0

I am trying to make it so non-administrator users cannot delete files on network shares. I've set up my NTFS permissions to do this and all seems to be working, except when a user goes to save a new file onto the shared drive it throws an error stating they do not have permission to do this, but it looks like the file still saves. I still want them to be able to create new files, just not delete files, since a lot of them are standard forms that they edit for clients and save as new files specifically for them. Is there a better way of doing this? Or maybe some other permission I am missing to have this work properly?

burntehsky

3 Answers

3

I think you are playing with fire on this. Messing with the NTFS permissions to this level is going to create a management nightmare for you and future admins. The solution isn't scalable and will likely just cause more issues than fixes.

Instead, I suggest you make sure you have a good backup system in place and utilize the Volume Shadow Copies (VSS Snapshots) feature to cover accidental deletions/modifications between backups.

Additionally, I would enable File Level Auditing so that if someone does delete something they shouldn't, you can find exactly who, and when.

This is all of course on top of the issues that @longneck points out.

HostBits
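One way to set up the file-level auditing suggested in the answer above and then find who deleted what, as an added example that is not part of the original answer. The share path `D:\Shares\Forms` is an assumed placeholder, and the commands are meant to be run in an elevated PowerShell session on the file server.

```powershell
# Assumed local path of the shared folder on the file server (placeholder).
$SharePath = 'D:\Shares\Forms'

# 1. Enable the "File System" object-access audit subcategory (success events).
auditpol /set /subcategory:"File System" /success:enable

# 2. Add a SACL entry that audits successful deletes by anyone,
#    inherited by all subfolders and files under the share root.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

$acl = Get-Acl -Path $SharePath -Audit   # -Audit also loads the existing SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Later: list who used DELETE access on objects under the share.
#    Event 4663 = "An attempt was made to access an object".
#    AccessMask bit 0x10000 is DELETE; renames and moves use it too,
#    so "save by replace" patterns show up here as well.
$DeleteBit = 0x10000
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5000 |
    ForEach-Object {
        # Flatten the event's named data fields into a hashtable.
        $fields = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $fields[$node.Name] = $node.'#text'
        }
        $mask = [Convert]::ToInt32($fields.AccessMask, 16)
        if ($fields.ObjectName -like "$SharePath\*" -and ($mask -band $DeleteBit)) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = '{0}\{1}' -f $fields.SubjectDomainName, $fields.SubjectUserName
                File    = $fields.ObjectName
                Process = $fields.ProcessName
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

If the audit policy is managed through Group Policy, the `auditpol` setting in step 1 will be overwritten at the next policy refresh and should be configured in the GPO instead.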
2

Give them "Modify" for the folder but read-only for the files. This way they're able to save files into the directory but not delete them afterward. This does have a side effect of making them uneditable, but you'd want that too. After all, someone could just blank the file or make subtle changes to make them unreliable.

Nathan C
2

The problem you are going to run into is that many programs handle saving by using "write to a new file, delete the old one, rename the new file to the old name" behavior. Denying delete access will prevent these kinds of applications from successfully saving.

longneck