  1. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,056

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #1

    NTFS permissions help

    Okay. We need employees to be able to save a text file to the folder,
    but they cannot change or edit or modify the document.

    What the heck NTFS permission is this? I have tried tons of stuff; nothing is right. Has anyone experienced this kind of permission?

  3. Senior Member
    Join Date
    Dec 2008
    Location
    Denver
    Posts
    1,882

    Certifications
    CCNA:Security,BCNE,Exchange 2007, ITIL
    #2
    You can set permissions on individual files. Set the file they are able to modify appropriately and set the other one likewise. You are probably running into inherited permissions which is granting or denying rights from the parent folder down. Too much to explain in one post if you are unfamiliar with inheritance.

  4. Member
    Join Date
    Oct 2010
    Posts
    74
    #3
    Are they going to need to have to open the file again? You could just give them only write permission to the folder. Then they could write files to the folder, but they won't be able to open the folder and view anything inside of it. Sounds like that would satisfy not being able to "change or edit or modify the document" but obviously won't be enough if they need to be able to view them again. Just $0.02

  5. Nidhoggr, the Net Serpent Claymoore's Avatar
    Join Date
    Nov 2007
    Location
    FL
    Posts
    1,622

    Certifications
    AWS Architect, MCSEx3, MCITPx6, MCTSx17
    #4
    This isn't possible with NTFS permissions alone. Even if you drill down past the file/folder permissions of Read and Modify to the special permissions, the Create File / Write Data rights are combined into one permission. As long as they can create a file, they can edit it.

    You will need some type of enterprise content management solution with check-in/check-out and workflow document approvals to really lock this down. If you are only trying to allow for rollback from unauthorized changes, you can use VSS snapshots or automatic version control in SharePoint.

    File and folder permissions
    Permissions for files and folders: User Rights; Security Policy; Security Services

  6. Self-Described Huguenot blargoe's Avatar
    Join Date
    Nov 2005
    Location
    NC
    Posts
    4,088

    Certifications
    VCAP5-DCA; VCP 3/4/5/6 (DCV); EMCSA:CLARiiON; Linux+; MCSE:M 2000/2003; MCSE:S 2000/2003; MCTS:Exch2007; Security+; A+; CCNA (expired)
    #5
    Quote Originally Posted by Claymoore View Post
    This isn't possible with NTFS permissions alone. Even if you drill down past the file/folder permissions of Read and Modify to the special permissions, the Create File / Write Data rights are combined into one permission. As long as they can create a file, they can edit it.

    You will need some type of enterprise content management solution with check-in/check-out and workflow document approvals to really lock this down. If you are only trying to allow for rollback from unauthorized changes, you can use VSS snapshots or automatic version control in SharePoint.

    File and folder permissions
    Permissions for files and folders: User Rights; Security Policy; Security Services
    As long as "Append Data" is not granted, the ability to edit the files once they are saved would be blocked... right? I'd think this could be accomplished with "Write" and "List Folder Contents".
    IT guy since 12/00

    Recent: 3/22/2017 - Passed Microsoft 70-412; 2/11/2017 - Completed VCP6-DCV (passed 2V0-621)
    Working on: MCSA 2012 upgrade from 2003 (to heck with 2008!!), more Linux, AWS Solution Architect (Associate)
    Thinking about: VCP6-CMA, MCSA 2016, Python, VCAP6-DCD (for completing VCIX)

  7. Senior Member Devilsbane's Avatar
    Join Date
    Apr 2010
    Posts
    4,203

    Certifications
    MCSE:Security, MCDST, A+, Network+, Security+, ITIL V3 Foundations, ITIL 2011 Intermediate: Service Transition, MOS 2007 (MCAS) BAS Computer Forensics
    #6
    It depends on how the user will be saving this text file.

    For my testing I gave myself Create Files / Write Data and List Folder / Read Data (and also completely removed any other access). This will allow me to make a new file in here, for example a .txt document, but I am unable to view anything in it when I open it. So it depends on how this file is being created.

    If it is output from a command line that is being saved via > file.txt you should be good to go. If people are designing these text files in Notepad, it will all work fine, but you will have one small problem. There will be a temporary file left (because the user isn't allowed to delete it).

    Try that and let me know if it accomplishes what you need

    Quote Originally Posted by Claymoore View Post
    As long as they can create a file, they can edit it.
    Not True, with my example I was able to make a file. If I opened the text file I got "access denied" and was given a blank notepad. If I tried to use the redirect to overwrite it, I also was given an access is denied error.
    Last edited by Devilsbane; 04-13-2011 at 09:24 PM.

  8. Member
    Join Date
    Nov 2010
    Location
    Washington St.
    Posts
    79

    Certifications
    CCNA:Sec, CCNA, CCENT, 70-680, CWTS, Security+, Project+, Network+, A+
    #7
    Quote Originally Posted by unnamedplayer View Post
    Are they going to need to have to open the file again? You could just give them only write permission to the folder. Then they could write files to the folder, but they won't be able to open the folder and view anything inside of it. Sounds like that would satisfy not being able to "change or edit or modify the document" but obviously won't be enough if they need to be able to view them again. Just $0.02
    Exactly what I was thinking. I create dropboxes (just a folder where students can turn in assignments) on a server for K-12 students at work. We have it set up where students only have write access to the "to teacher" folder.

    Example-

    >Dropbox (staff- R&E, List, Read) (students- R&E, List, Read)
    >>teacher1 (all inherited permissions) (teacher1- full control)
    >>>to students (all inherited permissions for staff, students and teacher1)
    >>>to teacher (We do not inherit permissions in this folder. We copy permissions and set the students group to write only.) This prevents most of the "I'm copying your assignment" fraud lazy students try.

    The Dropbox folder is the sharepoint on the server. (The network path looks something like \\students\dropbox\teacher1\to teacher) and the folder lives at S:\Dropbox on the server. I don't know if this is the best design, but it is simple to set up and easy for everyone to understand.

  9. Self-Described Huguenot blargoe's Avatar
    Join Date
    Nov 2005
    Location
    NC
    Posts
    4,088

    Certifications
    VCAP5-DCA; VCP 3/4/5/6 (DCV); EMCSA:CLARiiON; Linux+; MCSE:M 2000/2003; MCSE:S 2000/2003; MCTS:Exch2007; Security+; A+; CCNA (expired)
    #8
    Quote Originally Posted by Devilsbane View Post

    Quote Originally Posted by claymoore
    As long as they can create a file, they can edit it.
    Not True, with my example I was able to make a file. If I opened the text file I got "access denied" and was given a blank notepad. If I tried to use the redirect to overwrite it, I also was given an access is denied error.
    As long as "Creator Owner" modify permission is revoked... I don't remember what the default is for that for the different versions of Windows, but you'd want to take that away if it's there.
    IT guy since 12/00

    Recent: 3/22/2017 - Passed Microsoft 70-412; 2/11/2017 - Completed VCP6-DCV (passed 2V0-621)
    Working on: MCSA 2012 upgrade from 2003 (to heck with 2008!!), more Linux, AWS Solution Architect (Associate)
    Thinking about: VCP6-CMA, MCSA 2016, Python, VCAP6-DCD (for completing VCIX)

  10. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,056

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #9
    This is exactly what they do. They go to a website and then download the .txt files. They then save them to a specific folder that they create, but they do not want to be able to modify these specific text files, only read them. But they have to be able to save these text files the first time they download, and they need to be able to rename them, but later on not be able to change the data in the file. How hard is that without bugging me each time they save the files? Can NTFS even do that?

  11. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,056

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #10

    Permissions finally work. This is how

    I asked you guys how I could save a file to a folder and name it what I want, but any subsequent changing of data in the file is not allowed.

    I did it by (it works) changing the permissions to:

    Perm on the group:
    read
    special
    -List Folder (4 checkmarks down) to Create/Write data (stop).
    Read checked
    Deny (another special window was created when I checked this)-Write Attributes

    Works great.
    Reply With Quote Quote  
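
    Added example, not code from any poster in this thread: a PowerShell version of the folder setup tested in post #6, with the Creator Owner cleanup from post #8 and read-back on saved files as asked for in post #9. The path, the group name and the helper New-AllowAce are placeholders or hypothetical names, and the OWNER RIGHTS entry goes beyond what the thread tested.

```powershell
# Added example, not from the thread. $Path and $Group are placeholders;
# run from an elevated prompt against a test folder first.
$Path  = 'C:\Test\DropFolder'
$Group = 'EXAMPLE\DropUsers'

function New-AllowAce {          # hypothetical helper: builds one Allow ACE
    param($Who,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit,
          [System.Security.AccessControl.PropagationFlags]$Propagate)
    $ctorArgs = @($Who, $Rights, $Inherit, $Propagate,
                  [System.Security.AccessControl.AccessControlType]::Allow)
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs
}

# Well-known SIDs, used instead of names so the script is not locale dependent.
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # Administrators
$system = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # SYSTEM
$owner  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-4'       # OWNER RIGHTS

New-Item -ItemType Directory -Path $Path -Force | Out-Null
$acl = Get-Acl -Path $Path

# Block inheritance and drop every existing ACE, including any CREATOR OWNER
# entry (post #8), so only the rules added below apply.
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

# Keep administrative access on the folder and everything below it.
$acl.AddAccessRule((New-AllowAce $admins 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
$acl.AddAccessRule((New-AllowAce $system 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))

# Post #6: Create Files / Write Data + List Folder / Read Data, applied to
# "This folder only" so the write bit is never inherited by the saved files.
$acl.AddAccessRule((New-AllowAce $Group 'CreateFiles, ListDirectory' 'None' 'None'))

# "Files only": read access so saved files can be opened again (post #9).
$acl.AddAccessRule((New-AllowAce $Group 'Read' 'ObjectInherit' 'InheritOnly'))

# Beyond the thread: the user who saves a file becomes its owner, and an owner
# can normally rewrite the file's permissions. An OWNER RIGHTS ACE limits the
# owner to the rights listed here (Windows Vista / Server 2008 and later).
$acl.AddAccessRule((New-AllowAce $owner 'Read' 'ObjectInherit' 'InheritOnly'))

Set-Acl -Path $Path -AclObject $acl

# Review the result: no CREATOR OWNER entry, nothing marked as inherited.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited -AutoSize
```

    This ACL grants the group neither delete nor rename on saved files, so it does not cover the rename requirement from post #9.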
