Re: Allow saves and reads but not edits
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 04/13/05
- Next message: Antti: "RE: Disk Full Prompt While save from A Applications from Remote"
- Previous message: Roger Abell: "Re: Issue in demoting users from Admin to Power Users"
- In reply to: Brian: "Re: Allow saves and reads but not edits"
Date: Tue, 12 Apr 2005 23:32:12 -0700
"Brian" <Brian@discussions.microsoft.com> wrote in message
news:972CF792-0671-47F6-B00A-8BC451F43597@microsoft.com...
> Ok thanks I got it working correctly now. I removed the domain users and
> creator owner and started over. I had to give Domain Users List and Read
> generic permission otherwise as files only they could not access folders.
> Then they got special permission on files only to create files but not append
> data. Then I added Creator/Owner special permissions to files only for
> Modify and it works as intended. Thank you very much for your help and
> patience.
>
No problem. Glad you got it working as intended (nearly).
A first trip into the individual bits of the ACEs can be a
little trying.
--
Roger

> "Roger Abell" wrote:
>
> > OK. I must be missing something here, not seeing what you
> > are seeing in the NTFS permissions editor.
> > Basically, your scenario could be closely approximated if
> > you have share level allowing Change to Users (you want them
> > able to save new files), and then for NTFS permissions they
> > will need grants for users of
> >   List and Read
> >   and Write that is set to Files Only
> >   and due to temp files the Creator Owner Modify
> > To set the Users effectively if one starts with a grant
> > that has only Write showing in the generic view and then go
> > into advanced and edit to change this to Files only, then apply
> > and ok to get back to where you can add Read/Execute for
> > Users (which will include List). If you then check in the
> > advanced view you should see two ACEs for Users.
> > If you do things in other orders it can get difficult as the
> > NTFS editor will merge ACEs when it sees they are redundant
> > and you do not get the chance to adjust the advanced settings
> > the way you want.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Brian" <Brian@discussions.microsoft.com> wrote in message
> > news:B0C9D321-98CE-457A-90EC-0E08C49D3D1F@microsoft.com...
> > > Thanks. I added Creator Owner to permissions but it still will not
> > > save to the share drive folder. Now it tells me it can't find file.
> > > It saves a blank file of same name and a temp file. Share permissions
> > > allow Domain Users Change and read so I don't see what else it could be.
> > >
> > > "Roger Abell" wrote:
> > >
> > > > Then very possibly that "save" is attempting to use a temp
> > > > file and rename it.
> > > > You can place a grant to Creator Owner on Modify.
> > > > This will allow the original "saver" to have more permissions
> > > > than you were after, but will not affect the permissions of any
> > > > other account relative to the new file.
> > > >
> > > > --
> > > > Roger
> > > > "Brian" <Brian@discussions.microsoft.com> wrote in message
> > > > news:DB188EB1-5F51-406E-B655-778B31C5ED86@microsoft.com...
> > > > > I tried this and it doesn't work. The part of already created
> > > > > files works, you can read but not save as original. Users cannot
> > > > > save new files to the drive. They get a disk is full error 5987
> > > > > message, even though drive has 117 GB free. Anything else to try?
> > > > > Thanks
> > > > >
> > > > > "Roger Abell" wrote:
> > > > >
> > > > > > To what was the ACE applied where you have in advanced
> > > > > > view set Create files/Write data ?
> > > > > > Suppose you have a new folder, and on it there are two
> > > > > > ACEs. One granting Administrators Full control and the
> > > > > > other granting Users Full control.
> > > > > > If in the generic rights view you were to highlight the Users
> > > > > > ACE and then uncheck all except List folder content and
> > > > > > also Read, then when you leave the generic view and go to
> > > > > > the detail view by clicking Advanced you will see for Users
> > > > > > that there are two ACEs. One is set for This folder, subfolders
> > > > > > and files and it grants Read. The other is set for This folder
> > > > > > and subfolders and it grants Read & Execute.
> > > > > > Highlight this second one that does not apply to files, and
> > > > > > then click on Edit.
> > > > > > In this edit view of the ACE check Create files / write data
> > > > > > and apply the change so that the Read & Execute ACE is now
> > > > > > shown as a Special grant
> > > > > > Now, one more thing is needed, as a concession to the use of
> > > > > > temporary files, and this does weaken the result from what you
> > > > > > have specified as needed.
> > > > > > In the generic view add a new ACE for Creator Owner, and
> > > > > > uncheck all grants except for Write. Then, switch to the Advanced
> > > > > > view, highlight this new ACE and edit it to remove all grants
> > > > > > except for Delete (not Delete subfolders and files, just Delete).
> > > > > > In the Applies to dropbox set this to Subfolders and files.
> > > > > > So, you end up with a new ACE granting to Creator Owner
> > > > > > Delete which applies to Subfolders and files
> > > > > >
> > > > > > You should now have almost just what you were after, except
> > > > > > that the individual that first dropped a given file into the
> > > > > > folder will be able to delete it. Others will not, but the
> > > > > > initial contributor will have this ability. This weakening is
> > > > > > needed in order to allow that account to delete temp files that
> > > > > > are made in the directory in the process of the initial save.
> > > > > > --
> > > > > > Roger Abell
> > > > > > Microsoft MVP (Windows Security)
> > > > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > > > "Brian" <Brian@discussions.microsoft.com> wrote in message
> > > > > > news:A130BDFD-B6D4-4F17-BE77-1DFB8490B108@microsoft.com...
> > > > > > > Dumb question but I can't make this work the way we desire.
> > > > > > > Shared folder on W2k DC. On a particular folder we want to
> > > > > > > allow users to read files, but not to be able to edit those
> > > > > > > files directly on shared drive and still be able to save new
> > > > > > > files to that shared folder. I have allowed permissions for
> > > > > > > Read, List contents, Read & Exe. In advanced permissions I
> > > > > > > have allowed Traverse folder/Exe, List folder/Read data, Read
> > > > > > > Attributes, Read Extended Att., Create files/Write data. I
> > > > > > > apply and OK yet folder is listed as read only and behaves as
> > > > > > > if it is read only. It never allows to save a file to it.
> > > > > > > What am I missing here? I want to allow new files to be saved
> > > > > > > to this folder, just not changes to already existing ones.
> > > > > > > Thanks
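
The ACE layout this thread works toward, written as a PowerShell script rather than clicks in the permissions editor. This is an added example, not part of the original posts: the folder path, the choice of BUILTIN\Users as the group, and the use of Get-Acl/Set-Acl are assumptions.

```powershell
# Added example. $path and $group are assumptions; run from an elevated session.
$path  = 'D:\Shares\Drop'     # hypothetical drop folder
$group = 'BUILTIN\Users'      # stands in for the thread's Users / Domain Users

function New-Ace($who, $rights, $inherit, $propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $who, $rights, $inherit, $propagate, 'Allow'
}

$aces = @(
    # Administrators keep Full control: this folder, subfolders and files.
    (New-Ace 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'),

    # Read for the group: this folder, subfolders and files.
    (New-Ace $group 'Read' 'ContainerInherit, ObjectInherit' 'None'),

    # Read & Execute plus Create files: this folder and subfolders only.
    # No ObjectInherit, so files never inherit this ACE. On a file the
    # CreateFiles bit is the same bit as Write data, which is why the
    # ACE must not reach files.
    (New-Ace $group 'ReadAndExecute, CreateFiles' 'ContainerInherit' 'None'),

    # Creator Owner gets Modify on subfolders and files only (InheritOnly),
    # the concession made for applications that save via a temp file.
    (New-Ace 'CREATOR OWNER' 'Modify' 'ContainerInherit, ObjectInherit' 'InheritOnly')
)

$acl = Get-Acl -Path $path
# Stop inheriting from the parent and discard the inherited ACEs.
$acl.SetAccessRuleProtection($true, $false)
# Start over: remove the explicit ACEs already on the folder.
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path $path -AclObject $acl

# Review the result: one row per ACE with its "Applies to" flags.
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

The share-level permission still has to allow Change, as noted in the thread, for new files to be saved over the network.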