securing against file deletions by permissions


WillieLoMain

Technical User
May 30, 2001
110
US
Many in my office have access to shared files on the file server.

I think I have figured out that the 2 tabs - SHARING and SECURITY - work as follows.

Permissions under the SHARING tab control the access when files are manipulated ACROSS THE NETWORK.

Security permissions control how users may manipulate files when sitting locally at the machine (or I guess in a TS Session).

Have I got this much right?? If not what am I missing?

If so I will say that - no one has access to the server to sit at it and work locally on it - except for me of course.

Also, there is no one who has TS access except for myself.

Therefore, everyone will access files across the LAN.

The next question then is - SPECIFICALLY - how do I set the shared permissions so that users can access the files they need - change, edit, manipulate etc. these files BUT NOT BE ABLE TO DELETE THEM.

My primary concern here is that, since deletions across the LAN are unrecoverable, I do not want someone to inadvertently make a deletion.

Thanx in advance and sorry for the long post.
 
Set the Sharing permissions to Everyone Full Control. Set the Security of the directories of which you speak, to Read, List Folder Contents, Read and Execute and Write permissions....

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
This has answered and solved my problem thank you.

Simultaneously it has shattered what I thought was my understanding of the way these settings are used.

Please then - can you explain what the difference is between permissions set under the share tab and those set under the security tab.

thanx
 
The permissions button is the Sharing Permissions. This is very basic and doesn't offer much versatility. The security tab is the NTFS permissions, which are much stronger and versatile. It is MS best practice to set Everyone to Full in Sharing and use the NTFS as they are much better and if you use both it is easy to create conflicts and troubles....

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
However, by stopping users from deleting files, you also stop them from renaming them, which seems pretty crap to me!

According to the KB, when a user renames a file, the file is dropped & then recreated with the new name (or vice-versa, cannot remember exactly ;)). Now, I can see there is a danger in allowing users to rename files, but the difference between renaming a file & deleting it (and it being unretrievable across a network) is vast...

James Goodman MCP
 
On the subject of renaming files I have come across the following problem.

I have the lion's share of files stored in a single folder with subfolders based on document type. Security is set as described above.

When I remove the modify permission (so as to prevent deletions) I am having the following problem.

When an excel file is accessed - on attempting to save it - first off it takes about 30 seconds to report - and then I get the following error:

"Save not completed. file rename failed. retry?"

after saying no I get the following msg

"Your changes could not be saved to FILENAME but were saved to a temporary document named TEMPNAME. Close the existing document then open the temporary document and save it under a new name"

I am not sure if this is happening under only excel or if other doc formats have the same problem.

when I enable modify permission the problem no longer occurs.
 
Unfortunately that is the way it works. If the user needs to modify the file, he must have modify permissions. You can either have them do a Save As and delegate certain users to modify your particular directory, have them work with their files in their own home directory, or use a good backup strategy. I know of no other way around it...

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
seems wacky to me that write and modify are 2 different things.

What does the write permission allow? - I guess it lets you open a file and make changes to it - but then you can't save those changes unless you were given modify and write permissions.

Call me crazy but this seems weak to me.
 
The permissions that are discussed in this thread seem to only affect MS Office. If you use Wordpad, the save process works fine. I would be very interested in finding a solution that would work under the Office applications.
 
Interesting that you say that - since I just now discovered that my DOS application - the data of which is in a different folder with no modifications allowed - seems to be operating just fine.

From the error messages it seems that when office makes the save it does a rename as part of it.
 
When you are working on an Office document, it creates a temp copy that is hidden. For example when I open a doc titled Migration Plan for NAS.doc, it created ~$gration Plan for NAS.doc that is hidden. Apparently, and I'm guessing, when you save the changes, it overwrites the existing one with the temp and gives it the same name. Which is denied by having delete denied.

Write allows you to write a new document. Modify allows you to modify an existing one. If you want users to modify existing docs, then they must have this permission.

What I have usually done, is create a template. That will not have modify. Then when users need to create something, they can use the template and do a save as to their own working directory, where they have full control.

Can you outline more of what your goals with this are? Maybe we can come up with a work-around....



Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
Another concise answer from Matt - much appreciated!

The goal is to prevent someone who has and needs access from deleting multiple files.

For example: I have 30 or so spreadsheets that are used by 10 or so people in the office - and they all have to have the ability to make changes and save those changes.

My concern is that by accident or on purpose (read malicious)- someone with access could delete any or all of these files and I would have to go to a backup - thereby losing whatever work had been done since the last bak.

I guess I need a better than daily backup strategy.

 
Yup.

Another alternative might be to look at migrating these spreadsheets into a DB, such as access. That way you could have the source data somewhere secure on a server, & only give the users an application front-end. That way they can never delete the db, at worst records. If you then implemented Access security you could stop that as well...

James Goodman MCP
 
Mattwray, What I am trying to accomplish in a High School environment is to have a location with teachers' folders in it, and give everyone the ability to save (drop) a file there. I have given the teacher and administrators the ability to delete their own folder, but Students can't drop any files in unless the delete permission is checked (IE: dropbox). Ideally, I would also like to keep students from opening or copying any of these files. Any ideas?
 
If you create a Teachers group & a Students group. Then give the Teachers group all of the permissions you require, & only give the students group the write permission. This way they should be able to save a file to this location, but they will not be able to view/open it etc...

James Goodman MCP
 
You need to give them List folder contents as well. They will not be able to do a straight save as to the directory, but if they save to their home directory first, they will be able to copy the file over. And they will not be able to copy it back or open it once inside...

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
Mattwray, Great advice! The only part that isn't 100% is that anybody can open the file that has been placed in the folder, and save it as another name. (plagiarism).

 
It was suggested above that it is good practice "to set Everyone to Full in Sharing and use the NTFS as they are much better and if you use both it is easy to create conflicts and troubles".
What I was wondering is what if a client using Win98, or something other than an NTFS OS connects to the server? Will that user still be restricted to the settings in the NTFS settings (Security tab), or will they have full access because you put "Everyone" to full access in sharing?
 
The permission issue can be divided down to a much finer level than anyone has stated yet. The share tab can be used to also filter access, but usually this just creates many more headaches for you, so unless you have some very tight issues, leave the share at full control for Authenticated Users (not everyone, as this also includes guest accounts which may not need passwords, etc.).

Use the security tab to set what you want. Open Explorer, right click on the directory in question, select properties, and add the group you want to have access to the list. Next, select the group, and click on advanced tab to open another window. Here select the group again and select view/edit, which will allow you to specifically remove the ability to delete subfolders, files and/or just remove the delete capability FOR THAT SPECIFIC GROUP!

I recommend the use of different groups for the students and teachers, and you can also fully control the directory to allow only a specific teacher, for example, to delete anything from this folder.

Have fun.

David
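
The procedure in the post above can also be scripted and then audited. The following PowerShell is an added example, not part of the original thread; the folder path and group name are hypothetical placeholders, and it uses the standard Get-Acl/Set-Acl cmdlets with the .NET FileSystemAccessRule class.

```powershell
# Added example. $Path and $Group are hypothetical placeholders.
$Path  = 'D:\Shares\Spreadsheets'
$Group = 'EXAMPLE\OfficeStaff'

# "Read & Execute" plus "Write", without Delete. Granting Modify would add
# Delete back. As the thread found, programs that save by renaming a temp
# file over the original (MS Office) fail under this ACE.
$ruleArgs = $Group,
            'ReadAndExecute, Write',
            'ContainerInherit, ObjectInherit',   # this folder, subfolders and files
            'None',
            'Allow'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs

$acl = Get-Acl -LiteralPath $Path
$acl.SetAccessRule($rule)    # replaces the group's existing explicit Allow ACEs
Set-Acl -LiteralPath $Path -AclObject $acl

# Allow ACEs are cumulative: if any other ACE (often an inherited one) grants
# delete to a group the user also belongs to, the user can still delete.
# A file can be deleted with Delete on the file OR DeleteSubdirectoriesAndFiles
# on its parent folder, so check both, plus GENERIC_ALL (0x10000000), which
# inherit-only ACEs may carry instead of the specific bits.
$deleteMask = ([int][System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles') -bor 0x10000000

(Get-Acl -LiteralPath $Path).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   (([int]$_.FileSystemRights) -band $deleteMask) } |
    Select-Object IdentityReference, FileSystemRights, IsInherited, InheritanceFlags
```

Any row the audit prints for a group that ordinary users belong to means the no-delete ACE is not yet effective for them.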
 