Windows Vista Forums

NTFS Permissions - How to?
  1. #1


    Jeff Guest

    NTFS Permissions - How to?

    Our users map to a share.

    Inside this share are 3 folders. Each of these three folders has one or more
    subfolders.

    My users must be able to open, modify, create new folders and rename folders
    and files (within these 3 folders), but not delete or move them. Can this be
    done?

    I've done a bit of searching to accomplish this, however I am stuck.



    All users are in a group called "test." I restricted the permissions to
    Modify, Read & Execute, List Folder Contents and Read & Write. (I don't want
    users saving files to the root of the share.)

    I then removed inheritance from the 3 folders I want the users to be able to
    work in.

    Our problem is users are accidentally moving/deleting these folders.

    When I give special permission to Deny Delete and Delete files and
    subfolders, users are not able to create new folders or rename.

    HELP!!




  2. #2


    DaveMills Guest

    Re: NTFS Permissions - How to?

    On Tue, 30 Mar 2010 10:00:16 -0700, Jeff <Jeff@newsgroup> wrote:

    >Our users map to a share.
    >
    >Inside this share is 3 folders. Each of these three folders have one or more
    >subfolders.
    >
    >My users must be able to open, modify create new folders and rename folders
    >and files, (within these 3 folders) but not delete or move them. Can this be
    >done?
    Define "them": the folders they have created or the three you have made?

    If a user creates a folder he is the "owner" of that folder.
    Whoever "owns" a folder can change the permissions any way they want.
    Anyone who can change the permissions can delete the folder by changing the
    permissions.

    >
    >I've done a bit of searching to accomplish this, however I am stuck.
    >
    >All users are in a group called "test." I restricted the permissions to
    >Modify, Read & Execute, List Folder Contents and Read & Write. (I don't want
    >users saving files to the root of the share.)

    >
    >I then removed inheritance from the 3 folders I want the users to be able to
    >work in.
    >
    >Our problem is users are accidentally moving/deleting these folders.
    >
    >When I give special permission to Deny Delete and Delete files and
    >subfolders, users are not able to create new folders or rename.
    >
    >HELP!!
    >
    Try this for size. It creates a top-level folder you type in, then three
    subfolders with permissions for the AllStaff and Users groups as described in
    the comments. Obviously this is for my own domain, but you should get the idea.
    icacls is in W2008 (and W2003 R2).

    The key is allowing different permissions for a folder to those that are granted
    to the same group for subfolders and files.

    ---------------------
    @ECHO OFF
    ECHO.
    ECHO.

    REM Started from a UNC path, cmd falls back to the Windows directory
    IF /I "%CD%" == "%windir%" GOTO NOMAP

    REM %~1 strips surrounding quotes so an argument like "My Folder" works
    SET "MyDir=%~1"
    IF /I "%MyDir%" == "/?" GOTO Help
    IF /I "%MyDir%" == "" SET /P MyDir=Directory to set permissions for =
    IF /I "%MyDir%" == "" GOTO Help

    If EXIST "%MyDir%" GOTO RESETS
    ECHO Creating Folder "%MyDir%"
    MD "%MyDir%"
    GOTO SETPERM

    :RESETS
    ECHO Folder "%MyDir%" already exists/

    :SETPERM
    ECHO.
    ECHO Setting permissions and sub-folders in folder "%MyDir%"
    ECHO.

    REM Department level permission can be inherited as these will be correct

    REM Create the sub folder structure (or just reset the permissions)
    SETLOCAL
    CD "%MyDir%"

    SET SubFold="SharedWork"
    If EXIST %SubFold% GOTO SETP1
    MD %SubFold%
    :SETP1
    Rem These permissions allow all users including Students to have modify access
    Rem (OI)(CI)(IO)(M) = Modify, inherited by subfolders and files only
    Rem (OI)(CI)(W)     = Write on this folder, subfolders and files
    \\ad\storage\util\icacls %SubFold% /grant:r BUILTIN\Users:(OI)(CI)(IO)(M) BUILTIN\Users:(OI)(CI)(W)

    SET SubFold="StaffOnly"
    If EXIST %SubFold% GOTO SETP2
    MD %SubFold%
    :SETP2

    Rem These permissions allow all Staff to have modify access and Student no access
    cscript //NoLogo \\ad\storage\util\xcacls.vbs staffonly /I COPY /Q
    \\ad\storage\util\icacls %SubFold% /grant:r AD\AllStaff:(OI)(CI)(IO)(M) AD\AllStaff:(OI)(CI)(RX,W) /remove BUILTIN\Users

    SET SubFold="StudentResources"
    If EXIST %SubFold% GOTO SETP3
    MD %SubFold%
    :SETP3
    Rem These permissions allow all Staff to have modify access and Students to have read only access
    \\ad\storage\util\icacls %SubFold% /grant:r AD\AllStaff:(OI)(CI)(IO)(M) AD\AllStaff:(OI)(CI)(W)

    ECHO.
    ECHO.
    ECHO Folder setup completed. You must now setup quotas and usage reporting in FSRM
    pause
    GOTO :EOF


    :HELP
    ECHO.
    ECHO Argument 1 can be the name of the folder you wish to set up.
    ECHO If omitted it is prompted for.
    ECHO e.g. SetFolderPerms "My Folder"
    ECHO.
    ECHO.
    pause
    GOTO :EOF

    :NOMAP
    ECHO.
    ECHO Error You must run this command from a mapped drive not a UNC path
    pause
    -----------------------
    --
    Dave Mills
    There are 10 types of people, those that understand binary and those that don't.
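
The folder-versus-children point in the reply above, as an added example that is not part of the original posts: a small Python model of how the icacls inheritance flags decide where an ACE applies, run on the two ACEs granted on SharedWork (written in standard `Trustee:(flags)(rights)` form). It assumes allow ACEs and a subset of rights only; deny ACEs and Delete Child on the parent folder are not modelled.

```python
import re

# Simple icacls rights expanded to the specific rights that matter here
# (subset: DE = delete, DC = delete child, WD/AD = create files/folders).
SIMPLE = {
    "F":  {"RD", "X", "WD", "AD", "DE", "DC"},
    "M":  {"RD", "X", "WD", "AD", "DE"},
    "RX": {"RD", "X"},
    "R":  {"RD"},
    "W":  {"WD", "AD"},
}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP"}

def parse_ace(text):
    """Split 'TRUSTEE:(OI)(CI)(IO)(M)' into trustee, inheritance flags, rights."""
    trustee, _, rest = text.partition(":")
    groups = re.findall(r"\(([^)]*)\)", rest)
    flags = {g for g in groups if g in INHERIT_FLAGS}
    rights = set()
    for g in groups:
        if g not in INHERIT_FLAGS:
            for name in g.split(","):
                rights |= SIMPLE.get(name, {name})
    return trustee, flags, rights

def effective(aces, trustee):
    """Allow rights for trustee on the folder itself, its subfolders and its files."""
    out = {"folder": set(), "subfolders": set(), "files": set()}
    for text in aces:
        who, flags, rights = parse_ace(text)
        if who.lower() != trustee.lower():
            continue
        if "IO" not in flags:          # IO = inherit only: skips the folder itself
            out["folder"] |= rights
        if "CI" in flags:              # container inherit: child folders
            out["subfolders"] |= rights
        if "OI" in flags:              # object inherit: child files
            out["files"] |= rights
    return out

# Constructed input: the two ACEs granted on SharedWork in the script.
SHARED_WORK = [r"BUILTIN\Users:(OI)(CI)(IO)(M)", r"BUILTIN\Users:(OI)(CI)(W)"]

if __name__ == "__main__":
    for scope, rights in effective(SHARED_WORK, r"BUILTIN\Users").items():
        print(f"{scope:10} delete={'DE' in rights} create={'WD' in rights}")
```

On the folder itself the group ends up with create rights but no Delete, which is what stops it being deleted, moved or renamed, while everything created inside inherits Modify.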
