Windows Server - allow write to child folder, deny write to parent

Asked By techstress

27-Jan-10 09:13 PM

is it possible to deny access to create files on the root of a drive

and still allow modify access to subfolders?

28-Jan-10 04:02 AM

Yes, no problem.

On the child folder, uncheck "Include inheritable permissions from this
object's parent" and adjust permissions as you like.

28-Jan-10 11:37 AM

The problem I am encountering is that we have a drive for user home
folders.  However, some users are saving files to the root of the
drive.  I'd like to deny access to any file saved to the root of the
drive, yet still allow the users to create & modify files to their
home folders.

I think the fix Dusko suggested would allow the user to set custom
permissions on their home folder.

28-Jan-10 01:28 PM

I think Dusko is right on the spot with this.

Have you tried what he suggested?

Also, do your users have admin rights? If not (and you do), then you can
set up security permissions for the folders and they should not be able to
change them ...

02-Feb-10 02:28 PM

o

The users do not have admin rights to the file server.

I think I would need to remove create files permission to the root of
the drive.  this would not allow the users to create files on the root
of the drive.

Then, I can try customizing security on their home folder to allow
full control.  This should allow full access to the user's home
folders.

02-Feb-10 12:02 PM

Yes, that should do it ... but, are you even trying to configure this or
are you just thinking about doing it?

Go ahead, make one 'dummy' user, set just his/hers permissions in the root
folder to deny Write and/or Modify rights, and then set whatever
permissions you like on the users home (sub)folder. Make sure you uncheck
'Inherit permissions from parent ...' like Dusko said you should.

Log in with that user and give it a try ... you cannot mess things up if you
set it up for just that user.

When you have tested it, and you are satisfied with the result, make the
changes for all other users and delete the 'dummy' user.

Then come back here and give us some feedback. If you need some more help,
we will try to help you, if not, we will know its working and other people can
use the same solution if they encounter a similar problem.

06-Feb-10 07:14 AM

Everything said by others on this thread is true but it is easier than that.

1) Create the folder for holding home folders. Lets call it "Home"
2) Set the permissions on this folder to allow those that should be able to see
all home folders. For example Administrators = F/C and "Help Desk" = Modify (or
read as you need). Do not add "Users", "everyone" etc.
3) Use ADUC to set a users home folder, e.g. map H: to \\server\Home$\%username%

ADUC will create the home folder and give the user F/C permissions. The
permissions in step 2) will inherit to the new home folder. The user will be
able to do everything to their own folder.
If the open \\server\home$ they will be able to do anything to their own home
folder but not to other user's home folders no create new files/folders in
Home$.

It you enable Access Based Enumeration then they will not even see any content
in \\server\home$ except their own home folder.

As an alternative you could change the permissions for the user from F/C to
Modify and they will no longer be able to alter the folder permissions. You
cannot stop them changing permissions on files/folders they create in their home
folder as they will be owners.

Normally they will use the mapped drive to access their home folder so will
never see \\server\home$. Having a $ on the share name hides it from the browser
so they will not easily stumble upon it either. It is visible as a path in the
My Computer listing of the mapped drive though so this is a feature to stop idle
browsing not a security feature.

--
Dave Mills
There are 10 types of people, those that understand binary and those that do not.