Allow saves and reads but not edits

March 28, 2005 2:01:01 PM

Archived from groups: microsoft.public.win2000.security

Dumb question but I can't make this work the way we desire. Shared folder on
W2k DC. On a particular folder we want to allow users to read files, but not
to be able to edit those files directly on shared drive and still be able to
save new files to that shared folder. I have allowed permissions for Read,
List contents, Read & Exe. In advanced permissions I have allowed Traverse
folder/Exe, List folder/Read data, Read Attributes, Read Extended Att.,
Create files/Write data. I apply and OK yet folder is listed as read only
and behaves as if it is read only. It never allows to save a file to it.
What am I missing here? I want to allow new files to be saved to this
folder, just not changes to already existing ones. Thanks

Anonymous
March 29, 2005 5:14:56 AM

To what was the ACE applied where you have in advanced
view set Create files/Write data ?
Suppose you have a new folder, and on it there are two
ACEs. One granting Administrators Full control and the
other granting Users Full control.
If in the generic rights view you were to highlight the Users
ACE and then uncheck all except List folder content and
also Read, then when you leave the generic view and go to
the detail view by clicking Advanced you will see for Users
that there are two ACEs. One is set for This folder, subfolders
and files and it grants Read. The other is set for This folder
and subfolders and it grants Read & Execute.
Highlight this second one that does not apply to files, and
then click on Edit.
In this edit view of the ACE check Create files / write data
and apply the change so that the Read & Execute ACE is now
shown as a Special grant.
Now, one more thing is needed, as a concession to the use of
temporary files, and this does weaken the result from what you
have specified as needed.
In the generic view add a new ACE for Creator Owner, and
uncheck all grants except for Write. Then, switch to the Advanced
view, highlight this new ACE and edit it to remove all grants
except for Delete (not Delete subfolders and files, just Delete).
In the Applies to dropbox set this to Subfolders and files.
So, you end up with a new ACE granting to Creator Owner
Delete which applies to Subfolders and files.

You should now have almost just what you were after, except
that the individual that first dropped a given file into the folder
will be able to delete it. Others will not, but the initial contributor
will have this ability. This weakening is needed in order to allow
that account to delete temp files that are made in the directory in
the process of the initial save.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Anonymous
March 29, 2005 1:26:39 PM

Explicitly set the Read Permission to Allow for the files you want read
only access to (the already existing ones). Go to the Advanced Security
Settings dialog for those files and uncheck the "Allow inheritable
permissions from the parent to propagate this object..." option. Set the
permissions on the folder level as you want the newly created files to
inherit.

--
Aarohi Johal
MCSE, MCSA, MCDBA
April 6, 2005 7:11:02 PM

I tried this and it doesn't work. The part of already created files works,
you can read but not save as original. Users cannot save new files to the
drive. They get a disk is full error 5987 message, even though drive has 117
GB free. Anything else to try? Thanks

Anonymous
April 9, 2005 6:42:44 PM

Then very possibly that "save" is attempting to use a temp
file and rename it.
You can place a grant to Creator Owner on Modify.
This will allow the original "saver" to have more permissions
than you were after, but will not affect the permissions of any
other account relative to the new file.

--
Roger
April 11, 2005 4:33:03 PM

Thanks. I added Creator Owner to permissions but it still will not save to
the share drive folder. Now it tells me it can't find file. It saves a
blank file of same name and a temp file. Share permissions allow Domain Users
Change and read so I don't see what else it could be.

Anonymous
April 12, 2005 11:57:10 AM

OK. I must be missing something here, not seeing what you
are seeing in the NTFS permissions editor.
Basically, your scenario could be closely approximated if
you have share level allowing Change to Users (you want them
able to save new files), and then for NTFS permissions they
will need grants for users of
List and Read
and Write that is set to Files Only
and due to temp files the Creator Owner Modify
To set the Users effectively if one starts with a grant
that has only Write showing in the generic view and then go
into advanced and edit to change this to Files only, then apply
and ok to get back to where you can add Read/Execute for
Users (which will include List). If you then check in the
advanced view you should see two ACEs for Users.
If you do things in other orders it can get difficult as the
NTFS editor will merge ACEs when it sees they are redundant
and you do not get the chance to adjust the advanced settings
the way you want.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
April 12, 2005 1:08:04 PM

Ok thanks I got it working correctly now. I removed the domain users and
creator owner and started over. I had to give Domain Users List and Read
generic permission otherwise as files only they could not access folders.
Then they got special permission on files only to create files but not append
data. Then I added Creator/Owner special permissions to files only for
Modify and it works as intended. Thank you very much for your help and
patience.

Anonymous
April 13, 2005 3:32:12 AM

"Brian" <Brian@discussions.microsoft.com> wrote in message
news:972CF792-0671-47F6-B00A-8BC451F43597@microsoft.com...
> Ok thanks I got it working correctly now. I removed the domain users and
> creator owner and started over. I had to give Domain Users List and Read
> generic permission otherwise as files only they could not access folders.
> Then they got special permission on files only to create files but not append
> data. Then I added Creator/Owner special permissions to files only for
> Modify and it works as intended. Thank you very much for your help and
> patience.
>

No problem. Glad you got it working as intended (nearly).
A first trip into the individual bits of the ACEs can be a
little trying.

--
Roger
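
The ACL from Roger Abell's first reply in this thread, written out as a script; this is an added example, not something any participant posted. It assumes an elevated PowerShell session (PowerShell does not ship with the Windows 2000 server discussed), and the parameter names `$Path`, `$Group` and `$CreatorOwnerRights` and the helper `New-AllowRule` are hypothetical.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell session;
# $Path and $Group are placeholders supplied by the caller.
param(
    [Parameter(Mandatory = $true)] [string] $Path,
    [string] $Group = 'BUILTIN\Users',
    # First reply in the thread: Delete. Follow-up reply: Modify, for
    # applications that save through a temp file and then rename it.
    [System.Security.AccessControl.FileSystemRights] $CreatorOwnerRights = 'Delete'
)
$ErrorActionPreference = 'Stop'

# Well-known SIDs, so the script does not depend on localized account names.
$admins       = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$creatorOwner = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-0'
$users        = New-Object System.Security.Principal.NTAccount $Group

function New-AllowRule {
    param(
        [System.Security.Principal.IdentityReference]    $Identity,
        [System.Security.AccessControl.FileSystemRights] $Rights,
        [System.Security.AccessControl.InheritanceFlags] $Inherit,
        [System.Security.AccessControl.PropagationFlags] $Propagate
    )
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, $allow
}

# "Applies to" choices in the Advanced dialog, as inheritance/propagation flags:
#   This folder, subfolders and files -> ContainerInherit, ObjectInherit / None
#   This folder and subfolders        -> ContainerInherit                / None
#   Subfolders and files only         -> ContainerInherit, ObjectInherit / InheritOnly
$rules = @(
    (New-AllowRule $admins 'FullControl' 'ContainerInherit, ObjectInherit' 'None'),

    # Users can read everything, including the files.
    (New-AllowRule $users 'Read' 'ContainerInherit, ObjectInherit' 'None'),

    # CreateFiles and WriteData are the same access bit. Granted on folders it
    # means "create a file here"; inherited by files it would mean "write to
    # this file". This ACE therefore must not carry ObjectInherit.
    (New-AllowRule $users 'ReadAndExecute, CreateFiles' 'ContainerInherit' 'None'),

    # Inherit-only: on each new child, CREATOR OWNER is replaced by the account
    # that created it, so only the original saver gets this right on the file.
    (New-AllowRule $creatorOwner $CreatorOwnerRights 'ContainerInherit, ObjectInherit' 'InheritOnly')
)

# The reply starts from a new folder; explicit ACEs already present on an
# existing folder are left in place and should be reviewed separately.
if (-not (Test-Path -LiteralPath $Path)) {
    New-Item -ItemType Directory -Path $Path | Out-Null
}

$acl = Get-Acl -LiteralPath $Path
# Stop inheriting from the parent and do not copy the inherited ACEs.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -LiteralPath $Path -AclObject $acl

# Show the result: expect two separate ACEs for $Group with different scopes.
(Get-Acl -LiteralPath $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```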