Need help with server security privileges

Guest

I'm trying to set up a server folder where the users have file read and write
access, but they cannot overwrite or delete files. I don't really care about
folder permissions. I'll have an administrator create folders.

As I read through the support files, I can't figure out how to separate
write and overwrite privileges. These two permissions are tied together on
one option:

Create Files/Write Data
The Create Files permission applies only to folders and allows or denies the
user from creating files in the folder.

The Write Data permission applies only to files and allows or denies the
user from making changes to the file and overwriting existing content by NTFS
 
Steven L Umbach

The link below explaining special permissions may help. There is a
distinction in what users can do to existing files. If they have modify
permissions they can delete files. With write permissions they can append
data which means they can add data to an existing file. A lot depends on how
the application handles files as many will delete the old file and create a
new one when the file is modified which a user without modify/full control
cannot do. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;308419

The Append Data permission applies only to files and allows or denies the
user from making changes to the end of the file but not from changing,
deleting, or overwriting existing data.
 
Guest

Right - thanks. I really appreciate the response, Steve.

These will all be Microsoft Word files.

I don't want change/overwrite permissions. I don't see how I can separate
it so that users can create but not delete or overwrite. If I'm reading it
correctly, I want "create files" to be set to "allow" but "write data" to be
set to "deny." But it looks to me as though the "Create Files / Write Data"
permission is tied to one permission line. I don't understand why they're
not two separate permissions.

Am I reading that wrong?

I don't care if they have "create folder" privileges, so that line "Create
Folders / Append Data" can be set to "deny."

I used to do some server admin years ago... It seems that this used to be
easy on WinNT. Now I'm just on a project and trying to set up an
appropriately secure server space, and can't get the help I need from my IT
group, who tells me that this can't be done. I find that hard to believe,
although I don't see how to do it.
 
Steven L Umbach

I admit it is confusing in the way MS labels special permissions. When you
see a permission such as Create Files / Write Data the create files applies
only to folders while write data applies only to files. It makes a
difference depending on what you select in the "apply onto" box for special
permissions. For example you can give users one set of permissions for
folders only and then another for files only. If you look at the special
permissions in the root/drive folder in advanced you will see how default
special permissions are configured for users where that group is shown three
times. The overall permissions you see on the general security page are for
folders, subfolders, and files. If you have some reason for users to create
files and be able to view them but not change/edit them in any way then do
not give the users any delete, write data, and append data permissions for
"files only" but give them create files/write data for folders only. The
other problem is that the creator of a file will receive permissions that
the creator owner placeholder has which by default is full control though
you can change that but the owner of a file could potentially change
permissions to it. If you want to create a drop folder just give the users
write access to the folder. If the users need to be able to edit and save.
If you need them to be able to edit Word files you are probably out of luck
as I believe Word deletes the old file and creates a new file from the
temporary it creates of the opened file after a user saves an edited
document. However this is a case where creator owner may help because in
default configuration it will give the file creator permissions to edit a
Word document but only allow others to read if the folder restrictions are
such to restrict users in general to only read. --- Steve
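The split described in the reply above (Create Files applied to folders, read-only rights applied to files) can also be set from PowerShell. This is an added example, not part of the original thread; the folder path and group name are assumed values, and the OWNER RIGHTS entry (SID S-1-3-4) assumes Windows Vista / Server 2008 or later.

```powershell
# Added example. $Path and $Group are hypothetical; run elevated against a test folder
# that has no explicit (non-inherited) entries of its own.
$Path  = 'D:\Shares\Drop'     # assumed folder created by an administrator
$Group = 'BUILTIN\Users'      # assumed group of ordinary users

function New-AllowRule {
    param($Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit,
          [System.Security.AccessControl.PropagationFlags]$Propagate)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# OWNER RIGHTS: when present, it replaces the owner's implicit right to edit the ACL.
$ownerRights = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-4'

$acl = Get-Acl -LiteralPath $Path
# Protect the ACL and discard inherited entries, including the default
# CREATOR OWNER full-control entry the reply mentions.
$acl.SetAccessRuleProtection($true, $false)

$rules = @(
    # Administrators and SYSTEM keep full control of folder, subfolders and files.
    (New-AllowRule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'),
    (New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl' 'ContainerInherit, ObjectInherit' 'None'),
    # "This folder and subfolders": list contents and create new files.
    # No Delete and no DeleteSubdirectoriesAndFiles, so existing files cannot be removed.
    (New-AllowRule $Group 'ReadAndExecute, CreateFiles' 'ContainerInherit' 'None'),
    # "Files only": read, but no WriteData, AppendData or Delete.
    (New-AllowRule $Group 'ReadAndExecute' 'ObjectInherit' 'InheritOnly'),
    # "Files only": a file's creator gets read access and cannot rewrite its ACL.
    (New-AllowRule $ownerRights 'ReadAndExecute' 'ObjectInherit' 'InheritOnly')
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -LiteralPath $Path -AclObject $acl

# Review the result: one row per entry, with its "apply onto" scope.
(Get-Acl -LiteralPath $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```

As the reply notes, applications that save by deleting the old file and creating a new one will fail to save over an existing document under these permissions.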
 
Guest

Thanks again, Steve.

 
