Re: Allow saves and reads but not edits
From: Brian (Brian_at_discussions.microsoft.com)
Date: 04/07/05
- Next message: Rich Sidella: "Missing event 538"
- Previous message: Chriss3 [MVP]: "Re: Windows 2003 Remove Schema Changes"
- Next in thread: Roger Abell: "Re: Allow saves and reads but not edits"
- Reply: Roger Abell: "Re: Allow saves and reads but not edits"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 6 Apr 2005 15:11:02 -0700
I tired this and it doesn't work. The part of already created files works,
you can read but not save as orginal. Users cannot new save files to the
drive. They get a disk is full error 5987 message, even though drive has 117
GB free. Anything else to try? Thanks
"Roger Abell" wrote:
> To what was the ACE applied where you have in advanced
> view set Create files/Write data ?
> Suppose you have a new folder, and on it there are two
> ACEs. One granting Adminstrators Full control and the
> other granting Users Full control.
> If in the generic rights view you were to highlight the Users
> ACE and then uncheck all except List folder content and
> also Read, then when you leave the generic view and go to
> the detail view by clicking Advanced you will see for Users
> that there are two ACEs. One is set for This folder, subfolders
> and files and it grants Read. The other is set for This folder
> and subfolders and it grants Read & Execute.
> Highlight this second one that does not apply to files, and
> then click on Edit.
> In this edit view of the ACE check Create files / write data
> and apply the change so that the Read & Execute ACE is now
> shown as a Special grant
> Now, one more thing is needed, as a concession to the use of
> temporary files, and this does weaken the result from what you
> have specified as needed.
> In the generic view add a new ACE for Creator Owner, and
> uncheck all grants except for Write. Then, switch to the Advanced
> view, highlight this new ACE and edit it to remove all grants
> except for Delete (not Delete subfolders and files, just Delete).
> In the Applies to dropbox set this to Subfolders and files.
> So, you end up with a new ACE granting to Creator Owner
> Delete which applies to Subfolders and files
>
> You should now have almost just what you were after, except
> that the individual that first dropped a given file into the folder
> will be able to delete it. Others will not, but the initial contributor
> will have this ability. This weakening is needed in order to allow
> that account to delete temp files that are made in the directory in
> the process of the initial save.
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Brian" <Brian@discussions.microsoft.com> wrote in message
> news:A130BDFD-B6D4-4F17-BE77-1DFB8490B108@microsoft.com...
> > Dumb question but I can't make this work the way we desire. Shared folder
> on
> > W2k DC. On a particulur folder we want to allow users to read files, but
> not
> > to be able to edit those files directly on shared dive andstill be able
> to
> > save new files to that shared folder. I have allowed permissions for
> Read,
> > List contents, Read & Exe. In advanced permissions I have allows
> Tranverse
> > folder/Exe, List folder/Read data, Read Attributes, Read Extended Att.,
> > Create files/Write data. I apply and OK yet folder is listed as read only
> > and behaves as if it is read only. It never allows to save a file to it.
> > What am I missing here? I want to allow new files to be saved to this
> > folder, just not changes to already existing ones. Thanks
>
>
>
- Next message: Rich Sidella: "Missing event 538"
- Previous message: Chriss3 [MVP]: "Re: Windows 2003 Remove Schema Changes"
- Next in thread: Roger Abell: "Re: Allow saves and reads but not edits"
- Reply: Roger Abell: "Re: Allow saves and reads but not edits"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
