The owner of a file can basically do what he wishes with it. You can try denying permissions to the owner, but IMHO it's a poor way of managing files and directories, mostly because trying to keep track of the Deny ACEs is such a pain.
Take ownership for the existing files, and in the future copy files into the directories, at which point the files will inherit the permissions in the directory structure. A move, if done from one directory to another on the same disk partition under Win2k3, will keep the ACLs on the files. This behavior supposedly changes under Win2k8 or Win2k8 R2, but I haven't had a chance to observe it, so can't comment on that. Kurt On Tue, Jan 17, 2012 at 08:15, Bob Hartung <[email protected]> wrote: > We have a group of product engineers who create drawings in PDF format. Once > their designs are certified, they send their PDF files to an individual who > places the files in a directory structure on a Windows 2003 server for > common use. The directory structure is setup so only a couple of users can > make changes to it; everyone else should be read-only. The engineers are not > granted rights to make changes to files in this directory structure. > > However, one of the engineers contacted me and said he was checking one of > his PDF files in the directory structure and had inadvertently deleted it. I > was surprised and a little skeptical but the file was gone. I restored it > from backup and asked him to try to delete it again. Sure enough, he could > delete it. > > After a little testing, I established that even though the directories > prevented him from deleting most files, he could delete any file that listed > him as the owner. > > Is there a way to change the rights in folders that would prevent an owner > from deleting his own files or do I have to explicitly take ownership on > these files in order to protect them? > > ---------------------- > > Bob Hartung > Dir of I.T. > Wisco Industries, Inc. > 736 Janesville St. > Oregon, WI 53575 > Tel: (608) 835-3106 x215 > Fax: (608) 835-7399 > e-mail: bhartung(at)wiscoind.com > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
