Locking down Top Level Folders
From: Dave Morschhauser (someone_at_microsoft.com)
Date: 09/02/05
Date: Fri, 2 Sep 2005 12:11:16 -0400
Hi --

OS: Win2K3
Clients: Win98, Win2K, WinXP

Running Active Domain - all users members of Domain Users, as well as a
couple of organizational User Groups.

Does anyone have a solution to be able to lock down top level folders in a
share for a group of users while maintaining modify control over all the
files and folders under them?

I am trying to solve what I call "Fumble Fingering", where users
inadvertently move one top level folder into another one (usually done while
attempting a legitimate drag and drop and they let their finger bounce on
the right mouse button, thus the name). This causes a lot of anxiety at
times as usually the user doesn't know what folder they moved the other
folder into (if they even realize they moved the folder at all), and the
folder in question just seems to disappear. Unfortunately, there are more
top level folders than there are organizational groups, so it is impractical
to assign group permissions for each folder - I would only end up with users
in multiple groups, and they would still be able to mess things up.

I tried creating a DenyTLFolders group with deny { Delete Subfolders and
Files, Delete}, and putting all the users into it, but all I succeeded in
doing was to prevent the deletion of the top level folder itself. If a user
moves folder A so protected into folder B with the same protections, a new
subfolder A is created in B with all the contents of A. The original A
folder is empty, and the user gets a message that they can not delete A.
Makes sense logically if you break the actions up atomically as the OS
allows all the actions that are permissible, but only balks on the final
deletion of the folder.

Does anyone know how to set a flag that says "if you try and do a task that
includes this object, but you don't have permission to do it to this object,
do not do any part of the task"?

TIA

Dave Morschhauser