Re: Allow saves and reads but not edits
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/29/05
- Next message: Roger Abell: "Re: Allowing user access to one single file in a folder."
- Previous message: David Cross [MS]: "Re: Uninstalling and reinstalling the Certificate Authority on Win2K"
- In reply to: Brian: "Allow saves and reads but not edits"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 29 Mar 2005 01:14:56 -0700
To what was the ACE applied where you have in advanced
view set Create files/Write data ?
Suppose you have a new folder, and on it there are two
ACEs. One granting Adminstrators Full control and the
other granting Users Full control.
If in the generic rights view you were to highlight the Users
ACE and then uncheck all except List folder content and
also Read, then when you leave the generic view and go to
the detail view by clicking Advanced you will see for Users
that there are two ACEs. One is set for This folder, subfolders
and files and it grants Read. The other is set for This folder
and subfolders and it grants Read & Execute.
Highlight this second one that does not apply to files, and
then click on Edit.
In this edit view of the ACE check Create files / write data
and apply the change so that the Read & Execute ACE is now
shown as a Special grant
Now, one more thing is needed, as a concession to the use of
temporary files, and this does weaken the result from what you
have specified as needed.
In the generic view add a new ACE for Creator Owner, and
uncheck all grants except for Write. Then, switch to the Advanced
view, highlight this new ACE and edit it to remove all grants
except for Delete (not Delete subfolders and files, just Delete).
In the Applies to dropbox set this to Subfolders and files.
So, you end up with a new ACE granting to Creator Owner
Delete which applies to Subfolders and files
You should now have almost just what you were after, except
that the individual that first dropped a given file into the folder
will be able to delete it. Others will not, but the initial contributor
will have this ability. This weakening is needed in order to allow
that account to delete temp files that are made in the directory in
the process of the initial save.
-- Roger Abell Microsoft MVP (Windows Security) MCSE (W2k3,W2k,Nt4) MCDBA "Brian" <Brian@discussions.microsoft.com> wrote in message news:A130BDFD-B6D4-4F17-BE77-1DFB8490B108@microsoft.com... > Dumb question but I can't make this work the way we desire. Shared folder on > W2k DC. On a particulur folder we want to allow users to read files, but not > to be able to edit those files directly on shared dive andstill be able to > save new files to that shared folder. I have allowed permissions for Read, > List contents, Read & Exe. In advanced permissions I have allows Tranverse > folder/Exe, List folder/Read data, Read Attributes, Read Extended Att., > Create files/Write data. I apply and OK yet folder is listed as read only > and behaves as if it is read only. It never allows to save a file to it. > What am I missing here? I want to allow new files to be saved to this > folder, just not changes to already existing ones. Thanks
- Next message: Roger Abell: "Re: Allowing user access to one single file in a folder."
- Previous message: David Cross [MS]: "Re: Uninstalling and reinstalling the Certificate Authority on Win2K"
- In reply to: Brian: "Allow saves and reads but not edits"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
