3

I am setting up a set of scan folders from a scanning copier device, and would like to know the best way to protect the folders (for each department) from moving or deletion, but yet still allow access for the users to modify (i.e. create/add/delete) the scanned files within the folder.

Structure is: Share Name > Departmental Folder > User files

The writing of the files initially is taken care of by a service account which has full control. We'd just like to ensure the users cannot accidentally delete the folder (which has already happened) containing all the files, etc.

This is for a Windows 2003 server, NTFS permissions.

Suggestions would be most appreciated.

thinkdreams
  • I just want to add the following information for the sake of completeness, as it wasn't pointed out explicitly and we don't know the current state of your configuration: For your aim, it is advisable to create per-department user groups and add the department users to their respective groups. Then you simply have to add the department user group in the advanced security permissions settings and configure it according to Shaji's guideline. – deploymonkey May 17 '10 at 21:06

2 Answers

6

This can be done by modifying the advanced security permissions of the folder and making sure that the users do not have the "Delete Subfolders and Files" and "Delete" permissions. The following rights should work:

  • Traverse Folder/Execute File
  • List Folder/Read Data
  • Read Attributes
  • Read Extended Attributes
  • Create Files/Write Data
  • Create Folders/Append Data
  • Write Attributes
  • Write Extended Attributes
  • Read Permissions

Here is a useful article: http://www.windowsecurity.com/articles/Understanding-Windows-NTFS-Permissions.html

Sharjeel Aziz
3

I managed to resolve this by adding every domain account twice into the shared folder. One without delete permissions applied to the folders and subfolders, and one with delete permissions applied only to files!
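
The two-entry layout described in the answers above, written out as an added PowerShell example (not code from either poster), using a per-department group as the comment suggests. The folder path, group name and service account name are hypothetical placeholders, and PowerShell is assumed to be installed on the server.

```powershell
# Added example. Path, group and account names are hypothetical placeholders.
$Folder  = 'D:\Scans\Accounting'        # departmental scan folder
$Group   = 'CONTOSO\Accounting-Scan'    # per-department user group
$Service = 'CONTOSO\svc-scanner'        # copier service account

function New-Rule([string]$Who, [string]$Rights, [string]$Inherit, [string]$Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Who, $Rights, $Inherit, $Propagate, 'Allow')
}

$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited entries
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Group)

# Entry 1, this folder and subfolders: the rights listed in the first answer.
# No Delete and no DeleteSubdirectoriesAndFiles on the folder objects.
$folderRights = 'ReadAndExecute, CreateFiles, AppendData, WriteAttributes, WriteExtendedAttributes'
$acl.AddAccessRule((New-Rule $Group $folderRights 'ContainerInherit' 'None'))

# Entry 2, files only: Modify includes Delete, so users can still remove scans.
$acl.AddAccessRule((New-Rule $Group 'Modify' 'ObjectInherit' 'InheritOnly'))

# The service account and administrators keep full control.
foreach ($who in $Service, 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Rule $who 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
}
Set-Acl -Path $Folder -AclObject $acl

# Check: list every Allow entry that applies to the folder object itself and
# carries any of the given rights.
function Get-DeleteGrant([string]$Path, [string]$Rights) {
    $mask = [int][System.Security.AccessControl.FileSystemRights]$Rights
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        -not ([int]$_.PropagationFlags -band $inheritOnly) -and
        ([int]$_.FileSystemRights -band $mask)
    } | Select-Object IdentityReference, FileSystemRights
}

# Expect only the service account and Administrators in this output.
Get-DeleteGrant $Folder 'Delete, DeleteSubdirectoriesAndFiles'
# DeleteSubdirectoriesAndFiles on the parent also permits removing the folder.
Get-DeleteGrant (Split-Path $Folder -Parent) 'DeleteSubdirectoriesAndFiles'
```

Any user or user-group entry returned by the second check on the share root needs the same treatment there, since that right on the parent overrides the missing Delete right on the departmental folder.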