Ad - leaderboard

Saturday, April 06, 2013

Windows Technical: Preventing Users from Deleting Folders

 We must see if we can apply these rights. Steve
Preventing Users from Deleting Folders

well, first rule is NO user should ever have "FULL CONTROL" on anything. "MODIFY" is the most they get no matter how much they complain.
otherwise you end up with some numpty user rearranging folder permissions and you then have to come in, take ownership, and rearrange the permissions.
messing around with "deny" can become a tricky business when you need to figure out who has what kind of permissions on a folder/file.
we always assign permissions to groups to a folder. 1 group has "read & execute" and the other group has "modify" permissions. users become members of the respective groups depending on what they need to do. that's it.
"modify" does not include the permissions to delete subfolders and files.
this means the user can delete an individual file but not the whole folder or a subfolder and thereby, everything in it.
you could still go into the advanced options and untick "delete" but that will cause a problem with the *.tmp files word and excel create. every change you make to such a file creates another *.tmp file until the main file is closed.
if you deny a user the permission to "delete", the *.tmp file are not deleted and you'll end up with a load of *.tmp files and a shortage of disk space.
so, it's kind of a compromise. we let some users have delete permissions and they are, thereby responsible for what is in a folder. if they accidentally delete something, we restore it from the backup. much less hassle then having to do everything for the user.

A short but excellent note from Microsoft on how to configure the root folder: 
More on  the structure of your folders: 
This is what I would do:
Level 1 & 2 - Admin Group - Write, Modify, Read, etc. Users - Read, List Folder Contents, Read and execute
Bottom levels - Users - add Write and Modify permissions.
You can add permissions at the lower levels w/ no problems. Taking away permissions at lower levels is where you have to remove the inheritance and then copy permissions, then remove what you don't want.