Folder Creation Rights

[George]

Hello,

Is it possible to allow all domain users access to all files and
folders on a certain share, yet prevent users (except one) from create
new folders and sub folders? O/S is Windows 2003.

Thank you,
George

 

[Ace Fekay [MVP]]

Re: Folder Creation Rights

In news:vaqc045as35hhvbo7fibrmn0q4081cb29i@4ax.com,
George <George@yahoo##.com> typed:
> Hello,
>
> Is it possible to allow all domain users access to all files and
> folders on a certain share, yet prevent users (except one) from create
> new folders and sub folders? O/S is Windows 2003.
>
> Thank you,
> George

Yes. Simply share the folder with the following perms:

Share perms:
Authenticated Users = C
Domain Admins = FC

NTFS perms:
Authenticated Users = R
Group1Modify = M (that can perform what you are asking)
Group2ReadOnly = R (that can't)

If you want Group2ReadOnly to be able to change files but not create sub
folders, don't add them in the DACL (Discretionary Access Control List)
because that is a standard set of combined permissions, but rather click on
Advanced and add the group in the Advanced ACL (Access Control List) and
select the group, click Edit to get in the ACEs (Access Control Entries),
and specify specifically the perms you want to allow for this object, child
objects, this object only, etc.

Windows Security News: Learning Guide: Access control
http://searchwindowssecurity.techtarget.com/news/article/0,289142,sid45_gci1025004,00.html

Understanding Windows NTFS Permissions
http://www.windowsecurity.com/articles/Understanding-Windows-NTFS-Permissions.html

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations

 

[Herb Martin]

Re: Folder Creation Rights


"George" <George@yahoo##.com> wrote in message
news:vaqc045as35hhvbo7fibrmn0q4081cb29i@4ax.com...
> Hello,
>
> Is it possible to allow all domain users access to all files and
> folders on a certain share, yet prevent users (except one) from create
> new folders and sub folders? O/S is Windows 2003.

Sure, Ace gave you the (or an) answer depending on exactly what
you mean by "access to all files".

It is also possible to set FILE (NTFS) permission different from the
DIRECTORY (NTFS) permissions.

In this manner files can be give one permission for a set of users AND
directories can be different for that SAME set of users.

You can also -- by using Special (NTFS) Permissions -- also grant
things like "Create Files" but NOT allow "Create Subdirectories"
(or the reverse.)

In all such cases, permissions at the SHARE will have to be enough
for the MAXIMUM needed for that Group of users, but can be
entirely different at the NTFS and Share level for OTHER Groups
of users.

 

[George]

Re: Folder Creation Rights

Wow Ace...great info!! Thank you very much for responding and
providing me this info.
George

On Wed, 16 Apr 2008 19:08:57 -0400, "Ace Fekay [MVP]"
<PleaseAskMe@SomeDomain.com> wrote:

>In news:vaqc045as35hhvbo7fibrmn0q4081cb29i@4ax.com,
>George <George@yahoo##.com> typed:
>> Hello,
>>
>> Is it possible to allow all domain users access to all files and
>> folders on a certain share, yet prevent users (except one) from create
>> new folders and sub folders? O/S is Windows 2003.
>>
>> Thank you,
>> George
>
>Yes. Simply share the folder with the following perms:
>
>Share perms:
>Authenticated Users = C
>Domain Admins = FC
>
>NTFS perms:
>Authenticated Users = R
>Group1Modify = M (that can perform what you are asking)
>Group2ReadOnly = R (that can't)
>
>If you want Group2ReadOnly to be able to change files but not create sub
>folders, don't add them in the DACL (Discretionary Access Control List)
>because that is a standard set of combined permissions, but rather click on
>Advanced and add the group in the Advanced ACL (Access Control List) and
>select the group, click Edit to get in the ACEs (Access Control Entries),
>and specify specifically the perms you want to allow for this object, child
>objects, this object only, etc.
>
>Windows Security News: Learning Guide: Access control
>http://searchwindowssecurity.techtarget.com/news/article/0,289142,sid45_gci1025004,00.html
>
>Understanding Windows NTFS Permissions
>http://www.windowsecurity.com/articles/Understanding-Windows-NTFS-Permissions.html

 

[Ace Fekay [MVP]]

Re: Folder Creation Rights

In news:393d04diqlk171rtisu3scb8lova8p2skq@4ax.com,
George <George@yahoo##.com> typed:
> Wow Ace...great info!! Thank you very much for responding and
> providing me this info.
> George

My pleasure! Good luck.

Ace