NTFS permissions help

okay. We need employees to be able to save a text file to the folder
but they cannot change or edit or modify the document.

what the heck NTFS permission is this? I have tried tons of stuff nothing is right? Has anyone experienced this kind of permission?

Find more posts tagged with

Comments

it_consultant

You can set permissions on individual files. Set the file they are able to modify appropriately and set the other one likewise. You are probably running into inherited permissions which is granting or denying rights from the parent folder down. Too much to explain in one post if you are unfamiliar with inheritance.

unnamedplayer

Are they going to need to have to open the file again? You could just give them only write permission to the folder. Then they could write files to the folder, but they won't be able to open the folder and view anything inside of it. Sounds like that would satisfy not being able to "change or edit or modify the document" but obviously won't be enough if they need to be able to view them again. Just $0.02

Claymoore

This isn't possible with NTFS permissions alone. Even if you drill down past the file/folder permissions of Read and Modify to the special permissions, the Create File / Write Data rights are combined into one permission. As long as they can create a file, they can edit it.

You will need some type of enterprise content management solution with check-in/check-out and workflow document approvals to really lock this down. If you are only trying to allow for rollback from unauthorized changes, you can use VSS snapshots or automatic version control in SharePoint.

File and folder permissions
Permissions for files and folders: User Rights; Security Policy; Security Services

blargoe

Claymoore wrote: »

This isn't possible with NTFS permissions alone. Even if you drill down past the file/folder permissions of Read and Modify to the special permissions, the Create File / Write Data rights are combined into one permission. As long as they can create a file, they can edit it.

You will need some type of enterprise content management solution with check-in/check-out and workflow document approvals to really lock this down. If you are only trying to allow for rollback from unauthorized changes, you can use VSS snapshots or automatic version control in SharePoint.

File and folder permissions
Permissions for files and folders: User Rights; Security Policy; Security Services

As long as "Append Data" is not granted, the ability to edit the files once they are saved would be blocked... right? I'd think this could be accomplished with "Write" and "List Folder Contents".

Devilsbane

It depends on how the user will be saving this text file.

For my testing I gave myself Create Files / Write Data and List Folder / Read Data. (and also completely remove any other access) This will allow me to make a new file in here, for example a .txt document but I am unable to view anything in it when I open it. So it depends on how this file is being created.

If it is output from a command line that is being saved via > file.txt you should be good to go. If people are designing these text files in notepad, it will all work fine, but you will have one small problem. There will be a temporary file left (because the user isn't allowed to delete it)

Try that and let me know if it accomplishes what you need

Claymoore wrote: »

As long as they can create a file, they can edit it.

Not True, with my example I was able to make a file. If I opened the text file I got "access denied" and was given a blank notepad. If I tried to use the redirect to overwrite it, I also was given an access is denied error.

phonetic.man

unnamedplayer wrote: »

Are they going to need to have to open the file again? You could just give them only write permission to the folder. Then they could write files to the folder, but they won't be able to open the folder and view anything inside of it. Sounds like that would satisfy not being able to "change or edit or modify the document" but obviously won't be enough if they need to be able to view them again. Just $0.02

Exactly what I was thinking. I create dropboxes (just a folder where students can turn in assignments) on a server for K-12 students at work. We have it setup where students only have write access to the "to teacher" folder.

Example-

>Dropbox (staff- R&E, List, Read) (students- R&E, List, Read)
>>teacher1 (all inherited permissions) (teacher1- full control)
>>>to students (all inherited permissions for staff, students and teacher1)
>>>to teacher (We do not inherit permissions in this folder. we copy permissions and set the students group to write only) this prevents most of the "I'm copying your assignment" fraud lazy students try.

The Dropbox folder is the sharepoint on the server. The network path looks something like \\students\dropbox\teacher1\to teacher) and the folder lives at S:\Dropbox on the server. I don't know if this is the best design but it is simple to setup and easy for everyone to understand.

blargoe

Devilsbane wrote: »

claymoore wrote:

As long as they can create a file, they can edit it.

Not True, with my example I was able to make a file. If I opened the text file I got "access denied" and was given a blank notepad. If I tried to use the redirect to overwrite it, I also was given an access is denied error.

As long as "Creator Owner" modify permission is revoked... I don't remember what the default is for that for the different versions of Windows, but you'd want to take that away if it's there.

itdaddy

this is what the exactly do. They go to a website and then download the .txt files. they then save them to a specific folder that they create but they do not want to be able to modify these specific text files only read them. but they have to be able to save these text files first time they download and they need to be able to rename them but later on not be able to change the data in the file ? how hard is that without bugging me each time they save the files. can ntfs even do that?

itdaddy

I ask you guys how I could save a file to a folder and name it what I want. But any subsequent changing data in the file is not allowed.

I did it by (it works) changing the permssions to:

Perm on the group:
read
special
-List Folder (4 checkmarks down) to Create/Write data (stop).
Read checked
Deny (another special window was created when I checked this)-Write Attributes

works great