How to restrict access to just Files, not Folders

Archived from groups: microsoft.public.win2000.security (More info?)

I want to restrict access to users to be able to create, delete, modify
files, but not folders.
The security options are not granular enough that I can tell.
If I unselect Delete Subfolders and Files AND Delete, then folders cannot be
deleted, but either can files.
If I unselect just Delete Subfolders and Files, and leave Delete, then both
can be deleted. Same is true if just Delete Subfolders and Files is selected.

Any recommendations is requested and appreciated.

Thank you.

Tom Gibson
7 answers Last reply
More about restrict access files folders
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    Did you use the "Apply onto:" drop down option to match the target object
    such as:

    "This folder only"
    "This folder, subfolders and files"
    "This folder and subfolders"
    "This folder and files"
    etc.

    Another option "Apply these permissions to objects and/or containers within
    this container only" may help as well (found at bottom of the same
    permissions entry dialog box).

    Do let us know if this helps. Thanks!


    "Tom Gibson" wrote:

    > I want to restrict access to users to be able to create, delete, modify
    > files, but not folders.
    > The security options are not granular enough that I can tell.
    > If I unselect Delete Subfolders and Files AND Delete, then folders cannot be
    > deleted, but either can files.
    > If I unselect just Delete Subfolders and Files, and leave Delete, then both
    > can be deleted. Same is true if just Delete Subfolders and Files is selected.
    >
    > Any recommendations is requested and appreciated.
    >
    > Thank you.
    >
    > Tom Gibson
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Tom,
    As Desmond has indicated you must use the selector in the
    advanced editing view to set an ACE of modify so that it
    applies to Files Only.
    All of the security bits have meaning that can differ slightly
    depending on whether an object (file) or container (folder)
    is being considered. That is why you find that the same
    checkbox is titled such as Delete Subfolders and Files
    and it will have that effect as long as the ACE is set to
    Apply to Subfolders and files or This folder, subfolders,
    and files. If you need only the file interpretation then you
    must set it so that it does not apply to folders.
    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Tom Gibson" <Tom Gibson@discussions.microsoft.com> wrote in message
    news:EF4D0033-221C-4201-A893-90C536D34349@microsoft.com...
    > I want to restrict access to users to be able to create, delete, modify
    > files, but not folders.
    > The security options are not granular enough that I can tell.
    > If I unselect Delete Subfolders and Files AND Delete, then folders cannot
    be
    > deleted, but either can files.
    > If I unselect just Delete Subfolders and Files, and leave Delete, then
    both
    > can be deleted. Same is true if just Delete Subfolders and Files is
    selected.
    >
    > Any recommendations is requested and appreciated.
    >
    > Thank you.
    >
    > Tom Gibson
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    This should work. On the main security page give the group read/list/execute
    to the folder. Then go into "advanced" permissions and add the group again.
    Then select "folder and subfolder" in the apply onto box and check all the
    permissions other than full control and change permissions. What many seem
    to miss is that a user or group can be listed multiple times in advanced
    permissions. --- Steve


    "Tom Gibson" <Tom Gibson@discussions.microsoft.com> wrote in message
    news:EF4D0033-221C-4201-A893-90C536D34349@microsoft.com...
    >I want to restrict access to users to be able to create, delete, modify
    > files, but not folders.
    > The security options are not granular enough that I can tell.
    > If I unselect Delete Subfolders and Files AND Delete, then folders cannot
    > be
    > deleted, but either can files.
    > If I unselect just Delete Subfolders and Files, and leave Delete, then
    > both
    > can be deleted. Same is true if just Delete Subfolders and Files is
    > selected.
    >
    > Any recommendations is requested and appreciated.
    >
    > Thank you.
    >
    > Tom Gibson
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    to all: thanks for the quick responses.
    I had selected the constraint of Files only, but then my users were not
    permitted to traverse any subfolders.

    I had missed the fact that users could be listed in the Advanced page more
    than once. I shall have to try that.

    My solution:
    Authenticated Users: Traverse Folder / List access - This folder, subfolders
    and files
    Folder Admins: Modify - This folder, subfolders and files
    Folder Users: Modify - Files only

    Then I reset it for all objects below.
    Now, when for each folder, the files have the permissions required. A user
    can add, delete, modify any files. But to traverse the folders, they are
    using the Authenticated Users permissions.

    Thanks

    "Steven L Umbach" wrote:

    > This should work. On the main security page give the group read/list/execute
    > to the folder. Then go into "advanced" permissions and add the group again.
    > Then select "folder and subfolder" in the apply onto box and check all the
    > permissions other than full control and change permissions. What many seem
    > to miss is that a user or group can be listed multiple times in advanced
    > permissions. --- Steve
    >
    >
    > "Tom Gibson" <Tom Gibson@discussions.microsoft.com> wrote in message
    > news:EF4D0033-221C-4201-A893-90C536D34349@microsoft.com...
    > >I want to restrict access to users to be able to create, delete, modify
    > > files, but not folders.
    > > The security options are not granular enough that I can tell.
    > > If I unselect Delete Subfolders and Files AND Delete, then folders cannot
    > > be
    > > deleted, but either can files.
    > > If I unselect just Delete Subfolders and Files, and leave Delete, then
    > > both
    > > can be deleted. Same is true if just Delete Subfolders and Files is
    > > selected.
    > >
    > > Any recommendations is requested and appreciated.
    > >
    > > Thank you.
    > >
    > > Tom Gibson
    >
    >
    >
  5. Archived from groups: microsoft.public.win2000.security (More info?)

    It looks like you pretty much did what I suggested with two different groups
    though I believe I misunderstood your original post thinking that you wanted
    to let users create/modify folders but not files for whatever reason. You
    will find that you have great flexibility with advanced permissions and I
    usually try to accomplish a configuration without using deny permissions
    which tend to complicate things, particularly since an explicit allow
    overrides an inherited deny. --- Steve


    "Tom Gibson" <Tom Gibson@discussions.microsoft.com> wrote in message
    news:97E9C963-07EF-4771-91AC-2F56A38AE3DB@microsoft.com...
    > to all: thanks for the quick responses.
    > I had selected the constraint of Files only, but then my users were not
    > permitted to traverse any subfolders.
    >
    > I had missed the fact that users could be listed in the Advanced page more
    > than once. I shall have to try that.
    >
    > My solution:
    > Authenticated Users: Traverse Folder / List access - This folder,
    > subfolders
    > and files
    > Folder Admins: Modify - This folder, subfolders and files
    > Folder Users: Modify - Files only
    >
    > Then I reset it for all objects below.
    > Now, when for each folder, the files have the permissions required. A
    > user
    > can add, delete, modify any files. But to traverse the folders, they are
    > using the Authenticated Users permissions.
    >
    > Thanks
    >
    > "Steven L Umbach" wrote:
    >
    >> This should work. On the main security page give the group
    >> read/list/execute
    >> to the folder. Then go into "advanced" permissions and add the group
    >> again.
    >> Then select "folder and subfolder" in the apply onto box and check all
    >> the
    >> permissions other than full control and change permissions. What many
    >> seem
    >> to miss is that a user or group can be listed multiple times in advanced
    >> permissions. --- Steve
    >>
    >>
    >> "Tom Gibson" <Tom Gibson@discussions.microsoft.com> wrote in message
    >> news:EF4D0033-221C-4201-A893-90C536D34349@microsoft.com...
    >> >I want to restrict access to users to be able to create, delete, modify
    >> > files, but not folders.
    >> > The security options are not granular enough that I can tell.
    >> > If I unselect Delete Subfolders and Files AND Delete, then folders
    >> > cannot
    >> > be
    >> > deleted, but either can files.
    >> > If I unselect just Delete Subfolders and Files, and leave Delete, then
    >> > both
    >> > can be deleted. Same is true if just Delete Subfolders and Files is
    >> > selected.
    >> >
    >> > Any recommendations is requested and appreciated.
    >> >
    >> > Thank you.
    >> >
    >> > Tom Gibson
    >>
    >>
    >>
  6. Archived from groups: microsoft.public.win2000.security (More info?)

    I am in total agreement on always finding a way to avoid using
    a deny if at all possible.

    There is something of an art in finding out how to set advanced,
    aka special, permissions with the least frustration and re-attempts.
    In example of this post, using only Users group for example, I would
    1. set a grant of Modify for Users
    2. go to Advanced and change the Modify grant to Files only
    3. OK/Apply back to the generic permissions view, and there
    set a grant of List folders
    There are cases where doing the same things in a different order
    causes what has been done to get wiped out because it is implied
    in an ACE through which one only temporarily passes if using the
    generic permissions dialogue. It can be very frustrating until one
    catches on, but so can making sure all the individual checkboxes
    of an advanced edit view are in place.

    --
    Roger
    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:umI5CsyBFHA.3416@TK2MSFTNGP09.phx.gbl...
    > It looks like you pretty much did what I suggested with two different
    > groups though I believe I misunderstood your original post thinking that
    > you wanted to let users create/modify folders but not files for whatever
    > reason. You will find that you have great flexibility with advanced
    > permissions and I usually try to accomplish a configuration without using
    > deny permissions which tend to complicate things, particularly since an
    > explicit allow overrides an inherited deny. --- Steve
    >
    >
    > "Tom Gibson" <Tom Gibson@discussions.microsoft.com> wrote in message
    > news:97E9C963-07EF-4771-91AC-2F56A38AE3DB@microsoft.com...
    >> to all: thanks for the quick responses.
    >> I had selected the constraint of Files only, but then my users were not
    >> permitted to traverse any subfolders.
    >>
    >> I had missed the fact that users could be listed in the Advanced page
    >> more
    >> than once. I shall have to try that.
    >>
    >> My solution:
    >> Authenticated Users: Traverse Folder / List access - This folder,
    >> subfolders
    >> and files
    >> Folder Admins: Modify - This folder, subfolders and files
    >> Folder Users: Modify - Files only
    >>
    >> Then I reset it for all objects below.
    >> Now, when for each folder, the files have the permissions required. A
    >> user
    >> can add, delete, modify any files. But to traverse the folders, they are
    >> using the Authenticated Users permissions.
    >>
    >> Thanks
    >>
    >> "Steven L Umbach" wrote:
    >>
    >>> This should work. On the main security page give the group
    >>> read/list/execute
    >>> to the folder. Then go into "advanced" permissions and add the group
    >>> again.
    >>> Then select "folder and subfolder" in the apply onto box and check all
    >>> the
    >>> permissions other than full control and change permissions. What many
    >>> seem
    >>> to miss is that a user or group can be listed multiple times in advanced
    >>> permissions. --- Steve
    >>>
    >>>
    >>> "Tom Gibson" <Tom Gibson@discussions.microsoft.com> wrote in message
    >>> news:EF4D0033-221C-4201-A893-90C536D34349@microsoft.com...
    >>> >I want to restrict access to users to be able to create, delete, modify
    >>> > files, but not folders.
    >>> > The security options are not granular enough that I can tell.
    >>> > If I unselect Delete Subfolders and Files AND Delete, then folders
    >>> > cannot
    >>> > be
    >>> > deleted, but either can files.
    >>> > If I unselect just Delete Subfolders and Files, and leave Delete, then
    >>> > both
    >>> > can be deleted. Same is true if just Delete Subfolders and Files is
    >>> > selected.
    >>> >
    >>> > Any recommendations is requested and appreciated.
    >>> >
    >>> > Thank you.
    >>> >
    >>> > Tom Gibson
    >>>
    >>>
    >>>
    >
    >
  7. Archived from groups: microsoft.public.win2000.security (More info?)

    I like that method! It does certainly simplify the task. Simple is good.
    Thanks. --- Steve


    "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
    news:OT5yNo0BFHA.3096@TK2MSFTNGP14.phx.gbl...
    >I am in total agreement on always finding a way to avoid using
    > a deny if at all possible.
    >
    > There is something of an art in finding out how to set advanced,
    > aka special, permissions with the least frustration and re-attempts.
    > In example of this post, using only Users group for example, I would
    > 1. set a grant of Modify for Users
    > 2. go to Advanced and change the Modify grant to Files only
    > 3. OK/Apply back to the generic permissions view, and there
    > set a grant of List folders
    > There are cases where doing the same things in a different order
    > causes what has been done to get wiped out because it is implied
    > in an ACE through which one only temporarily passes if using the
    > generic permissions dialogue. It can be very frustrating until one
    > catches on, but so can making sure all the individual checkboxes
    > of an advanced edit view are in place.
    >
    > --
    > Roger
    > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    > news:umI5CsyBFHA.3416@TK2MSFTNGP09.phx.gbl...
    >> It looks like you pretty much did what I suggested with two different
    >> groups though I believe I misunderstood your original post thinking that
    >> you wanted to let users create/modify folders but not files for whatever
    >> reason. You will find that you have great flexibility with advanced
    >> permissions and I usually try to accomplish a configuration without using
    >> deny permissions which tend to complicate things, particularly since an
    >> explicit allow overrides an inherited deny. --- Steve
    >>
    >>
    >> "Tom Gibson" <Tom Gibson@discussions.microsoft.com> wrote in message
    >> news:97E9C963-07EF-4771-91AC-2F56A38AE3DB@microsoft.com...
    >>> to all: thanks for the quick responses.
    >>> I had selected the constraint of Files only, but then my users were not
    >>> permitted to traverse any subfolders.
    >>>
    >>> I had missed the fact that users could be listed in the Advanced page
    >>> more
    >>> than once. I shall have to try that.
    >>>
    >>> My solution:
    >>> Authenticated Users: Traverse Folder / List access - This folder,
    >>> subfolders
    >>> and files
    >>> Folder Admins: Modify - This folder, subfolders and files
    >>> Folder Users: Modify - Files only
    >>>
    >>> Then I reset it for all objects below.
    >>> Now, when for each folder, the files have the permissions required. A
    >>> user
    >>> can add, delete, modify any files. But to traverse the folders, they
    >>> are
    >>> using the Authenticated Users permissions.
    >>>
    >>> Thanks
    >>>
    >>> "Steven L Umbach" wrote:
    >>>
    >>>> This should work. On the main security page give the group
    >>>> read/list/execute
    >>>> to the folder. Then go into "advanced" permissions and add the group
    >>>> again.
    >>>> Then select "folder and subfolder" in the apply onto box and check all
    >>>> the
    >>>> permissions other than full control and change permissions. What many
    >>>> seem
    >>>> to miss is that a user or group can be listed multiple times in
    >>>> advanced
    >>>> permissions. --- Steve
    >>>>
    >>>>
    >>>> "Tom Gibson" <Tom Gibson@discussions.microsoft.com> wrote in message
    >>>> news:EF4D0033-221C-4201-A893-90C536D34349@microsoft.com...
    >>>> >I want to restrict access to users to be able to create, delete,
    >>>> >modify
    >>>> > files, but not folders.
    >>>> > The security options are not granular enough that I can tell.
    >>>> > If I unselect Delete Subfolders and Files AND Delete, then folders
    >>>> > cannot
    >>>> > be
    >>>> > deleted, but either can files.
    >>>> > If I unselect just Delete Subfolders and Files, and leave Delete,
    >>>> > then
    >>>> > both
    >>>> > can be deleted. Same is true if just Delete Subfolders and Files is
    >>>> > selected.
    >>>> >
    >>>> > Any recommendations is requested and appreciated.
    >>>> >
    >>>> > Thank you.
    >>>> >
    >>>> > Tom Gibson
    >>>>
    >>>>
    >>>>
    >>
    >>
    >
    >
Ask a new question

Read More

Security Windows