"Write-once" directory permissions

[Sergey Drabkin]

Is it possible to configure a directory as a drop-box, but
one where users can browse and examine files? A user
should be able to create a file, then copy it into the
drop-box, but not be able to modify it later. The user
must be able to read the file, and other files, in the
same-directory.

Is this write-once functionality possible with XP
permissions? I tried everything I could think of, but XP
seems to think that permission to write equals permission
to change, which definitely oversimplifies the situation.

 

[GoumbaYa]

What the hell are you talking about?

 

[Rosanne]

What the hell are you talking about?

OP seems to want to be able to set Write permissions to folders without
giving Edit permission.

I poked around on XP Pro and haven't seen the setup I'm used to on Win2K
or even Win98, of being able to specify who in particular does what. It
seems to handle security differently. Since I only have a home network,
with all remotes disabled, I haven't really worried about who had access
to what.

Dern it, I can visualize one way of doing it in a *nix system, but I
can't help you here. Sorry...

There are much better brains here than I, though.

~ R

 

[Roger Abell]

Yes, of course this is possible.
You only need to go beyond the familiar "shortcut"
groupings of NTFS permissions using the advanced
edit capability.
Example :
make a folder c:\test
Go into the security dialog in the properties of this folder.
Remove any NTFS permission grants, except for those to
Administrators and to Users.
To do the above you probably needed to uncheck the
box for inheriting from the parent container found over
in the advanced dialog.
Say you now end up with NTFS permissions (as seen in
the non-advanced dialog)
Administrators Full Control (all boxes checked)
Users Read/Execute (and the boxes under it)
Highlight Users and uncheck Read/Execute but
leave the three boxes to List, Read, and Write
OK, now go back over to the advanced edit dialog,
and you should see two ACEs listed for Users
Notice that one applies to This folder and subfolders.
Leave that one alone.
Highlight the other which applies to This folder,
subfolders, and files
Now edit it, and locate the grant to
Create folders/Append data
and uncheck it.
Verify that neither of the two deletes
are checked in this ACE.
OK, back out of the properties and test
the behavior of folder c:\test now.

 

[GoumbaYa]

Security works exactly the same way in XP as it does in Win2K.

 

[Rosanne]

Security works exactly the same way in XP as it does in Win2K.

Okay. I'll poke around with it some more tomorrow. One thing I don't
like about Win2K at work (as opposed to the WinNT and Win98 that we ran
previously) is that if someone in my office is unable to access a file
or folder, I can't troubleshoot. Since I'm not a sysadmin, it won't let
me know who is a member of the "office" group. I have to call out the
big guns immediately, adding to their workload. Usually I just add the
user individually (which it WILL let me do, since I have full control
over those particular files and folders). THEN I call the sysadmins to
have them check the group membership and add the prodigal user if he or
she is missing.

When I took a look at a folder on my home system, I didn't have a
security tab - just "General", "Sharing" and "Customize". Files just
have "General", "Custom" and "Summary". It may be because I accepted
the default XP appearance, instead of setting it to the older one. I'll
have to do a little more reading.

Thanks!

~ R

 

[Rosanne]

When I took a look at a folder on my home system, I didn't have a
security tab - just "General", "Sharing" and "Customize". Files just
have "General", "Custom" and "Summary". It may be because I accepted
the default XP appearance, instead of setting it to the older one. I'll
have to do a little more reading.

Thanks!

~ R

Never mind - somebody else was asking basically the same question - how
to make the security tab visible - and I got my answer. I just turned
off "Use simple file sharing" and violetta!

Thanks!

~ R

 

[Roger Abell]

Rosanne,

If the "big guns" were effectively using what W2k/W2k3 is
capable of, then they could/would deligate to you these tasks
(and the power needed to accomplish them).
This can be done without their "giving away the house"
In fact, this ability to delegate is one of the significant features
added to address shortcomings of NT4, which forced sysadms
to have to play man-in-the-middle for everything - overloading
them and slowing everyone else.

 

[Rosanne]

Rosanne,

If the "big guns" were effectively using what W2k/W2k3 is
capable of, then they could/would deligate to you these tasks
(and the power needed to accomplish them).
This can be done without their "giving away the house"
In fact, this ability to delegate is one of the significant features
added to address shortcomings of NT4, which forced sysadms
to have to play man-in-the-middle for everything - overloading
them and slowing everyone else.

This is not terribly unusual. I don't foresee them ever actually
delegating that ability to users, though. On another network I work
with, they've taken away our ability to change our workspace via user
profiles, citing it as a security risk. I can't use my calendar for
appointments, because they're lost when I log out. I think the .normal
file is read-only at the user level. And one size does NOT fit all when
it comes to the desktop icons - they've left out little things I use
daily - like MSWord. So now I run a batchfile to dump the particular
icons I need to my desktop. Every time I log in. I shake my head every
time I do it - running a mini-PROGRAM is safer than letting MS do what
it was DESIGNED to do?

Sigh... I ranted for the first six months or so, then got tired.

~ R
p.s. Don't tell them about the batchfiles, or we'll all have a raging
case of carpal tunnel. Some of those apps are in sub-sub-sub-sub-
folders, and I would have to dig them out EVERY DAY.

 

[Roger Abell]

Sounds like their guns are larger than the
game they know how to track !!
Your secrets are safe.

 

[Sergey Drabkin]

That worked! Thank you very much.