Windows security settings to deny del/ren/create folders

i

Wannabe Storage Freak
Joined
Feb 10, 2002
Messages
1,080
1. You have a Windows 2003 server.
2. You have some random turkey as a user.
3. Said turkey can only access two shares on said server. They have no console access.
4. Said shares contain a load of folders, which occasionally contain loads of files.

Question:

How can the account permissions be modified, or the two root folders' security settings be modified, in order to prevent the turkey from deleting/renaming/creating folders on either share? The turkey should still have the ability to delete/rename/create files contained within said folders.
 

Bozo

Storage? I am Storage!
Joined
Feb 12, 2002
Messages
4,396
Location
Twilight Zone
I believe you set those attributes by right-clicking on each share/folder and selecting 'Sharing and Security'. You should find the check boxes under Permissions and under the Security tab.

Bozo :mrgrn:
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
21,603
Location
I am omnipresent
14 people looked at this? And no one else answered?

OK...

There are three sets of rules that govern file-level security on Windows.

Rule 1. Share-level security is additive unless there's a "Deny". A user's permissions for a file share are the Most Permissive possible.

If the Everyone Group has the Read permission on a Share, and the Dialup Users Group has Full Control, and I'm a member of Dialup Users, I inherit Read and Full Control.

There are 3 share-level permissions. Share Permissions are only set at the Folder Level:
Read - Which, go figure, lets you read the contents of folders, read files inside, and run programs.
Change: Adds the ability to modify files, and to create and delete files and folders.
Full Control: Adds the ability to modify Share permissions

Obviously, Denies shouldn't be set unless you REALLY mean it.

Rule 2: NTFS-level security is additive unless there's a "Deny". A user's NTFS permissions for a file are the Most Permissive possible.

There are six File/Folder Permissions for NTFS:
List Folder Contents
Read
Read and Execute
Write - Allows creation of new files and appends to existing files
Modify - Allows deletion of files
Full Control - Allows "Take Ownership" and permission modification

Deny permission still exists, and should only be used to absolutely prevent a behavior.

Rule 3: The combination of NTFS and Share permission is Subtractive, always resulting in the most restrictive combination of permissions.

If I'm a member of Dialup Users, and as such I have Full Control Share permission, but Dialup Users have only Read, Read and Execute and Write NTFS permissions on the folder that's being shared, the net effect is that I cannot Delete anything, as I do not have the NTFS modify right. I can still write to files that already exist.

In other words, for your PITA user, take away his NTFS Modify permission wherever you need to, and he can't delete (or rename, since that would delete the original file/folder) things on your share.
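
The three rules from the post above, worked through as an added example that is not part of the original thread. It is a simplified model, not the real Windows access-check algorithm; the capability names and the `layer_access` / `effective_access` helpers are assumptions made for illustration.

```python
# Simplified model of the three rules in the post above; not the real
# Windows access-check algorithm. Capability names are illustrative.
BASE = {"list", "read", "execute"}
SHARE = {
    "Read": BASE,
    "Change": BASE | {"write", "delete"},
    "Full Control": BASE | {"write", "delete", "admin"},
}
NTFS = {
    "List Folder Contents": {"list"},
    "Read": {"list", "read"},
    "Read and Execute": BASE,
    "Write": {"write"},
    "Modify": BASE | {"write", "delete"},
    "Full Control": BASE | {"write", "delete", "admin"},
}

def layer_access(acl, groups, levels):
    """Rules 1 and 2: union the Allows for the user's groups, then remove Denies."""
    allowed, denied = set(), set()
    for group, kind, level in acl:
        if group in groups:
            (allowed if kind == "allow" else denied).update(levels[level])
    return allowed - denied

def effective_access(groups, share_acl, ntfs_acl):
    """Rule 3: over the network, only what both layers grant survives."""
    return layer_access(share_acl, groups, SHARE) & layer_access(ntfs_acl, groups, NTFS)

# Constructed ACLs matching the Dialup Users example in the post.
share_acl = [("Everyone", "allow", "Read"), ("Dialup Users", "allow", "Full Control")]
ntfs_acl = [("Dialup Users", "allow", "Read"),
            ("Dialup Users", "allow", "Read and Execute"),
            ("Dialup Users", "allow", "Write")]
user_groups = {"Everyone", "Dialup Users"}

if __name__ == "__main__":
    print(sorted(effective_access(user_groups, share_acl, ntfs_acl)))
    # Granting Modify is what adds "delete" back.
    print(sorted(effective_access(user_groups, share_acl,
                                  ntfs_acl + [("Dialup Users", "allow", "Modify")])))
```
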
 

i

Wannabe Storage Freak
Joined
Feb 10, 2002
Messages
1,080
Thanks Mercutio. And Buck... are you developing another personality? :)
 