If it's a specific share you can make the share read-only except for specific groups or users, IIRC this would preclude the NTFS ACL on said folder.
While I hate mixing share and file level ACL's, I do exactly this for a client where I robocopy move files older than 5 years into an O: (for old) drive that users have only read access to - if they want to edit the file, they have to copy it to an "active" share. From: Kennedy, Jim [mailto:[email protected]] Sent: Tuesday, January 17, 2012 8:28 AM To: NT System Admin Issues Subject: RE: File rights issue Nuke the Creator Owner permissions on the folder. You will often find Creator Owner with Full Control on Subfolders and Files Only under special permissions. So yes as the owner they have full control. From: Bob Hartung [mailto:[email protected]]<mailto:[mailto:[email protected]]> Sent: Tuesday, January 17, 2012 11:15 AM To: NT System Admin Issues Subject: File rights issue We have a group of product engineers who create drawings in PDF format. Once their designs are certified, they send their PDF files to an individual who places the files in a directory structure on a Windows 2003 server for common use. The directory structure is setup so only a couple of users can make changes to it; everyone else should be read-only. The engineers are not granted rights to make changes to files in this directory structure. However, one of the engineers contacted me and said he was checking one of his PDF files in the directory structure and had inadvertently deleted it. I was surprised and a little skeptical but the file was gone. I restored it from backup and asked him to try to delete it again. Sure enough, he could delete it. After a little testing, I established that even though the directories prevented him from deleting most files, he could delete any file that listed him as the owner. Is there a way to change the rights in folders that would prevent an owner from deleting his own files or do I have to explicitly take ownership on these files in order to protect them? ---------------------- Bob Hartung Dir of I.T. Wisco Industries, Inc. 736 Janesville St. Oregon, WI 53575 Tel: (608) 835-3106 x215 Fax: (608) 835-7399 e-mail: bhartung(at)wiscoind.com ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
