NTFS Permissions on folders

[Martyn Weiss]

Hi,

Sorry if this is a gormless question, but how <i>exactly</i> do I set
up permissions on a nested folder structure such that a group of users
can create/update/rename/delete files anywhere within the structure
but not modify the folder structure in any way (i.e. no folder
creation/deletion/renaming)?

I've tried giving the group two sets on permissions, one for Files
Only and one for the top-level folder. However, I can't seem to find
a combination of individual permissions which allows users to rename
files which doesn't also permit them to delete folders. It seems as
if the "Delete subfolders and files" permission needs to be set to
allow users to rename files, but because it applies to both, then
enables them to delete subfolders.

Perhaps I am in a muddle ...

Cheers & TIA, Martyn

 

[Steven L Umbach]

Try this.

First make sure that everyone has no more than read/list/execute permissions to the
drive/root folder and check advanced permissions also.

Then on the top folder give the appropriate group read/list/execute permissions in
the main security page. Then go to advanced permissions, add the group again and
select "files only" in the apply onto box and select everything but change
permissions and take ownership. Make sure the users are not member of another group
that has more permissions to that folder than you want them to have and keep in mind
that if creator/owner is present a user will be assigned those permissions to any
file folder they create and are owner of. When you test, be sure you are logged on
as a user that is only a member of that group. --- Steve

 

[Martyn Weiss]

Steve

Try this.

Thanks. I tried to do what you said exactly, but if I do, a user in
the group can't create a file in the top-level folder. Far as I can
tell, the user can only do that if I check Create Files / Write Data
in the "Apply Onto: This folder and sub-folders" entry for the user
group. Also, even if I do that, the user still can't rename a file
within a subfolder.

Is there a utility which will show a user's effective permissions on a
file and its contents?

Cheers, Martyn

 

[Steven L Umbach]

Hi Martyn.

Yes you are correct, and I missed stating such, that the group would need to
allow users create files/write data permission for folder/subfolers/files.

I spent some time testing your secenario and what worked for me was to give
a test group read/list/execute/write permissions on the "main security page"
and then went to advanced permissions and edited that to remove permission
for create folders/append data. I left the special permissions for the test
group as everything but allow for take ownership and change permissions for
"files only". After logging off and logging on as a regular user in the test
group I could create/modify/rename/delete files in the main folder and
subfolders but not create or delete any folders. I think that is what you
were trying to accomplish. After making changes be sure to log off and then
back on before testing. There are various utilities that show permissions
for a group such as showacls or dumpsec from SomarSoft, though they may not
report advanced permissions in an easily understandable way. W2003/XP Pro
now have built in effective permision reporting. --- Steve