Security on a Network Share using SBS 2003 – NTFS Partition

0 pts.
Tags:
Networking
Outsourcing
Security
Tech support
Hello colleagues; I am trying to accomplish the following task 1) Avoid users to delete and move folders and files on a network share They should only be able to create, read, execute,write files and folders I have already created the group and deny delete and delete subfolder and files. This option is not working for me because is having like side effects, allow me to explain. Once the deny delete and delete subfolder is applied 1) Users can not delete files and folder ? First task accomplish 2) Users can not move a folder into another folder ? Second task accomplish however it creates an empty folder with the same name of the source folder inside the destination folder ? This it can not be delete an creates confusion for the users and they by accident start filing in the wrong location. HOW CAN I BLOCK AVOID THE COPY OF THE FOLDER 3) All file created under the share respond to the deny option however is not possible to create excel files. Error message can not save the ?file name? the folder is mark as a read only . Any idea? 4) User can not move or delete files inside the share but they can creates copies on theirs desktop ? for security could this be control it. Thanks in advance..
ASKED: July 20, 2006  1:50 PM
UPDATED: July 21, 2006  6:45 PM

Answer Wiki

Thanks. We'll let you know when a new response is added.

Hello,

Sounds like you have the permissions all out of whack. To start, anytime you apply the ‘deny’ permission it’s going to take precidense over all other permissions (share or NTFS). So be careful how you Deny.

If you have a shared folder and you want to give certain permissions to certain users/groups, apply the change or full control permission at the share level, then use NTFS to lock down the file. This prevents conflicts. Remember that when NTFS and share permissions are joined, the most restrictive permission wins.

If your wanting to allow users to delete files from within a folder you should give the users ‘modify’ permissions. This will allow them to create new files, write to existing files and delete files but restricts a user from changing effective permissions on the file. Only full control allows that.

There are a lot of good resources to be found on line that will explain in detail how permissions work and may help you better understand how to apply them in your environment. I’d suggest doing a bit of homework, then laying out a plan (flow chart) of what users/groups need what level of permissions before applying them.

When planning, don’t get overly complicated as that makes for administrative headaches. Keep your permission sets as simple as possible and you should be in good shape!

Good luck!

Discuss This Question: 1  Reply

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • TheVyrys
    Petroleuman may be right, (he usually is) your permissions may be out of whack. However, even if you have set them correctly, I think there are limitations that don't allow the results you are looking for. Here's why I say that: The minimum permission setting needed in order to open, edit, and save a document correctly is Modify. You can find this documentation from Microsoft in various places. Here is one of many- http://support.microsoft.com/kb/157115/EN-US/ I chose this link as it also covers your question #3 about Excel displaying the error. You are likely seeing a lot of .tmp files in the folders that only you can delete. This is also the case with Word files, but for some reason, Word doesn't give the errors. It just saves the file and leaves the .tmp in the folder. At least that's what I have experienced. You may just have to give users change permissions on those folders and maintain good backups. but alas! there is SOME hope for question #2.- You can stop the empty folder from being created and keep users from moving folders by assigning special permissions. It's easy to do, BUT they will not be able to create ANY folders....so it may not be an option if you want them to create folders, which I think you mentioned. To do so, set the share permissions of the Shared folder to Change for the group. Then set the NTFS security for the Shared folder to Modify. Next, select all subfolders, and set the NTFS security on them as such: Remove the 'inherit permissions from parent' setting. Edit the groups access by denying the Create Folder/append data in special permissions. Finally, select the 'replace permission entries on all child objects' check box, and apply. That will allow users to create, modify, and yes, unfortunately, delete files, but they cannot create or move folders. If they try it will deny them, and not create that stupid empty folder. on question #4.- I don't know any easy way to give someone access to a file and stop them from saving a copy of it. There may be additional software or downloads out there, but I don't think Microsoft has provided such articulate control as you are looking for with their permissions. Though they should. on a side note- you can move files (cut/copy and paste,etc.)into the folders that have the 'deny delete' permissions set, but you just cannot save to them or edit the existing files. I don't know what your situation is, but a forms based, or web type application may be something to consider. Or even Public folders on Exchange. hope this helps!
    0 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following