How do I deny browse permission while allowing read/write/execute?

[mskennicutt]

I have a server database application that requires all users to have read/write permission to a mapped drive. My big problem with this is that anyone can go to their 'R' drive and delete our entire database. Not good!

I want to see if there is a simple way to deny users the ability to browse the files and folders but still give them read/write ability for files to which they know the exact path. Actually the database program knows what files it needs and where they are and users do not ever need to browse for a file. I believe there is a way to do this using group policy, but almost all of my clients are Windows 98 and I am a post NT administrator (meaning I'm not very familiar with Poledit.)

 

[brontosaurus]

You're complicating the issue. You just need to dig down into the Advanced Security settings for this folder and allow Read and Write/Append Data, but don't allow Delete.

 

[mskennicutt]

Now why didn't I think of that? Thanks... I'm going to check with the software vendor to make sure the application never needs to delete files, but I think that will work.

 

[DanMc]

Be cautious. I tried doing this before with file-server based databases written in Access, and had to give "delete" back. Apps written in Access need to delete the file when they compact or repair the database.

Access appears to be doing this:
1. Compact DATA.MDB
2. Store compacted data in TEMP.MDB
3. Close then Delete DATA.MDB
4. Rename TEMP.MDB to DATA.MDB then re-open.

If the app has a button or menu item for compact/repair, you may be able to make 2 groups of users, though. DB Regular users and DB Maint users, and give Delete only to Maint.

 

[JCDugas]

You could hide the R drive from them? You would also need to disable the command prompt, hide the run command and remove map/disconnect network drives.

 

[mskennicutt]

Well the problem is that our database program is actually coded in such a way that it calls files from the 'R' drive, so on every computer there must be an 'R' drive mapped. I have asked the vendors if they are ever going to change this aspect of the software and they say not in the near future.

 

[JCDugas]

I meant you could "Hide" the R drive from them using a policy.

Are you running AD?

 

[mskennicutt]

Can I use poledit to do that? I'm not familiar with that tool and as I understand it I can't use group policy with Win98 clients. If I can accomplish this using the old NT style poledit, then I will just learn how to use it, but I wanted to make sure it is even possible. The frustrating thing about Group policy is that it is a great tool and very powerful but only Win2000 clients seem to be able to utilize it.

 

[JCDugas]

You'll have to create a policy for your Windows 98 PC's using poledit from a 98 PC. Search on MS web site for how to apply policies to 98 PC's and also search for how to hide drives using system policies.