Re: Allow saves and reads but not edits
From: Brian (Brian_at_discussions.microsoft.com)
Date: 04/11/05
- Next message: DevGD: "Domain Admin Access across Trusted domains"
- Previous message: Jim Matthews: "Can't assign "log on locally" right"
- In reply to: Roger Abell: "Re: Allow saves and reads but not edits"
- Next in thread: Roger Abell: "Re: Allow saves and reads but not edits"
- Reply: Roger Abell: "Re: Allow saves and reads but not edits"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 11 Apr 2005 12:33:03 -0700
Thanks. I added Creator Owner to permissions but it still will not save to
the share drive folder. Now it tells me it can't find file. It saves a
blank file of same name and a temp file. Share permissions allow Domain Users
Change and read so I don't see what else it could be.
"Roger Abell" wrote:
> Then very possibly that "save" is attempting to use a temp
> file and rename it.
> You can place a grant to Creator Owner on Modify.
> This will allow the original "saver" to have more permissions
> than you were after, but will not affect the permissions of any
> other account relative to the new file.
>
> --
> Roger
> "Brian" <Brian@discussions.microsoft.com> wrote in message
> news:DB188EB1-5F51-406E-B655-778B31C5ED86@microsoft.com...
> > I tried this and it doesn't work. The part of already created files works,
> > you can read but not save as original. Users cannot save new files to the
> > drive. They get a disk is full error 5987 message, even though drive has 117
> > GB free. Anything else to try? Thanks
> >
> > "Roger Abell" wrote:
> >
> > > To what was the ACE applied where you have in advanced
> > > view set Create files/Write data ?
> > > Suppose you have a new folder, and on it there are two
> > > ACEs. One granting Administrators Full control and the
> > > other granting Users Full control.
> > > If in the generic rights view you were to highlight the Users
> > > ACE and then uncheck all except List folder content and
> > > also Read, then when you leave the generic view and go to
> > > the detail view by clicking Advanced you will see for Users
> > > that there are two ACEs. One is set for This folder, subfolders
> > > and files and it grants Read. The other is set for This folder
> > > and subfolders and it grants Read & Execute.
> > > Highlight this second one that does not apply to files, and
> > > then click on Edit.
> > > In this edit view of the ACE check Create files / write data
> > > and apply the change so that the Read & Execute ACE is now
> > > shown as a Special grant
> > > Now, one more thing is needed, as a concession to the use of
> > > temporary files, and this does weaken the result from what you
> > > have specified as needed.
> > > In the generic view add a new ACE for Creator Owner, and
> > > uncheck all grants except for Write. Then, switch to the Advanced
> > > view, highlight this new ACE and edit it to remove all grants
> > > except for Delete (not Delete subfolders and files, just Delete).
> > > In the Applies to dropbox set this to Subfolders and files.
> > > So, you end up with a new ACE granting to Creator Owner
> > > Delete which applies to Subfolders and files
> > >
> > > You should now have almost just what you were after, except
> > > that the individual that first dropped a given file into the folder
> > > will be able to delete it. Others will not, but the initial contributor
> > > will have this ability. This weakening is needed in order to allow
> > > that account to delete temp files that are made in the directory in
> > > the process of the initial save.
> > > --
> > > Roger Abell
> > > Microsoft MVP (Windows Security)
> > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > "Brian" <Brian@discussions.microsoft.com> wrote in message
> > > news:A130BDFD-B6D4-4F17-BE77-1DFB8490B108@microsoft.com...
> > > > Dumb question but I can't make this work the way we desire. Shared folder on
> > > > W2k DC. On a particular folder we want to allow users to read files, but not
> > > > to be able to edit those files directly on shared drive and still be able to
> > > > save new files to that shared folder. I have allowed permissions for Read,
> > > > List contents, Read & Exe. In advanced permissions I have allowed Traverse
> > > > folder/Exe, List folder/Read data, Read Attributes, Read Extended Att.,
> > > > Create files/Write data. I apply and OK yet folder is listed as read only
> > > > and behaves as if it is read only. It never allows to save a file to it.
> > > > What am I missing here? I want to allow new files to be saved to this
> > > > folder, just not changes to already existing ones. Thanks
> > >
> > >
> > >
>
>
>
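The ACE layout described in the quoted replies (Users may read and create files but not change existing ones; Creator Owner gets Delete on what it creates), written out as an added PowerShell example. It is not part of the thread: it assumes a current Windows host with PowerShell 5 or later rather than the W2k DC discussed, and the folder path and the New-Ace helper are hypothetical.

```powershell
# Added example. $Path is a hypothetical local path of the shared folder.
$Path = 'D:\Shares\Drop'
# 'Delete' matches the first quoted reply; the later reply suggests 'Modify'
# for applications that save through a temp file and then rename it.
$CreatorOwnerRights = 'Delete'

function New-Ace {   # hypothetical helper: builds one Allow ACE
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inherit, $Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$acl = Get-Acl -Path $Path
# Stop inheriting from the parent and drop the inherited ACEs.
$acl.SetAccessRuleProtection($true, $false)
# Clear existing explicit ACEs so only the ones below remain.
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

$both = 'ContainerInherit, ObjectInherit'
$rules = @(
    # Administrators: Full control on this folder, subfolders and files.
    (New-Ace 'BUILTIN\Administrators' 'FullControl' $both 'None'),
    # Users: Read on this folder, subfolders and files.
    (New-Ace 'BUILTIN\Users' 'Read' $both 'None'),
    # Users: Read & Execute plus Create files / Write data on this folder
    # and subfolders only, so the write right never reaches existing files.
    (New-Ace 'BUILTIN\Users' 'ReadAndExecute, CreateFiles' 'ContainerInherit' 'None'),
    # Creator Owner: applies to subfolders and files only (inherit-only).
    (New-Ace 'CREATOR OWNER' $CreatorOwnerRights $both 'InheritOnly')
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $Path -AclObject $acl

# Show the resulting ACEs for comparison with the Advanced view.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```

Run it from an elevated session. The share permissions (Domain Users: Change and Read in this thread) are evaluated separately from these NTFS ACEs.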