Re: Allow saves and reads but not edits

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 04/12/05

  • Next message: Brian: "Re: Allow saves and reads but not edits"
    Date: Tue, 12 Apr 2005 07:57:10 -0700
    
    

    OK. I must be missing something here, not seeing what you
    are seeing in the NTFS permissions editor.
    Basically, your scenario could be closely approximated if
    you have share level allowing Change to Users (you want them
    able to save new files), and then for NTFS permissions they
    will need grants for users of
    List and Read
    and Write that is set to Files Only
    and due to temp files the Creator Owner Modify
    To set the Users effectively if one starts with a grant
    that has only Write showing in the generic view and then go
    into advanced and edit to change this to Files only, then apply
    and ok to get back to where you can add Read/Execute for
    Users (which will include List). If you then check in the
    advanced view you should see two ACEs for Users.
    If you do things in other orders it can get difficult as the
    NTFS editor will merge ACEs when it sees they are redundant
    and you do not get the chance to adjust the advanced settings
    the way you want.

    -- 
    Roger Abell
    Microsoft MVP (Windows  Security)
    MCSE (W2k3,W2k,Nt4)  MCDBA
    "Brian" <Brian@discussions.microsoft.com> wrote in message
    news:B0C9D321-98CE-457A-90EC-0E08C49D3D1F@microsoft.com...
    > Thanks.  I added Creator Owner to permissions but it still will not save to
    > the share drive folder.  Now it tells me it can't find file.  It saves a
    > blank file of same name and a temp file. Share permission allow Domain Users
    > Change and read so I don't see what else it could be.
    >
    > "Roger Abell" wrote:
    >
    > > Then very possibly that "save" is attempting to use a temp
    > > file and rename it.
    > > You can place a grant to Creator Owner on Modify.
    > > This will allow the original "saver" to have more permissions
    > > than you were after, but will not affect the permissions of any
    > > other account relative to the new file.
    > >
    > > -- 
    > > Roger
    > > "Brian" <Brian@discussions.microsoft.com> wrote in message
    > > news:DB188EB1-5F51-406E-B655-778B31C5ED86@microsoft.com...
    > > > I tried this and it doesn't work.  The part of already created files works,
    > > > you can read but not save as original.  Users cannot save new files to the
    > > > drive.  They get a disk is full error 5987 message, even though drive has 117
    > > > GB free.  Anything else to try?  Thanks
    > > >
    > > > "Roger Abell" wrote:
    > > >
    > > > > To what was the ACE applied where you have in advanced
    > > > > view set Create files/Write data  ?
    > > > > Suppose you have a new folder, and on it there are two
    > > > > ACEs.  One granting Administrators Full control and the
    > > > > other granting Users Full control.
    > > > > If in the generic rights view you were to highlight the Users
    > > > > ACE and then uncheck all except List folder content and
    > > > > also Read, then when you leave the generic view and go to
    > > > > the detail view by clicking Advanced you will see for Users
    > > > > that there are two ACEs.  One is set for This folder, subfolders
    > > > > and files and it grants Read.  The other is set for This folder
    > > > > and subfolders and it grants Read & Execute.
    > > > > Highlight this second one that does not apply to files, and
    > > > > then click on Edit.
    > > > > In this edit view of the ACE check Create files / write data
    > > > > and apply the change so that the Read & Execute ACE is now
    > > > > shown as a Special grant
    > > > > Now, one more thing is needed, as a concession to the use of
    > > > > temporary files, and this does weaken the result from what you
    > > > > have specified as needed.
    > > > > In the generic view add a new ACE for Creator Owner, and
    > > > > uncheck all grants except for Write.  Then, switch to the Advanced
    > > > > view, highlight this new ACE and edit it to remove all grants
    > > > > except for Delete (not Delete subfolders and files, just Delete).
    > > > > In the Applies to dropbox set this to Subfolders and files.
    > > > > So, you end up with a new ACE granting to Creator Owner
    > > > > Delete which applies to Subfolders and files
    > > > >
    > > > > You should now have almost just what you were after, except
    > > > > that the individual that first dropped a given file into the folder
    > > > > will be able to delete it.  Others will not, but the initial contributor
    > > > > will have this ability.  This weakening is needed in order to allow
    > > > > that account to delete temp files that are made in the directory in
    > > > > the process of the initial save.
    > > > > -- 
    > > > > Roger Abell
    > > > > Microsoft MVP (Windows  Security)
    > > > > MCSE (W2k3,W2k,Nt4)  MCDBA
    > > > > "Brian" <Brian@discussions.microsoft.com> wrote in message
    > > > > news:A130BDFD-B6D4-4F17-BE77-1DFB8490B108@microsoft.com...
    > > > > > Dumb question but I can't make this work the way we desire.  Shared folder on
    > > > > > W2k DC.  On a particular folder we want to allow users to read files, but not
    > > > > > to be able to edit those files directly on shared drive and still be able to
    > > > > > save new files to that shared folder.  I have allowed permissions for Read,
    > > > > > List contents, Read & Exe.  In advanced permissions I have allowed Traverse
    > > > > > folder/Exe, List folder/Read data, Read Attributes, Read Extended Att.,
    > > > > > Create files/Write data.  I apply and OK yet folder is listed as read only
    > > > > > and behaves as if it is read only.  It never allows to save a file to it.
    > > > > > What am I missing here?  I want to allow new files to be saved to this
    > > > > > folder, just not changes to already existing ones.  Thanks
    > > > >
    > > > >
    > > > >
    > >
    > >
    > >
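
Added example, not part of the original thread: a read-only check of the folder's ACL that prints each ACE with the "Applies to" scope the Advanced view would show, so you can confirm that Users really has two separate ACEs and that the editor did not merge them. It assumes PowerShell 3.0 or later on the machine running the check; the folder path is a hypothetical placeholder.

```powershell
param(
    [string]$Path = 'D:\Shares\Drop'   # hypothetical path; pass the real folder
)

# Translate an ACE's inheritance/propagation flags into the wording used by
# the "Apply onto" drop-down in the Advanced permissions view.
function Get-AppliesTo {
    param([int]$Inheritance, [int]$Propagation)
    $ci = ($Inheritance -band 1) -ne 0   # InheritanceFlags.ContainerInherit
    $oi = ($Inheritance -band 2) -ne 0   # InheritanceFlags.ObjectInherit
    $io = ($Propagation -band 2) -ne 0   # PropagationFlags.InheritOnly
    if (-not $ci -and -not $oi) { return 'This folder only' }
    if ($ci -and $oi) {
        if ($io) { return 'Subfolders and files only' }
        return 'This folder, subfolders and files'
    }
    if ($ci) {
        if ($io) { return 'Subfolders only' }
        return 'This folder and subfolders'
    }
    if ($io) { return 'Files only' }
    return 'This folder and files'
}

# Read the DACL; nothing is modified.
$acl = Get-Acl -LiteralPath $Path

$aces = foreach ($ace in $acl.Access) {
    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Type      = $ace.AccessControlType
        Rights    = $ace.FileSystemRights
        AppliesTo = Get-AppliesTo ([int]$ace.InheritanceFlags) ([int]$ace.PropagationFlags)
        Inherited = $ace.IsInherited
    }
}

# One row per ACE, as the Advanced view lists them.
$aces | Sort-Object Identity, AppliesTo | Format-Table -AutoSize -Wrap

# Explicit (non-inherited) ACE count per account. After the steps described
# above, Users should appear with a count of 2; a count of 1 suggests the
# editor merged the entries.
$aces | Where-Object { -not $_.Inherited } |
    Group-Object Identity |
    Select-Object Name, Count |
    Format-Table -AutoSize
```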
    
