How can you make a set of sub-folders read only?

jjanning
Hello everyone,

I have a question on how to make one set of subfolders read-only...with some additional strings attached.

For simplicity, let's assume I'm only using 2 groups, Everyone and Admins.


Here is our setup:

We have a shared folder named "Jobs"
In this folder there are folders with job numbers. Ex: 1000, 1001, 1002, etc...
In these job folders there are folders with letters. Ex: a, b, c, etc...


Here is a visual representation:

Jobs
|-- 1000
|   |-- a
|   |-- b
|   |-- c
|-- 1001
|   |-- a
|   |-- b
|   |-- c
|-- 1002
    |-- a
    |-- b
    |-- c


Here are the two main issues we are trying to solve:
1. Associates will accidentally drag & drop a job number folder into another job number folder. For example, one day we will discover that folder 1000 was moved into folder 1002.
2. Associates will accidentally rename job number folders. For example, folder 1001 was accidentally renamed to 1100.

With that being said, these are the permissions we are trying to enforce, but to no avail.
-Admins have Full control everywhere (this is no problem)
-Inside the "Jobs" folder, Everyone should only be able to read.
-They can NOT modify folder or files
-They can NOT create folders or files
-They can NOT rename folders or files
-They can NOT delete folders or files
-They can NOT move folders or files (cut & paste, drag & drop)
-They can NOT copy folders or files (
-Inside each job number folder (1000, 1001, 1002) and their sub-folders (a, b, c), Everyone has full control.

If anyone has an answer or even knowledge of 3rd party tools it would be much appreciated. We have tried a host of different permission configurations but nothing seems to work.

Thanks in advance for your help.
  • +
    0 Votes
    robo_dev

    If you explicitly deny access to everyone at the jobs folder, then grant all access at number folder, does that not work?

    Is this a domain or workgroup?

    My first guess is that there is some mixup between NTFS permissions vs Share permissions.

    http://technet.microsoft.com/en-us/library/cc754178.aspx

    +
    0 Votes
    Kenone

    At the "Jobs" folder level, turn off inheritance. Then take away their modify and write permissions. Inside that folder you can give them whatever permissions you like and "include subfolders"

    +
    0 Votes
    markp24

    Here are some articles on how to disable drag and drop
    http://www.computing.net/answers/windows-xp/disable-drag-and-drop/140909.html

    or teach the users if they accidentally drag a file/folder into another folder, press Ctrl-Z to undo the drag operation.

    +
    0 Votes
    oldbaritone

    Everything was great until your last sentence:
    -Inside each job number folder (1000, 1001, 1002) and their sub-folders (a, b, c), Everyone has full control.

    That's the killer - if users have full control within the folder, then you can't prevent them from renaming, deleting or dragging things from one folder to another (including between different jobs). Since they have read/create/modify/delete, they could take something from 1002\a and drop it in 1234\d - and there's no reason they couldn't rename folders either - 1002\a might become 1002\1234 because someone was careless.

    This sounds like a homebrew production-control software, no? Any time users are given direct access into the file structure, these things will happen. And the usual way to prevent it is to create a UI front-end that controls what they can do.

    I'm sure there's a commercial application that will meet your needs, but it's probably not free.

    Start at the beginning - figure out what needs to be done in terms of the job, not in terms of a computer. Then figure out what to do to make the job easier with IT. Perhaps a document retrieval/update system might be part of the solution?

    A simple analogy - yes, you could come up with systems and alarms to make firefighting easier, but the simple solution is to take the matches away from the child.

    Likewise here - don't give end users "full control" in the file system. You're just letting them "play with matches" when you do.

    And there's one MAJOR issue you didn't address - everything said "Associates will accidentally ..." What happens if you have a disgruntled Associate who "intentionally" starts messing with the data? I suspect it would be a nightmare.

    +
    0 Votes
    jjanning

    First, let me say thank you for all the replies. Hopefully I can clear up any uncertainties.

    First, I am familiar with xcacls and use it with a job creation script I wrote to provide specific permissions on some of the sub-folders. I am under the impression that xcacls does NOT provide any additional functionality that you can't manually set in the folder's properties. If this is incorrect, I will gladly accept someone telling me I'm wrong and look further into it.

    Second, this is a domain and everyone has the "jobs" folder set as a mapped drive which means I can NOT deny them access to that folder. They must be able to see all the job number folders.

    Third, disabling drag & drop on the Start menu doesn't disable it in Windows Explorer. Also, there are ~130 users that would need to be told "Don't do this or press Ctrl+Z" and ~129 of those users would forget 5 seconds later.

    Unfortunately, oldbaritone hit the nail on the head with where my problem truly lies and if what he says is right, there may be no way to do this.

    The following settings are the closest I've come to a solution. These permissions are for the Everyone group:

    Jobs folder: Share permissions = Full, Security permissions = Read Only (This folder only) & Full (Subfolders and files only)

    This satisfies every requirement except they can still drag&drop and cut&paste a job number folder into another.

    Additional thoughts, questions, and concerns are welcome!
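
An added PowerShell example (not from any poster in the thread) of the "This folder only" / "Subfolders and files only" split discussed above, applied one level lower: each job number folder gives Everyone no Delete right on the folder itself, which a rename or move of that folder requires, while its contents inherit Modify. Assumptions: BUILTIN\Administrators stands in for "Admins", Modify replaces Full control so users cannot edit ACLs, and the tree, path and helper names are constructed for the demo.

```powershell
# Added example: builds a constructed Jobs tree under TEMP, not the poster's share.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'       # Everyone
$admins   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators (assumed "Admins")

function New-Rule {            # hypothetical helper: build one Allow ACE
    param([System.Security.Principal.IdentityReference]$Sid,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit = 'None',
          [System.Security.AccessControl.PropagationFlags]$Propagate = 'None')
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Sid, $Rights, $Inherit, $Propagate, [System.Security.AccessControl.AccessControlType]::Allow)
}

function Set-ProtectedAcl {    # hypothetical helper: replace the DACL with exactly $Rules
    param([string]$Path, [object[]]$Rules)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)     # stop inheriting; inherited ACEs are dropped
    $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        ForEach-Object { [void]$acl.RemoveAccessRuleSpecific($_) }   # clear old explicit ACEs
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-JobFolderLocked {  # true when no Everyone ACE applying to the folder itself allows
    param([string]$Path)         # Delete, ChangePermissions or TakeOwnership
    $bad   = [int][System.Security.AccessControl.FileSystemRights]'Delete, ChangePermissions, TakeOwnership'
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $hits  = $rules | Where-Object {
        $_.IdentityReference -eq $everyone -and $_.AccessControlType -eq 'Allow' -and
        -not ([int]$_.PropagationFlags -band 2) -and   # 2 = InheritOnly (ACE skips the folder itself)
        ([int]$_.FileSystemRights -band $bad) -ne 0 }
    -not $hits
}

$jobs = Join-Path $env:TEMP 'Jobs-acl-demo'
foreach ($n in '1000', '1001', '1002') { foreach ($l in 'a', 'b', 'c') {
    New-Item -ItemType Directory -Force -Path (Join-Path $jobs "$n\$l") | Out-Null } }

$both      = 'ContainerInherit, ObjectInherit'
$adminFull = New-Rule $admins 'FullControl' $both
foreach ($job in Get-ChildItem -LiteralPath $jobs -Directory) {
    Set-ProtectedAcl $job.FullName @(
        $adminFull,
        (New-Rule $everyone 'ReadAndExecute, CreateFiles, CreateDirectories'),  # this folder only
        (New-Rule $everyone 'Modify' $both 'InheritOnly'))                      # subfolders and files only
}
Set-ProtectedAcl $jobs @($adminFull, (New-Rule $everyone 'ReadAndExecute'))     # Jobs: read-only, this folder only

Get-ChildItem -LiteralPath $jobs -Directory | ForEach-Object {
    '{0}: locked = {1}' -f $_.Name, (Test-JobFolderLocked $_.FullName) }
```

Under this layout the lettered folders and files can still be moved from one job to another, which is the limit oldbaritone describes.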