Guest VFR
Posted November 23, 2007

Hello,
I am having an issue with configuring NTFS permissions and I'm struggling to find an appropriate solution..

My issue is regarding the management of top-level folder permissions.
My goal is to prevent end-users from deleting, moving and/or renaming "top-level" folders while still allowing them to traverse, create, delete and modify the files and folders below the top-level folder.

Example Structure:

Drive: X
-> TL-Folder-A
    -> 2ND-Level-Folder-A
        -> 3RD-Level-Folder-A
            -> FileX
            -> FileY
        -> 3RD-Level-Folder-B
        -> 3RD-Level-Folder-C
        -> 3RD-Level-Folder-D
    -> 2ND-Level-Folder-B
    -> 2ND-Level-Folder-C
-> TL-Folder-B
-> TL-Folder-C

There are two solutions I have attempted so far:

SOLUTION 1:

1. Grant the appropriate group "Modify" permissions (Scope: This Folder, Subfolders and files) to the Top-Level folder (e.g.: TL-Folder-A).
2. Navigate to the "Advanced" permission options.
3. Uncheck the "Delete" option under the advanced permissions.
4. Check the "Delete Subfolders and Files" option under the advanced permissions.

This actually works pretty well..
It allows users to create, delete and modify files and folders below the TLFolder, but not delete the TLFolder itself.
This is great except end-users can still move and/or rename the folder.
I would like to prevent this if possible.

SOLUTION 2:

1. Grant the appropriate group "Modify" permissions (Scope: Subfolders and files only) to the Top-Level folder.
2. Grant the appropriate group "Read & Execute" permissions (Scope: This Folder only) to the Top-Level folder.

This link "http://www.webservertalk.com/archive93-2006-2-1387534.html" (Post 3) provides a slightly different explanation of the same solution...

Unfortunately this does not achieve what I want at all.
If we apply this solution to "TL-Folder-A" using the "Example Structure" above, the following occurs:

"TL-Folder-A" cannot be modified, moved or deleted by the user (fantastic, exactly what I want)
Users can list and read all data below "TL-Folder-A". (great)
Users ---"CANNOT"--- modify and/or create sub folders and files under "TL-Folder-A" (NOT GOOD, I need users to have these rights)
However, users ---"CAN"--- create, modify and delete subfolders and files under "2ND-Level-Folder-A", "2ND-Level-Folder-B", "2ND-Level-Folder-C" and at lower levels.

So as you can see, both solutions almost work, but not quite...

----
Also I am NOT willing to block inheritance as a solution.
Blocking inheritance is a sloppy way of managing permissions as it makes it very difficult to complete system wide changes (e.g.: granting a new group access to data across an entire folder structure).

Hopefully some smart person out there can help me out.
I have been looking into this for some time and it's really bugging me.

Thanks in advance!
Regards,
Adrian

Guest schweizer.martin@gmail.com
Posted December 7, 2007

Re: NTFS Permissions Issue (Locking Down a Top-Level data folders)

Hello Adrian

I'm in the same situation. Is there a better solution?

Regards,

On 23 Nov., 08:20, VFR <paech.adr...@saugov.sa.gov.au> wrote:
> Hello,
> I am having an issue with configuring NTFS permissions and I'm
> struggling to find an appropriate solution..
>
> My issue is regarding the management of top-level folder permissions.
> My goal is to prevent end-users from deleting, moving and/or renaming
> "top-level" folders while still allowing them to traverse, create, delete
> and modify the files and folders below the top-level folder.
>
> Example Structure:
>
> Drive: X
> -> TL-Folder-A
>     -> 2ND-Level-Folder-A
>         -> 3RD-Level-Folder-A
>             -> FileX
>             -> FileY
>         -> 3RD-Level-Folder-B
>         -> 3RD-Level-Folder-C
>         -> 3RD-Level-Folder-D
>     -> 2ND-Level-Folder-B
>     -> 2ND-Level-Folder-C
> -> TL-Folder-B
> -> TL-Folder-C
>
> There are two solutions I have attempted so far:
>
> SOLUTION 1:
>
> 1. Grant the appropriate group "Modify" permissions (Scope: This Folder,
> Subfolders and files) to the Top-Level folder (e.g.: TL-Folder-A).
> 2. Navigate to the "Advanced" permission options.
> 3. Uncheck the "Delete" option under the advanced permissions.
> 4. Check the "Delete Subfolders and Files" option under the advanced
> permissions.
>
> This actually works pretty well..
> It allows users to create, delete and modify files and folders below
> the TLFolder, but not delete the TLFolder itself.
> This is great except end-users can still move and/or rename the folder.
> I would like to prevent this if possible.
>
> SOLUTION 2:
>
> 1. Grant the appropriate group "Modify" permissions (Scope: Subfolders
> and files only) to the Top-Level folder.
> 2. Grant the appropriate group "Read & Execute" permissions (Scope:
> This Folder only) to the Top-Level folder.
>
> This link "http://www.webservertalk.com/archive93-2006-2-1387534.html"
> (Post 3) provides a slightly different explanation of the same solution...
>
> Unfortunately this does not achieve what I want at all.
> If we apply this solution to "TL-Folder-A" using the "Example
> Structure" above, the following occurs:
>
> "TL-Folder-A" cannot be modified, moved or deleted by the user
> (fantastic, exactly what I want)
> Users can list and read all data below "TL-Folder-A". (great)
> Users ---"CANNOT"--- modify and/or create sub folders and files under
> "TL-Folder-A" (NOT GOOD, I need users to have these rights)
> However, users ---"CAN"--- create, modify and delete subfolders and
> files under "2ND-Level-Folder-A", "2ND-Level-Folder-B",
> "2ND-Level-Folder-C" and at lower levels.
>
> So as you can see, both solutions almost work, but not quite...
>
> ----
> Also I am NOT willing to block inheritance as a solution.
> Blocking inheritance is a sloppy way of managing permissions as it
> makes it very difficult to complete system wide changes (e.g.:
> granting a new group access to data across an entire folder
> structure).
>
> Hopefully some smart person out there can help me out.
> I have been looking into this for some time and it's really bugging me.
>
> Thanks in advance!
> Regards,
> Adrian

Guest Logging.Notification@gmail.com
Posted December 11, 2007

Re: NTFS Permissions Issue (Locking Down a Top-Level data folders)

I wish I knew :-/
There must be some smart cookie out there that knows the answer..

Adrian
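
Added example, not part of any post in this thread: a PowerShell form of the two scoped entries from Solution 2, with "Create Files" and "Create Folders" added to the "This Folder only" entry so that items can be created directly under the top-level folder. The function name, path and group are hypothetical, and it assumes no other entry grants the group Delete on the folder or "Delete Subfolders and Files" on its parent; inheritance is not blocked.

```powershell
# Added example; function name, path and group below are hypothetical.
function Set-TopLevelFolderAcl {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,   # e.g. 'X:\TL-Folder-A'
        [Parameter(Mandatory = $true)] [string] $Group   # e.g. 'EXAMPLE\TL-Folder-A-Users'
    )

    # Entry 1, scope "This folder only": Read & Execute plus the two create
    # rights. Without Create Files / Create Folders on the folder itself,
    # nothing can be added directly under it (the gap seen in Solution 2).
    # Delete is not granted here, so this entry does not allow deleting,
    # moving or renaming the top-level folder.
    $onFolder = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group,
        [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, CreateFiles, CreateDirectories',
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    # Entry 2, scope "Subfolders and files only": Modify, inherited by every
    # descendant but not applied to the top-level folder (InheritOnly).
    $onChildren = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AccessControlType]::Allow)

    # Add both entries to the existing ACL; inheritance from the parent is
    # left as it is (no SetAccessRuleProtection call).
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($onFolder)
    $acl.AddAccessRule($onChildren)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Return the explicit (non-inherited) entries so the scopes can be checked.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

# Set-TopLevelFolderAcl -Path 'X:\TL-Folder-A' -Group 'EXAMPLE\TL-Folder-A-Users'
```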