Is there anyway I can stop users moving folders to other folders?

[Pab]

Hi All,

I couple of days ago one of my users had moved one of his folders to
another part of the hard disk and came to me when he couldn't now open
his file to the files going missing. It had all happened because he
must have mistakenly dragged and dropped one of his folders onto
another folder and had not realised it. Then he couldn't open one of
his files the next time he logged on. I have been trying to restrict
the changes that he could make by making the hard drive NTFS
(previously it was FAT32) and setting permissions for parts of the
hard disk to be read-only, but then even with permissions set to read
only they can still move folders around willy-nilly, hence
potentially causing more damage to their heiarchy.

i.e. say i have

Folder A

and inside that I have

Folder B.

I set folder A's permissions to be read-only. So I can't write any
thing in Folder A. I can only read what's there. Hence, anything
contained in Folder A i supposedly read-only.

But when I try to move

Folder B

onto a different folder, say

Folder C

The OS will quite happily let me, provided that Folder C is
write-enabled. i.e. provided that the destination folder is
write-enabled, I can permanently take out anything out of anoother
folder.

This can't be right can it?

Many thanks.

Take care all.

Pab.

 

[Steven L Umbach]

If you have read permissions to a file, then you can copy it to another folder where
you are allowed to write but not move it. Move is essentially a read/write/delete
operation while copy is just read/write. You need to check that the user is not a
member of another group that has delete/modify/full permissions for the folder in
including the advanced permissions page. If the user is the owner of that file, then
he will have the ntfs permissions of the creator/owner also. You can go to
advanced/owner to see who is the current owner of file. --- Steve

 

[Andrew Mitchell]

If you have read permissions to a file, then you can copy it to another
folder where you are allowed to write but not move it. Move is
essentially a read/write/delete operation while copy is just read/write.
You need to check that the user is not a member of another group that
has delete/modify/full permissions for the folder in including the
advanced permissions page. If the user is the owner of that file, then
he will have the ntfs permissions of the creator/owner also. You can go
to advanced/owner to see who is the current owner of file. --- Steve

Disabling left-click drag and drop operations within Explorer/My Computer
would be a great way to achieve this, but I don't know of a way to do it
without writing a separate app to trap the drag/drop operation.

Still allowing the Right-Click, context menu driven drag and drop while
blocking the left-click drag and drop would force the user to make a choice
of copying or pasting and would prevent the 'shaky hand' left-click drag and
drop move operations that happen by accident.

*Anyone listening MS product developers???*

Andy.

 

[Lanwench [MVP - Exchange]]

Disabling left-click drag and drop operations within Explorer/My
Computer would be a great way to achieve this, but I don't know of a
way to do it without writing a separate app to trap the drag/drop
operation.

Still allowing the Right-Click, context menu driven drag and drop
while blocking the left-click drag and drop would force the user to
make a choice of copying or pasting and would prevent the 'shaky
hand' left-click drag and drop move operations that happen by
accident.

*Anyone listening MS product developers???*

Andy.

I have to say, given that there are so many other places where you get a
confirm box like "Are you sure you want to do X? Are you REALLY sure? Y/N"
in Windows, it would be really nice to have one of these available in
Explorer for those times when we've all accidentally dragged a folder into
another one. I miss Winfile sometimes.

 

[Andrew Mitchell]

I have to say, given that there are so many other places where you get a
confirm box like "Are you sure you want to do X? Are you REALLY sure? Y/N"
in Windows, it would be really nice to have one of these available in
Explorer for those times when we've all accidentally dragged a folder into
another one.

The only problem with dialog boxes is (as you mentioned) there are so many of
them. Due to the high number of dialog boxes being presented to users, they
don't even read them and just click "yes". How many times have you been
dealing with a user complaining about a particular error they get and when
you ask for the text of the message, they have no idea because they just
click a button to make it go away?

I miss Winfile sometimes.

Yep. Bring back File Manager.

Andy.

 

[Lanwench [MVP - Exchange]]

The only problem with dialog boxes is (as you mentioned) there are so
many of them. Due to the high number of dialog boxes being presented
to users, they don't even read them and just click "yes". How many
times have you been dealing with a user complaining about a
particular error they get and when you ask for the text of the
message, they have no idea because they just click a button to make
it go away?

Agreed! This is just one of the few times I'd want one...

 

[Andrew Mitchell]

"Lanwench [MVP - Exchange]"

Agreed! This is just one of the few times I'd want one...

I'm waiting for the announcement that Longhorn will allow developers to make
use of 'enhanced dialog boxes', where a mechanical arm appears out of the
side of the monitor and beats the user to a pulp if they click a dialog
button too quickly (obviously not reading it).
That'll teach 'em !!

Maybe I could port Norton Commander to XP...........

 

[Pab]

Hi there Steve,

The person whose access I'm trying to restrict is a member of group
Users. Users does not have any rights to change anything in the
directory in question. Only Administrators has that right. My user
is not a member of Administrators, only of the group Users. Users, as
I say, does not have any rights to change anything in that directory.

So,

- Users is not linked to any other group

- my specific user is ONLY a member of that group, Users

- Users does NOT have any special rights or privileges in that
directory whatsoever

- the OWNER of the directory is group Administators, not Users

Specifically,

When I do Properties in Explorer and do Security in that directory I
get :-

ADMINISTRATORS :- Permissions Allow Deny
------------------
Full Control YES no
Modify YES no
Read & Execute YES no
List Folder Contents YES no
Read YES no
Write YES no

EVERYONE :- Permissions Allow Deny
------------------
Full Control no no
Modify no no
Read & Execute YES no
List Folder Contents YES no
Read YES no
Write no no

SYSTEM :- Permissions Allow Deny
------------------
Full Control no no
Modify no no
Read & Execute YES no
List Folder Contents YES no
Read YES no
Write no no

If I press "Advanced .." and go to the Owner tab I get...

Current owner for this item:
"Administrators (PC2\Administrators)"

- for that directory.

Notice the USERS group is not even in the list. As a member of USERS,
however, you can drag-and-drop any directory within this directory out
to any other directory you wish by draggin-and-dropping it. This is
how my friend lost his file. (as long you have write access to it)

As I said, USERS doe not seem to be inheriting any rights from another
group and the ownership the directory does not belong USERS, so why is
it possible to move out a directory?

Many thanks Security !!

Bye for now,

Pablo.

 

[Steven L Umbach]

Thanks for the detailed info - very helpful. From what I can see the user
would be getting he permission by being a member of the everyone group which
would give him read/list/execute which should not be enough permissions to
move a folder just with that group membership. It seems to me that a while
back there was a similar issue a user was having. Try going to the
root/drive folder of that drive and make sure that everyone and users have
no more than read/list/execute permissions at that level and be sure to
check the advanced page. Also make sure that everyone/users do not have
excessive permissions in the advanced permission entries of the folder you
show permissions for. --- Steve

 

[Michael Bednarek]

[snip]

I miss Winfile sometimes.

You don't have to (miss it). See
<http://www.kellys-korner-xp.com/xp_tweaks.htm>,
line 71, right hand column; or more to the point:
<http://www.kellys-korner-xp.com/regs_edits/WINFILE.EXE>.

Works here (NT5.1)

 

[Lanwench [MVP - Exchange]]

<bookmarks madly>

Thanks, Michael!

[snip]

I miss Winfile sometimes.

You don't have to (miss it). See
<http://www.kellys-korner-xp.com/xp_tweaks.htm>,
line 71, right hand column; or more to the point:
<http://www.kellys-korner-xp.com/regs_edits/WINFILE.EXE>.

Works here (NT5.1)

 

[Pab]

Hi Steve,

I've checked on the root drive and this is what I get :-

Data (E Properties

[ tab Security ]

Name:
Everyone

Permissions Allow Deny
----------------
Full Control no no
Modify no no
Read & Execute YES no
List Folder Contents YES no
Read YES no
Write no no

under Advanced... I get :-

Access Control Settings for DATA (E

[ tab Permissions ]

Type Name Permission Apply to
Allow Everyone Read & Execute This folder, subfolders, and
files

[ tab Owner ]

Current owner of this item:
"Administrators (PC2\Administrators)"

and then if I go back to Permissions and do View...

Permission Entry for DATA (E

[tab Object]

Name: "Everyone"

Apply onto: "This folder, subfolders and files"

Permissions Allow Deny
----------------- ------- -------
Traverse Folder / Execute File YES no
List Folder / Read Data YES no
Read Attributes YES no
Read Extended Attributes YES no
Create Files / Write Data no no
Create Folders / Append Data no no
Write Attributes no no
Write Extended Attributes no no
Delete Subfolders and Files no no
Delete no no
Read Permissions YES no
Change Permissions no no
Take Ownership no no

Notice you don't see any other group mentioned, only Everyone. Below
THAT you get SYSTEM and Administrators mentioned (re. previous
posting), and moreover, when I try to move folders in this directory
(root) I get no problems at all .. just like if I had complete
privileges.

This shouldn't be allowed to happen and is causing my brain to
overheat. It's very confusing.

Many thanks !!

Bye for now.

Pablo.