NTFS Files & Folder Permissions driving me crazy

I passed 70-270 but NTFS permissions still drive me crazy. Am I not suppost to know this stuff? I looked at technet, bit the info given is all in Windows Help as well.

Basically say I have a share on a Windows 2003 Server.

Users must be able to:

1.) Create new Files & Folders in the share.
2.) Rename files & Folders in the share.
3.) Edit / Append Data to Files.
4.) Not be able to Delete Folders / Files.
5.) Not be able to drag n drop Files & Folders to a different place in the share.

How do I get this working without giving users delete permission. I find that if they dont have delete permission, then they cant rename files / folders.

Find more posts tagged with

SAVE $250 on Your Microsoft Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Microsoft Boot Camps

Comments

bigredfighter

Im sorry if im wrong bcos im only studying for my 70-290 now but why not just give single write permissions.

nazzeem

bigredfighter wrote:

Im sorry if im wrong bcos im only studying for my 70-290 now but why not just give single write permissions.

By doing this then they cannot rename files and folders. But it will stop them from deleting files & folders.

pryde7

It takes two to work the trick!!! NTFS and Share permissions. Make sure you understand both and how u can combine both to obtain a desired permission.

Note that share permissions have no local significance, only when users connect to the share through the network.

You apply both permissions and then take a look at the effective permission of that share. It's much easier if you use groups rather than individual users.

nazzeem

pryde7 wrote:

It takes two to work the trick!!! NTFS and Share permissions. Make sure you understand both and how u can combine both to obtain a desired permission.

Note that share permissions have no local significance, only when users connect to the share through the network.

You apply both permissions and then take a look at the effective permission of that share. It's much easier if you use groups rather than individual users.

Thanks wil give that a try.

Claymoore

Click on the Advanced button beneath the permissions window on the security tab. This will give you far more granular control of the permissions than the Modify or Write NTFS permissions. Select a group and then press the Edit button - now you can set the permissions you want. For example, you can enable a group to Create Files / Write Data and Create Folders / Append Data but not grant them permissions to Delete Subfolders and Files. Play around with the permissions to get an idea how they work together.

Just remember -
NTFS permissions are additive
Explicitly defined permissions trump inherited permissions.
'Deny' trumps all
When you add Share and NTFS permissions, the most restrictive is used.