Write but not delete permission on a folder?

[Netmasker]

I would like to secure a Directory (folder) in Windows 2000 (I am the only
one with administrative rights) so that other users of the computer have the
following permissions:
- have write permission in the Directory (create/modify/delete files and
subdirectories in the Directory).
- can not rename or delete this Directory that I had created for them.

Is this possible???
If yes, what are the permissions that I must set for my users on that
particular Directory??

Thanks in advance.

 

[Steven L Umbach]

It is possible, using advanced permissions. Give the users read/list/execute
nfs permissions for the folder. Then go into advanced permissions and select
add. Add the group and then select apply onto. Then choose subfolder and
files. Check off the permissions that would be equivilant to modify. Test it
out, but I believe it should work. --- Steve

 

[John Hamilton]

Don't forget that the filesystem needs to be NTFS


John

 

[Salt_Peter]

Steven already specified "ntfs permissions" in his post, the more important
issue here is ntfs parent/child inheritence. At the share's parent folder,
ntfs permission inheritence needs to be disabled and the configured ntfs
permissions "copied over" in order to isolate/modify the parent folder's
permissions. This way the parent folder can be secured and it's subobjects's
security specified by inheritance. Basicly, you're creating a new Access
Control List.

 

[Netmasker]

Thanks everyone but it didn't work!! I tried everything but it didn't work
and I can't see what I do wrong.
I will explain again what I want to do exactly:
1) Create a new folder named "test" (for example) under my hard disk c:\
2) I want to have full permissions on the folder "test" as I am the
administrator
3) I want everybody else not to be able to delete or rename the folder
"test"
4) I want everybody else to be able to read/create/rename/modify/delete his
subfolders and files under the folder "test".

Can anyone tell me what permissions I must set on the folder "test" (as
there are no subfolders and files created yet by my users) for:
- the group "adminstrators"
- the group "everyone"
and where to apply these permissions (this folder, subfolders, files, etc.)

Thanks again

 

[Salt_Peter]

As was stated in the previous response, ntfs permissions are inherited by
the newly created "test" folder. You need to first break the inheritence
hierarchy to redefine the ntfs permissions on the folder. In this case, if
C: is set to everyone->full control, that is the permission the test folder
will inherit unless specified otherwise. I'm not talking about share
permissions, which only apply over network connections, i'm referring to
ntfs permissions.

Also, the ntfs permissions dialog lets you modify permissions for either the
object itself (the test folder only) or the files and/or subfolders created
within. That's what the list box is for.

On the file or folder properties dialog, click the "Security" tab and the
"Advanced" button to disable inheritence via the check box at bottom of
dialog, copy over existing permissions and assign special file or folder
permissions according to your needs.

Note the drop down list box choices:

This folder, subfolders and files
This folder only
This folder and subfolders
This folder and files
Subfolders and files only
Subfolders only
Files only

Needless to say, the share permission should be set to evryone->read only
and the ntfs permission refined to admin->full control, test
folder=users->read only and subobjects=users->"whatever is appropriate".
It's a simple procedure, shouldn't be too difficult to acomplish.

 

[Netmasker]

Salt_Peter I know everything about inheritence and I have done everything
you proposed, with no result.
OK, what do you see wrong in the following configuration in "Advanced
Permission Entries" for the folder "test"???
Access Control Settings for test:
---------------------------------------------------------------
Type Name Permission Apply
to
Allow Administrators Full Control This folder,
subfolders and files
Allow myuser Read & Execute This folder,
subfolders and files
Allow myuser Full Control Subfolders
and files only
---------------------------------------------------------------
When I log off as administrator and then log on as "myuser", not only I
can't create subfolders and files in the folder "test" but also I CAN delete
the folder "test" completely !
What do I miss ??

 

[Salt_Peter]

I thought you said you didn't want the user to delete the test folder, so
why are you giving him the execute permission on folder? And don't you see
the "advanced" button to modify the basic permission templates on the
security tab?

I'm thinking of at least 3 ways you can rectify this. Security tab >
advanced button and uncheck the advanced delete permission for that folder
alone. Let the user read only the folder but execute subfolders and files by
modifying the drop down list box. Specify that folder's security through a
GPO. And even a 4th choice of denying the user from deleting the test folder
in ntfs advanced permissions.