Re: How to set up a folder so that only the creator of a file can modify it?

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 07/06/05

• Next message: Steven L Umbach: "Re: Server not configured for transactions"
• Previous message: Hosehead: "Re: Server not configured for transactions"
• In reply to: Roger Abell: "Re: How to set up a folder so that only the creator of a file can modify it?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 6 Jul 2005 11:31:27 -0500

Thanks for catching and correcting that. I missed the part on write only to
their folder and read for any folder. You certainly pointed him to the
solution. --- Steve

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:efxCVPfgFHA.824@TK2MSFTNGP14.phx.gbl...
> Actually, that will not satisfy the poster's requirements since
> the read/list/execute/write will result in the file defined within
> having write granted on it to the group rather than only to the
> creating user.
>
> This is a little tricky to accomplish with the NTFS security dialog
> as normally things that you grant to Files (Files only, or This folder,
> subfolders, and Files, This folder and files, Subfolders and Files only)
> will result in the permissions that are applicable to file objects being
> set on those files objects at any of the specified levels.
>
> To accomplish what the OP is after here one needs to make use of
> the Folder ACE called in the interface Create file.
> To do this one may
> Grant List to the group, access the Advanced view and highlight
> the List grant and Edit it, and finally within the detail edit view
> check "Create Files / Write Data". Notice that this is really only
> a grant of Create Files since the ACE applies to This folder and
> subfolders (i.e. not to file objects).
> Then, back on the initial, generic permissions dialog check Read.
> If one now goes to Advanced one should see two ACEs for the
> group. The new one, Read for This folder, subfolders and files,
> and the earlier which shows as Special in the adv dialog and is
> applicable to This folder and subfolders, and is a List with the
> one added ACE bit.
> Another way to do this is
> Grant the group Write, and then use the Advanced view to Edit
> this so that it applies to This folder and subfolders and so that
> all check boxes are cleared except for "Create Files/Write Data".
> Then, back at the generic view highlight the group and grant
> List folder contents and also grant Read
> In both cases one would also grant to Creator Owner , ideally only
> Modify but granting other than Full to Creator Owner is really just
> a misnomer.
> In both cases I have assumed that Execute should not be given to
> the group - that these are information / data files and that we do
> not want members of the group executing from the storage area.
> If they should have execute, then where Read was granted one
> would grant Read/Execute.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:eKjRnGbgFHA.2548@TK2MSFTNGP10.phx.gbl...
>> Give the groups read/list/execute/write permissions and creator owner
>> full
>> control which is what creator owner usually has. Creator owner should
>> show
>> as full control for the parent folder of the three folders for acct, eng
> and
>> sales for "subfolders and files only" when you view advanced permissions.
>> Also verify that the file has the owner that you expect after it is
>> created. --- Steve
>>
>>
>> "Thomas Cameron" <thomas.cameron@camerontech.com> wrote in message
>> news:pan.2005.07.05.21.57.45.932691@camerontech.com...
>> > All -
>> >
>> > I've mucked about with advanced permissions and I still can't quite get
>> > what I want to work.
>> >
>> > I would think this would be easy. Say I have three groups -
>> > accounting,
>> > engineering and sales. I create three folders called acct, eng and
> sales.
>> > I want it set up so that anyone in the group can write to their folder,
>> > but only the person who created a file can modify it later. I want
>> > everyone in the group to be able to read any file, but only the creator
>> > t be able to change it.
>> >
>> > How do I do that?
>> >
>> > Thanks,
>> > Thomas
>>
>>
>
>

• Next message: Steven L Umbach: "Re: Server not configured for transactions"
• Previous message: Hosehead: "Re: Server not configured for transactions"
• In reply to: Roger Abell: "Re: How to set up a folder so that only the creator of a file can modify it?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: file permissions ... The original tools have a rudimentary Deny, ... I grant everything that I can to This folder, subfolders and file on the ... (microsoft.public.windowsxp.security_admin) Re: Folder and Sub-folder permissions ... Modify to Dept1Mgrs for This folder, subfolders and files ... add a Modify grant to Dept1Users for Subfolders and files ... Create Folders/Append Data for This folder and subfolders ... (microsoft.public.windows.server.security) Re: Screwed up my PC... ... AFAIK a grant to Creator Owner is irrelevant. ... The folder that contains the mdb, ... The folder, not just the mdb, but make ... (microsoft.public.windowsxp.security_admin) Re: Modify rights to single file in a directory with only list per ... least Modify to Creator Owner, but then they would be able to ... a grant to Creator Owner ... I suggested Modify, which is set on the generic NTFS dialog, not ... into Advanced rights on the folder and granted "Create Files/Write Data" ... (microsoft.public.windows.server.security) Re: How to set up a folder so that only the creator of a file can modify it? ... subfolders, and Files, This folder and files, Subfolders and Files only) ... Grant List to the group, access the Advanced view and highlight ... Modify but granting other than Full to Creator Owner is really just ... (microsoft.public.win2000.security)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint