Sign in with
Sign up | Sign in
Your question

How to restrict access to just Files, not Folders

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
January 30, 2005 2:15:02 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I want to restrict access to users to be able to create, delete, modify
files, but not folders.
The security options are not granular enough that I can tell.
If I unselect Delete Subfolders and Files AND Delete, then folders cannot be
deleted, but either can files.
If I unselect just Delete Subfolders and Files, and leave Delete, then both
can be deleted. Same is true if just Delete Subfolders and Files is selected.

Any recommendations is requested and appreciated.

Thank you.

Tom Gibson
Anonymous
a b 8 Security
January 30, 2005 9:15:01 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Did you use the "Apply onto:" drop down option to match the target object
such as:

"This folder only"
"This folder, subfolders and files"
"This folder and subfolders"
"This folder and files"
etc.

Another option "Apply these permissions to objects and/or containers within
this container only" may help as well (found at bottom of the same
permissions entry dialog box).

Do let us know if this helps. Thanks!


"Tom Gibson" wrote:

> I want to restrict access to users to be able to create, delete, modify
> files, but not folders.
> The security options are not granular enough that I can tell.
> If I unselect Delete Subfolders and Files AND Delete, then folders cannot be
> deleted, but either can files.
> If I unselect just Delete Subfolders and Files, and leave Delete, then both
> can be deleted. Same is true if just Delete Subfolders and Files is selected.
>
> Any recommendations is requested and appreciated.
>
> Thank you.
>
> Tom Gibson
Anonymous
a b 8 Security
January 30, 2005 10:46:34 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Tom,
As Desmond has indicated you must use the selector in the
advanced editing view to set an ACE of modify so that it
applies to Files Only.
All of the security bits have meaning that can differ slightly
depending on whether an object (file) or container (folder)
is being considered. That is why you find that the same
checkbox is titled such as Delete Subfolders and Files
and it will have that effect as long as the ACE is set to
Apply to Subfolders and files or This folder, subfolders,
and files. If you need only the file interpretation then you
must set it so that it does not apply to folders.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Tom Gibson" <Tom Gibson@discussions.microsoft.com> wrote in message
news:EF4D0033-221C-4201-A893-90C536D34349@microsoft.com...
> I want to restrict access to users to be able to create, delete, modify
> files, but not folders.
> The security options are not granular enough that I can tell.
> If I unselect Delete Subfolders and Files AND Delete, then folders cannot
be
> deleted, but either can files.
> If I unselect just Delete Subfolders and Files, and leave Delete, then
both
> can be deleted. Same is true if just Delete Subfolders and Files is
selected.
>
> Any recommendations is requested and appreciated.
>
> Thank you.
>
> Tom Gibson
Related resources
Anonymous
a b 8 Security
January 30, 2005 3:50:36 PM

Archived from groups: microsoft.public.win2000.security (More info?)

This should work. On the main security page give the group read/list/execute
to the folder. Then go into "advanced" permissions and add the group again.
Then select "folder and subfolder" in the apply onto box and check all the
permissions other than full control and change permissions. What many seem
to miss is that a user or group can be listed multiple times in advanced
permissions. --- Steve


"Tom Gibson" <Tom Gibson@discussions.microsoft.com> wrote in message
news:EF4D0033-221C-4201-A893-90C536D34349@microsoft.com...
>I want to restrict access to users to be able to create, delete, modify
> files, but not folders.
> The security options are not granular enough that I can tell.
> If I unselect Delete Subfolders and Files AND Delete, then folders cannot
> be
> deleted, but either can files.
> If I unselect just Delete Subfolders and Files, and leave Delete, then
> both
> can be deleted. Same is true if just Delete Subfolders and Files is
> selected.
>
> Any recommendations is requested and appreciated.
>
> Thank you.
>
> Tom Gibson
Anonymous
a b 8 Security
January 30, 2005 4:05:02 PM

Archived from groups: microsoft.public.win2000.security (More info?)

to all: thanks for the quick responses.
I had selected the constraint of Files only, but then my users were not
permitted to traverse any subfolders.

I had missed the fact that users could be listed in the Advanced page more
than once. I shall have to try that.

My solution:
Authenticated Users: Traverse Folder / List access - This folder, subfolders
and files
Folder Admins: Modify - This folder, subfolders and files
Folder Users: Modify - Files only

Then I reset it for all objects below.
Now, when for each folder, the files have the permissions required. A user
can add, delete, modify any files. But to traverse the folders, they are
using the Authenticated Users permissions.

Thanks

"Steven L Umbach" wrote:

> This should work. On the main security page give the group read/list/execute
> to the folder. Then go into "advanced" permissions and add the group again.
> Then select "folder and subfolder" in the apply onto box and check all the
> permissions other than full control and change permissions. What many seem
> to miss is that a user or group can be listed multiple times in advanced
> permissions. --- Steve
>
>
> "Tom Gibson" <Tom Gibson@discussions.microsoft.com> wrote in message
> news:EF4D0033-221C-4201-A893-90C536D34349@microsoft.com...
> >I want to restrict access to users to be able to create, delete, modify
> > files, but not folders.
> > The security options are not granular enough that I can tell.
> > If I unselect Delete Subfolders and Files AND Delete, then folders cannot
> > be
> > deleted, but either can files.
> > If I unselect just Delete Subfolders and Files, and leave Delete, then
> > both
> > can be deleted. Same is true if just Delete Subfolders and Files is
> > selected.
> >
> > Any recommendations is requested and appreciated.
> >
> > Thank you.
> >
> > Tom Gibson
>
>
>
Anonymous
a b 8 Security
January 30, 2005 9:24:06 PM

Archived from groups: microsoft.public.win2000.security (More info?)

It looks like you pretty much did what I suggested with two different groups
though I believe I misunderstood your original post thinking that you wanted
to let users create/modify folders but not files for whatever reason. You
will find that you have great flexibility with advanced permissions and I
usually try to accomplish a configuration without using deny permissions
which tend to complicate things, particularly since an explicit allow
overrides an inherited deny. --- Steve


"Tom Gibson" <Tom Gibson@discussions.microsoft.com> wrote in message
news:97E9C963-07EF-4771-91AC-2F56A38AE3DB@microsoft.com...
> to all: thanks for the quick responses.
> I had selected the constraint of Files only, but then my users were not
> permitted to traverse any subfolders.
>
> I had missed the fact that users could be listed in the Advanced page more
> than once. I shall have to try that.
>
> My solution:
> Authenticated Users: Traverse Folder / List access - This folder,
> subfolders
> and files
> Folder Admins: Modify - This folder, subfolders and files
> Folder Users: Modify - Files only
>
> Then I reset it for all objects below.
> Now, when for each folder, the files have the permissions required. A
> user
> can add, delete, modify any files. But to traverse the folders, they are
> using the Authenticated Users permissions.
>
> Thanks
>
> "Steven L Umbach" wrote:
>
>> This should work. On the main security page give the group
>> read/list/execute
>> to the folder. Then go into "advanced" permissions and add the group
>> again.
>> Then select "folder and subfolder" in the apply onto box and check all
>> the
>> permissions other than full control and change permissions. What many
>> seem
>> to miss is that a user or group can be listed multiple times in advanced
>> permissions. --- Steve
>>
>>
>> "Tom Gibson" <Tom Gibson@discussions.microsoft.com> wrote in message
>> news:EF4D0033-221C-4201-A893-90C536D34349@microsoft.com...
>> >I want to restrict access to users to be able to create, delete, modify
>> > files, but not folders.
>> > The security options are not granular enough that I can tell.
>> > If I unselect Delete Subfolders and Files AND Delete, then folders
>> > cannot
>> > be
>> > deleted, but either can files.
>> > If I unselect just Delete Subfolders and Files, and leave Delete, then
>> > both
>> > can be deleted. Same is true if just Delete Subfolders and Files is
>> > selected.
>> >
>> > Any recommendations is requested and appreciated.
>> >
>> > Thank you.
>> >
>> > Tom Gibson
>>
>>
>>
Anonymous
a b 8 Security
January 30, 2005 11:34:15 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I am in total agreement on always finding a way to avoid using
a deny if at all possible.

There is something of an art in finding out how to set advanced,
aka special, permissions with the least frustration and re-attempts.
In example of this post, using only Users group for example, I would
1. set a grant of Modify for Users
2. go to Advanced and change the Modify grant to Files only
3. OK/Apply back to the generic permissions view, and there
set a grant of List folders
There are cases where doing the same things in a different order
causes what has been done to get wiped out because it is implied
in an ACE through which one only temporarily passes if using the
generic permissions dialogue. It can be very frustrating until one
catches on, but so can making sure all the individual checkboxes
of an advanced edit view are in place.

--
Roger
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:umI5CsyBFHA.3416@TK2MSFTNGP09.phx.gbl...
> It looks like you pretty much did what I suggested with two different
> groups though I believe I misunderstood your original post thinking that
> you wanted to let users create/modify folders but not files for whatever
> reason. You will find that you have great flexibility with advanced
> permissions and I usually try to accomplish a configuration without using
> deny permissions which tend to complicate things, particularly since an
> explicit allow overrides an inherited deny. --- Steve
>
>
> "Tom Gibson" <Tom Gibson@discussions.microsoft.com> wrote in message
> news:97E9C963-07EF-4771-91AC-2F56A38AE3DB@microsoft.com...
>> to all: thanks for the quick responses.
>> I had selected the constraint of Files only, but then my users were not
>> permitted to traverse any subfolders.
>>
>> I had missed the fact that users could be listed in the Advanced page
>> more
>> than once. I shall have to try that.
>>
>> My solution:
>> Authenticated Users: Traverse Folder / List access - This folder,
>> subfolders
>> and files
>> Folder Admins: Modify - This folder, subfolders and files
>> Folder Users: Modify - Files only
>>
>> Then I reset it for all objects below.
>> Now, when for each folder, the files have the permissions required. A
>> user
>> can add, delete, modify any files. But to traverse the folders, they are
>> using the Authenticated Users permissions.
>>
>> Thanks
>>
>> "Steven L Umbach" wrote:
>>
>>> This should work. On the main security page give the group
>>> read/list/execute
>>> to the folder. Then go into "advanced" permissions and add the group
>>> again.
>>> Then select "folder and subfolder" in the apply onto box and check all
>>> the
>>> permissions other than full control and change permissions. What many
>>> seem
>>> to miss is that a user or group can be listed multiple times in advanced
>>> permissions. --- Steve
>>>
>>>
>>> "Tom Gibson" <Tom Gibson@discussions.microsoft.com> wrote in message
>>> news:EF4D0033-221C-4201-A893-90C536D34349@microsoft.com...
>>> >I want to restrict access to users to be able to create, delete, modify
>>> > files, but not folders.
>>> > The security options are not granular enough that I can tell.
>>> > If I unselect Delete Subfolders and Files AND Delete, then folders
>>> > cannot
>>> > be
>>> > deleted, but either can files.
>>> > If I unselect just Delete Subfolders and Files, and leave Delete, then
>>> > both
>>> > can be deleted. Same is true if just Delete Subfolders and Files is
>>> > selected.
>>> >
>>> > Any recommendations is requested and appreciated.
>>> >
>>> > Thank you.
>>> >
>>> > Tom Gibson
>>>
>>>
>>>
>
>
Anonymous
a b 8 Security
January 31, 2005 1:50:53 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I like that method! It does certainly simplify the task. Simple is good.
Thanks. --- Steve


"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:o T5yNo0BFHA.3096@TK2MSFTNGP14.phx.gbl...
>I am in total agreement on always finding a way to avoid using
> a deny if at all possible.
>
> There is something of an art in finding out how to set advanced,
> aka special, permissions with the least frustration and re-attempts.
> In example of this post, using only Users group for example, I would
> 1. set a grant of Modify for Users
> 2. go to Advanced and change the Modify grant to Files only
> 3. OK/Apply back to the generic permissions view, and there
> set a grant of List folders
> There are cases where doing the same things in a different order
> causes what has been done to get wiped out because it is implied
> in an ACE through which one only temporarily passes if using the
> generic permissions dialogue. It can be very frustrating until one
> catches on, but so can making sure all the individual checkboxes
> of an advanced edit view are in place.
>
> --
> Roger
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:umI5CsyBFHA.3416@TK2MSFTNGP09.phx.gbl...
>> It looks like you pretty much did what I suggested with two different
>> groups though I believe I misunderstood your original post thinking that
>> you wanted to let users create/modify folders but not files for whatever
>> reason. You will find that you have great flexibility with advanced
>> permissions and I usually try to accomplish a configuration without using
>> deny permissions which tend to complicate things, particularly since an
>> explicit allow overrides an inherited deny. --- Steve
>>
>>
>> "Tom Gibson" <Tom Gibson@discussions.microsoft.com> wrote in message
>> news:97E9C963-07EF-4771-91AC-2F56A38AE3DB@microsoft.com...
>>> to all: thanks for the quick responses.
>>> I had selected the constraint of Files only, but then my users were not
>>> permitted to traverse any subfolders.
>>>
>>> I had missed the fact that users could be listed in the Advanced page
>>> more
>>> than once. I shall have to try that.
>>>
>>> My solution:
>>> Authenticated Users: Traverse Folder / List access - This folder,
>>> subfolders
>>> and files
>>> Folder Admins: Modify - This folder, subfolders and files
>>> Folder Users: Modify - Files only
>>>
>>> Then I reset it for all objects below.
>>> Now, when for each folder, the files have the permissions required. A
>>> user
>>> can add, delete, modify any files. But to traverse the folders, they
>>> are
>>> using the Authenticated Users permissions.
>>>
>>> Thanks
>>>
>>> "Steven L Umbach" wrote:
>>>
>>>> This should work. On the main security page give the group
>>>> read/list/execute
>>>> to the folder. Then go into "advanced" permissions and add the group
>>>> again.
>>>> Then select "folder and subfolder" in the apply onto box and check all
>>>> the
>>>> permissions other than full control and change permissions. What many
>>>> seem
>>>> to miss is that a user or group can be listed multiple times in
>>>> advanced
>>>> permissions. --- Steve
>>>>
>>>>
>>>> "Tom Gibson" <Tom Gibson@discussions.microsoft.com> wrote in message
>>>> news:EF4D0033-221C-4201-A893-90C536D34349@microsoft.com...
>>>> >I want to restrict access to users to be able to create, delete,
>>>> >modify
>>>> > files, but not folders.
>>>> > The security options are not granular enough that I can tell.
>>>> > If I unselect Delete Subfolders and Files AND Delete, then folders
>>>> > cannot
>>>> > be
>>>> > deleted, but either can files.
>>>> > If I unselect just Delete Subfolders and Files, and leave Delete,
>>>> > then
>>>> > both
>>>> > can be deleted. Same is true if just Delete Subfolders and Files is
>>>> > selected.
>>>> >
>>>> > Any recommendations is requested and appreciated.
>>>> >
>>>> > Thank you.
>>>> >
>>>> > Tom Gibson
>>>>
>>>>
>>>>
>>
>>
>
>
!