File server / NTFS permissions

This one has me stumped and I'm guessing because it's so stupid easy this is why Googling has got me no where.

I'm setting up some NTFS permissions. I've created a folder called "Folder1" and given "John Doe" special NTFS permissions (everything except "Full Control" and "Change Ownership") and set it to inherit. I have done the advanced, "Apply Onto" subfolder and files only so he can change all the permissions for everything within "Folder1"
but not the "Folder1" permissions.

When doing this he is unable to create a subdirectory and unable to copy files in to some directories. For kicks I applied (replaced) all child folders with the inherited rules and rebooted but it didn't work.

When checking the subfolders "John Doe" has the correct permissions so they are inherited.

They need full control to create sub directory's..I would add the permission and see what happens

It works with full control. The only issue with that is that I don't want them to be able to modify the permissions. I hope Server 2008 is better as far as permissions. NTFS is good but it takes 2 permission sets just to allow files modification but block folder creation.

merc123 said:

It works with full control. The only issue with that is that I don't want them to be able to modify the permissions. I hope Server 2008 is better as far as permissions. NTFS is good but it takes 2 permission sets just to allow files modification but block folder creation.

Click to expand...

now you know why I use Solaris

we're stuck. I guess I could convert over to Linux

Got to make a couple of presumptions here

I am going to assume you are using Windows 2003 Server, and that you don't want to just create a share and share that folder/space to the users.

You can go in through the security settings/advanced settings for the folder and by clicking Edit for the particular user account, set the following check blocks in the special permissions area.

Check for create files/ Write Data
Check Create Folders / Append Data
Uncheck Write Attributes and Write Extended Attributes
Uncheck Delete Subfolders and Files
Check Traverse Folder / Execute Files
Check List Folder / Read Data
Check Read Permissions
Uncheck Change Permissions
Uncheck Take Ownership

Assuming I understood what you were wanting to do, this user will be able to see/ list / edit / execute files in this folder and subfolders but not delete those files or change ownership or permissions for the folder, subfolders, or files contained therein.

Hope this helps

Robert

Tried that Robert.

What that does is allow them to view files but not edit them. Here is the solution I found:

DENY the "Delete Subfolder & Files", "Delete", and "Create Folders / Append Data" and Apply to "This Folder and subfolders" to the usergroup. Then do another one for that user group and set everything to allow except full control, change permission and take ownership and apply it to "This folder, subfolder, and files."

That effectively prevents a user from creating/deleting folders but they can do whatever they want with files.