ntfs permissions
  • ntfs permissions

    Hi,

    Is it possible to let a group of users write/edit files, create new files, but NOT delete any file or folder?
    I tried any combination on NTFS and special access and it never let them create new files; it will make a 0k file or folder with an error about renaming, but they can change files as I wanted.
    I just want them to be able to create new files as well.
    Thanks & Regards

    Retaliator

    MCSA/MCSE/CCNA
    Computer Science Graduate

  • #2
    Re: ntfs permissions

    AFAIK the standard WRITE permission should do that -- MODIFY is required to delete files
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: ntfs permissions

      It does not work, because they can't create new files or folders.
      Thanks & Regards

      Retaliator

      MCSA/MCSE/CCNA
      Computer Science Graduate



      • #4
        Re: ntfs permissions

        Why not grant them everything except "Full Control", and DENY them "Delete" on the folder and on subfolders and files? See attachment - I forgot to ring "delete subfolders and files"


        Tom
        For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

        Anything you say will be misquoted and used against you



        • #5
          Re: ntfs permissions

          Some personal experience:

          I tried to deny Delete and I ran into these problems:

          Word temporary files are not deleted at the end of their use, as they would expect to, and so subsequent attempts to launch Word and modify that document end up messed up (can't remember the exact message) but the doc could not be subsequently saved.

          Sometimes, and I never got around to determining why, users could not rename folders. I thought that rename = create a copy and delete the old, (not a real copy, you understand, I mean a copy in the directory listing or something like that) but I am not sure on that one. But it caused problems there too.

          Anyway, the main killer for me was that Word could not delete its temporary files (you know, the ones that are hidden and start with a tilde). I guess this may happen with Excel and others too.

          So I had to give up denying Delete. Maybe your users don't use Word or any other program that creates and deletes temporary files?
          Best wishes,
          PaulH.
          MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



          • #6
            Re: ntfs permissions

            Oh, if ONLY Microsoft would have Word create its TEMP files in the TEMP folder... how SIMPLE would that be?!

            Sometimes they do some REALLY stupid things and this is one of them...


            Tom
            For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

            Anything you say will be misquoted and used against you



            • #7
              Re: ntfs permissions

              I do not know if it meets your requirement or not... still, have a look at it.

              Usually we want that users should not be able to delete other users' files but they can delete their own.

              Then we can do the following:

              1. Remove the explicit deny for deletion.

              2. Also do not check the box to permit the deletion.

              3. As a result users will not be able to delete the files, as they do not have any permissions set for deletion.

              4. Add the Creator/Owner group and allow them to delete the files.

              5. So the users will be able to delete their own files, not others'.

              6. The problem of temp files and renaming would be solved.

              But again if you want that they should not be able to delete even their own files then below described permissions would remain there.
              Kapil Sharma
              ~~~~~~~~~~~~~
              Life is too short, Enjoy It.
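
The six steps in post #7, written out as an added PowerShell example (not code from the thread). `$Folder` and `$Group` are placeholder names; run it from an elevated session against a test folder.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

$Folder = 'D:\Shares\Projects'      # placeholder: the shared folder
$Group  = 'EXAMPLE\ProjectUsers'    # placeholder: the user group

# Apply to this folder, subfolders and files.
$inherit = [InheritanceFlags]'ContainerInherit, ObjectInherit'

# Steps 2-3: the group gets read plus create/write, with no Delete right
# and no "Delete subfolders and files" right.
$groupRule = [FileSystemAccessRule]::new(
    $Group, [FileSystemRights]'ReadAndExecute, Write',
    $inherit, [PropagationFlags]::None, [AccessControlType]::Allow)

# Step 4: CREATOR OWNER (well-known SID S-1-3-0) is allowed Delete.
# The entry is inherit-only: on each child it is replaced by that child's owner.
$creatorOwner = [SecurityIdentifier]::new('S-1-3-0')
$ownerRule = [FileSystemAccessRule]::new(
    $creatorOwner, [FileSystemRights]::Delete,
    $inherit, [PropagationFlags]::InheritOnly, [AccessControlType]::Allow)

$acl = Get-Acl -Path $Folder

# Step 1: drop explicit Deny entries previously set for the group.
$acl.Access |
    Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $Group
    } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# SetAccessRule replaces the group's existing explicit Allow entries,
# so an earlier Modify grant does not linger.
$acl.SetAccessRule($groupRule)
$acl.AddAccessRule($ownerRule)
Set-Acl -Path $Folder -AclObject $acl

# Review the result.
(Get-Acl -Path $Folder).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

Entries the folder inherits from its parent are not changed by this script; if the group inherits Modify from above, that grant still applies.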



              • #8
                Re: ntfs permissions

                I tried every combination and they can't create new files/folders or copy files to that folder, and that's a prob.

                A user that belongs to the group with RW-NoDel can't create those files.
                the group is assigned permissions like in the screen shot.
                Thanks & Regards

                Retaliator

                MCSA/MCSE/CCNA
                Computer Science Graduate



                • #9
                  Re: ntfs permissions

                  This makes me wonder what the underlying file table steps are carried out when renaming a folder - is it something to do with deleting the old name and making a new one? I don't know, but it seems reasonable to me. Maybe someone else has further in depth knowledge on this one, as I said, I had to give up but then I was only able to spend a couple of hours on it.
                  Best wishes,
                  PaulH.
                  MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



                  • #10
                    Re: ntfs permissions

                    Hi, Retaliator.
                    I did a test myself for this issue. These are the results I got to:
                    1) created a folder, inside the TEMP folder, called ML;
                    2) gave to a username I had (called SBC) special permissions: Deny on DELETE and Deny on DELETE SUBFOLDERS AND FILES. I checked the Apply these permissions to objects and/or containers within this container only (see perm.jpg);
                    3) see the list of permissions in perm2.jpg ;
                    4) while logged in with SBC, I created a text file (see perm_create.jpg and perm_create2.jpg). No problems;
                    5) I edited the newly created file by changing its contents (see perm_edit.jpg. Notice the change in the size of the file). Had no problems;
                    6) I created on the Desktop another text file, with the same name, and tried to replace the existing file in ML (see perm_replace.jpg). Got an error message;
                    7) I tried to delete the text file from the ML folder (see the perm_delete.jpg). Got an error message.

                    Conclusion:
                    I was able to give permissions to a user in such a manner, that he was able to create files and edit them, but could not delete them (or replace, since during this process, the existing file is first deleted).
                    I don't know why it is not working for you, but it works as I remember it should work, with Special NTFS Permissions.
                    I would suggest you do a test by yourself, with a test file, a test user and a test folder.


                    Paul, I am trying to look for some info regarding the underground operations that are done while doing different actions with files on NTFS; you got me curious about it. I'll post if I find any...

                    Sorin Solomon


                    In order to succeed, your desire for success should be greater than your fear of failure.
                    -
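
The test setup from post #10 (and the Deny approach suggested in post #4), as an added PowerShell example that is not part of the thread. The folder path and the assumption that SBC is a local account are placeholders; the Allow entry is also an assumption, since the post does not list which Allow rights the test user had.

```powershell
using namespace System.Security.AccessControl

$Folder   = 'C:\Temp\ML'                 # placeholder: test folder
$Identity = "$env:COMPUTERNAME\SBC"      # assumption: SBC is a local test account

New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# Apply to this folder, subfolders and files.
$inherit = [InheritanceFlags]'ContainerInherit, ObjectInherit'
# None propagates to every level. The checkbox ticked in the post
# ("...within this container only") corresponds to NoPropagateInherit.
$propagate = [PropagationFlags]::None

# Assumed Allow entry: read plus create files, create folders and write data.
$allow = [FileSystemAccessRule]::new(
    $Identity, [FileSystemRights]'ReadAndExecute, Write',
    $inherit, $propagate, [AccessControlType]::Allow)

# A file can be deleted with Delete on the file itself OR with
# "Delete subfolders and files" on its parent folder, so both are denied.
$deny = [FileSystemAccessRule]::new(
    $Identity, [FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    $inherit, $propagate, [AccessControlType]::Deny)

$acl = Get-Acl -Path $Folder
$acl.AddAccessRule($allow)
$acl.AddAccessRule($deny)
Set-Acl -Path $Folder -AclObject $acl

# List what the test account ends up with on the folder.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $Identity } |
    Format-Table AccessControlType, FileSystemRights, IsInherited,
                 InheritanceFlags, PropagationFlags -AutoSize
```

Renaming a file or folder also requires the Delete right on that object, so under this ACL the test account cannot rename what it creates.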



                    • #11
                      Re: ntfs permissions

                      And the other two screenshots, with the error messages.

                      Sorin Solomon


                      In order to succeed, your desire for success should be greater than your fear of failure.
                      -



                      • #12
                        Re: ntfs permissions

                        Hi Sorin. While working with the text files, I can see that you have achieved the objective but I think that working with Word documents will only work for when the document is first created/saved. Subsequent edits and so on get screwed up because of those pesky temporary files, so it depends on whether Retaliator's users want to work with MSOffice documents or not. For me, that was the killer.

                        Are you able to repeat your experiment with a Word document and an Excel spreadsheet? To be sure, the docs will have to be edited and resaved twice over in order to give those pesky temporary files a thorough workout, and in order to find out if they get in the way when resaving an existing Word document. I think my setup fell over when another user tried to edit someone else's Word document. Both users had "Deny delete" permissions.

                        I too am interested in how NTFS works on a lower level. I'll PM you if I find anything interesting, so I won't clutter up this thread unless it's relevant.
                        Best wishes,
                        PaulH.
                        MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



                        • #13
                          Re: ntfs permissions

                          Hi, Paul. You asked so nice, I couldn't refuse it.
                          These are the test and the results:
                          1) in the same environment as the previous test, I created a Word file called Plain File.doc, with a nonsense inside (see word_new.jpg). As you can see, the temporary file was created;
                          2) I opened the file second time and added a new line (see word_second.jpg). You can see more tmp files, that cannot be deleted, since the user has no right to do so;
                          3) I closed the file, and none of the temporary files were deleted (see word_final.jpg);
                          4) I opened the file again 4 more times, every time adding an empty line and saving the file (see word_4.jpg). Again, none of the temporary files were deleted, but I had no problems creating, editing and saving the file.
                          Did not check what happens while other user tries to edit the same file, I'll look for it later.

                          Hope this helps.

                          Sorin Solomon


                          In order to succeed, your desire for success should be greater than your fear of failure.
                          -



                          • #14
                            Re: ntfs permissions

                            Cheers, Sorin. Yes, my problem was with other users (who have the exact same permissions) trying to edit and save the document. Perhaps Retaliator can confirm whether his users are using MS Office documents and so whether these thoughts are relevant to him? (They may be relevant to other readers of this thread, though.)
                            Best wishes,
                            PaulH.
                            MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



                            • #15
                              Re: ntfs permissions

                              Hi,

                              the problem is with every file, copying to that folder or creating a new txt file.

                              Strange..
                              Thanks & Regards

                              Retaliator

                              MCSA/MCSE/CCNA
                              Computer Science Graduate
