NTFS Security - a rock and a hard place

coughtryb

Public school - individual student accounts through AD - we have 'common' folders available for multiple students to save and have access to group work.

We want students to be able to Write but NOT Delete files in this folder. But many applications like MS Publisher save in two steps: creating a file, then overwriting the file with content. This requires at least MODIFY rights, which includes DELETE rights as well.

Is there a way to get these files to save without giving students destructive abilities as well? Any insight would be great.

Thanks again friends,
Ben
 

stash

Should be able to do this...on the security tab, click advanced, then edit the ACE entry you want. You'll see a much longer list of permissions and a drop down menu for "apply onto"

You can remove the delete permission from here.
 

coughtryb

Thanks for the response! Unfortunately I've tried this one and get the same results. I think the difference between WRITE and MODIFY is the Delete option. As soon as you uncheck Delete on the details screen and return to the broad security settings it changes back to WRITE.

Anything else?
 

stash

That's because the permissions on the security tab (modify, read & execute, read, write, etc) are actually groups of more specific permissions. The Write group contains both modify and delete. If you remove delete from the advanced editor and go back to the main security tab, write will be checked, yes. But if you go back into advanced, you should still see that delete is not checked.
 

Genx87

Go to the advanced tab and you can set permissions more granularly. For example, allow write or append data but not delete.

 

coughtryb

Originally posted by: stash
That's because the permissions on the security tab (modify, read & execute, read, write, etc) are actually groups of more specific permissions. The Write group contains both modify and delete. If you remove delete from the advanced editor and go back to the main security tab, write will be checked, yes. But if you go back into advanced, you should still see that delete is not checked.

Correct, I think we're saying the same thing. The problem is a user with such rights will not be able to save a new Publisher or PowerPoint document because of how those applications save. It will create a new file of size 0k and then error out "file already exists...overwrite?" but the user won't be able to..."access denied - read only." This is what happens when I assign users MODIFY rights but uncheck Delete from the advanced tab.
 

stash

Ah I see. The app is probably doing a delete to remove the existing file and then it writes the new file with the same name. Not much you can do there.

Delete is typically considered a modify operation anyway, so generally if you trust a person enough to modify a file, you are implicitly trusting them to have the ability to delete it.
 

Nothinman

If they really want to mess with the file they can simply open it, delete the contents and save it again.
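The ACE discussed in this thread (Modify with Delete unchecked in the advanced editor), scripted as an added example that is not from any of the posters. The folder path, group name and the function name `Set-WriteNoDeleteAce` are hypothetical placeholders.

```powershell
# Added example: give a group "Modify minus Delete" on a shared folder and
# report which of the group's ACEs can still delete.
# The default path and group below are hypothetical; substitute your own.
function Set-WriteNoDeleteAce {
    param(
        [string]$Path  = 'D:\Shares\Common',   # hypothetical shared folder
        [string]$Group = 'SCHOOL\Students'     # hypothetical AD group
    )
    $fsr = [System.Security.AccessControl.FileSystemRights]

    # The basic "Modify" checkbox is ReadAndExecute + Write + Delete.
    # Building the mask from the first two leaves the Delete bit clear.
    $rights = $fsr::ReadAndExecute -bor $fsr::Write

    # Apply to this folder, subfolders and files (the "apply onto" drop-down).
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, $rights, $inherit, $propagate, 'Allow')

    $acl = Get-Acl -LiteralPath $Path
    # SetAccessRule replaces the group's existing explicit Allow ACEs, so an
    # older explicit Modify grant does not keep Delete alive. ACEs inherited
    # from a parent folder are not touched by this call.
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Delete on the item, or "Delete subfolders and files" on its parent,
    # is enough to remove a file, so check both bits.
    $deleteBits = $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles

    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group } |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited,
            @{ Name = 'CanDelete'
               Expression = { ([int]($_.FileSystemRights -band $deleteBits)) -ne 0 } }
}

# Run from an elevated session against a test folder first:
# Set-WriteNoDeleteAce -Path 'D:\Shares\Common' -Group 'SCHOOL\Students'
```

Any row reported with `IsInherited` true and `CanDelete` true comes from a parent folder and has to be changed there. As reported in the thread, applications that save in two steps may fail with "access denied" under this ACE.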