Folder security in Windows

Robor

We have a site that had someone accidentally delete a bunch of folders/files from a network share. Luckily they didn't lose that much because of a backup but they would like to prevent this from happening in the future. The folders/files deleted were set to full control for the individual. The site asked if we could restrict the folders so they can read, create, and modify the files but not allow deletion of the folders/files. I know there's nothing stopping them from blanking a file and saving it. This wasn't malicious - it was a mistake.

I played around with the security settings and from what I see there's no way to allow a user to modify a file without giving them the ability to delete as well. Also, if I do restrict a folder to prevent deletes, if someone opens a Word doc it creates a temporary "~filename.doc" file that is not removed when the document is closed. This could make for a lot of clutter.

Any suggestions? If Windows can't do this is there a 3rd party utility that might help?
 

ITJunkie

Read, write, execute permissions will give them editing power but not allow them to delete...I believe.
 

Robor

Thanks for all the replies! I really wish this site would just get a tape backup solution with 31 tapes so we could revert back a month if necessary.

I'll look into that Replikator program - thanks!

I tried Read, Write, and Execute. That didn't allow them to save an existing file with a different name or even create a new folder.

Setting Delete in the advanced security section to Deny results in the "Modify" setting in the main section being turned off, resulting in the same situation as above. Unless I'm doing something wrong, you can't have delete set to deny and modify allowed at the same time.
 

Joemonkey

Create a special group that ONLY has deny checked for the two delete options.

Give the account full control, then add it to the group.
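
The deny-group approach in the post above, scripted as an added example that is not part of the original thread: it puts a Deny entry for the two delete rights ("Delete" and "Delete Subfolders and Files") on the share folder for one group. The path and group name are hypothetical placeholders, and the group is assumed to exist already with the affected users as members.

```powershell
# Added example, not from the thread. $SharePath and $DenyGroup are
# hypothetical placeholders; substitute the real folder and group.
param(
    [string]$SharePath = 'D:\Shares\Projects',
    [string]$DenyGroup = 'EXAMPLE\NoDelete-Projects'
)

# The two delete rights from the Advanced Security dialog.
$rights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'

# Apply to this folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$denyRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $DenyGroup, $rights, $inherit, $propagate,
    [System.Security.AccessControl.AccessControlType]::Deny
)

# Add the Deny entry next to the existing Allow entries. Deny entries are
# evaluated before Allow entries, so members keep their other rights from
# Full Control but lose the two delete rights.
$acl = Get-Acl -Path $SharePath
$acl.AddAccessRule($denyRule)
Set-Acl -Path $SharePath -AclObject $acl

# Show the Deny entries now on the folder to confirm the change.
(Get-Acl -Path $SharePath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
```

Renaming a file also requires the Delete right, so applications that save through a temporary file, such as the Word behaviour described earlier in the thread, should be tested against the folder before the group is rolled out.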
 

mechBgon

In the event that they happened to have McAfee VirusScan Enterprise 8.0i, you can make a custom Access Protection policy that will do the job. Start > Run > Programs > Network Associates > VirusScan Console. Now right-click Access Protection and go to the File, Share and Folder Protections tab, and make a new rule. You might make a rule that remote processes cannot delete *.* from Folder Such-And-Such.

/ long shot
 

Robor

Thanks, Joemonkey - I'll give that a try! :D

Mech... They're using SAV 10.0.1 right now but thanks for offering the suggestion.