Can I use a GPO to stop users from changing information in Windows folders?

Active Directory
Windows Security
Our company has a share called "ClientStore" where we store all client information. Within the "ClientStore" folder we have a letter for each letter in the alphabet. Then we have another folder with the client's company name within the folder that the client's company name starts with. Then we have all the client information within that particular client folder. What we're trying to accomplish is to prevent users from making changes, such as deleting, renaming, moving and so on, to our folder structure. We would like to lock it down but we still need to allow our users to write, edit and read within each of those Client Folders so they can save documents and edit documents for a particular client. Is there anyway to accomplish this with a GPO?

Answer Wiki

Thanks. We'll let you know when a new response is added.

I believe you could accomplish this by denying the delete permission on the folder structures for the groups you do not want to delete.

Remember, that Windows 2003 will propigate permissions automatically to child folders– unless the folder has turned off the inheretance of permissions from the parent.

Also keep in mind that if you do this, which I think is what your asking for, that when users create files they will not be able to delete them unless you’ve given the creator owner delete access.

Discuss This Question: 3  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • Buddyfarr
    or what you could do is setup the entire folder structure with List Files/Traverse folders permissions to all groups that need to get into the folders. this will allow them to see the folders and get into them but they will not be able to modify nor delete any of them. then give the the last folders special rights to the user groups to modify the subfolders and files only.
    6,850 pointsBadges:
  • Jerry Lees
    Buddy, this won't allow them to read the contents of the files either though unless you added the read permission. Additionally, the original question was needing to read, write, and modify. This is essentially the change permission MINUS the delete permission.
    5,335 pointsBadges:
  • Wrobinson
    The way to go about this is not using group policy but NTFS permissions.
    5,625 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: