file permissions

  • Thread starter Thread starter Scott Micale
  • Start date Start date
S

Scott Micale

I have a share that I have created for my users and I want to put
permissions on the sub folders so that the user can:

Do anything in a subfolder except delete files and folders. I am struggling
to get this setup and it should not be that hard. The share resides on a
NT4 BDC, but I am setting the permissions from a 2003 DC. Can someone give
me the best options?

Thanks!
 
The NTFS permissions tools in NT are a little limited
compared to later generations, and you would be best
off using then on the NT rather than later generations'
tools via a drive mapping. I think most of the issues
have been corrected, but at one time using uplevel tools
for the ACLing of NT 4 owned NTFS space could lead
to ACL corruption.
Have you tried granting to the group and then denying
delete for files ??
 
Yes I have tried from the 2003 server to grant the group Modify, Read &
Exec., List Folder Contents, Read, Write and then if you hit the advanced
button you can set the deny options and I chose Delete Subfolders & Files,
and Delete. That does not seem to work either. I am just baffled by this
and would have to think that there has to be other people out there that
want to be able to do the same thing I am trying to accomplish. You spoke
of other tools earlier. Where can I get these tools?

Your last question mentioned denying delete for files on a NT space. Where
is there a deny option in NT 4?
 
Well, you have me thinking now, as the NT4 toolset is a stretch
back in time . . . The original tools have a rudimentary Deny,
but the updated ACLing dialog, which became available if you
installed the optional security configuration editor that was released
as a part of SP 4 (and was later updated in service packs) provides
most of the Advanced view you are used to seeing in up-level versions,
wherein you can be more specific about the deny that is set.

The reason, AIUI, that this is not so simple as it seems it should be is
that to add files and rename them rather full access is needed to read,
write, execute, and delete on the directory structure; so granting just
what you are after conflicts some with giving the needed access below.

I grant everything that I can to This folder, subfolders and file on the
parent directory, then often need to use a grant of list on This folder
and subfolders only (to keep the execute from being allowed to files),
and of read, or modify, etc to Files only or sometimes to Subfolders
and Files.

In your case, add read or read execute, and then also grant a Write
that you reduce to Files or to Subfolders and Files.
You very possibly need to play some to get this done and will end
up needing to first define the Write for Files, and then the Read for
This folder, subfolders, and files.
 
Back
Top