Prevent users deleting, moving or drag and drop folders in a file share

I think it’s not uncommon for organisations having file servers to have one or more file shares mapped to end users using various drive letters. These file shares may contain several sub folders, may be for different business functions or units, which users have access depending on the security groups they belong to. One of the challenges of this folder structure is to prevent users accidentally moving or dragging or dropping folders. It may be difficult to control this in sub folder level, but it would be worthwhile to keep the root folder structure secure and intact. I hope the below simple technique can be used to accomplish this and it worked for me in my test/production environments.

For this example, let’s assume a file share that has been mapped to end users using a drive letter. This file share has two sub folders underneath, “Helpdesk” and “Public”.

post4-ntfs2

Let’s assume that domain users have modify access to the “Public” folder, NTFS permissions for the “Public” folder would appear as follows;

post4-ntfs1

Helpdesk folder is a more secure folder and only a security group called “helpdesk” (and server admins) has read and modify access to the folder. See the NTFS permissions below;

post4-ntfs3

Now, let’s assume we have a domain user called “testuser” who is a member of the “helpdesk” group. As this domain user has modify access to both “Public” and “Helpdesk” folders, the user can drag and drop or move folders with in. Therefore, what we want to achieve is to prevent this, while still providing the “testuser” access to create, delete or move sub folders with in the root folders.

To do this, go to the properties of the “Helpdesk” folder and click the security tab. Click the “Advanced” button and click “Change Permissions” button. Now, select the “helpdesk” group under the list of permission entries and click “Edit” button.

Under the permissions entry for the helpdesk folder, scroll down and de-select the allow delete permission. Select the allow “delete sub folders and files” permission. Click OK to close the windows and apply permission changes.

post4-ntfs4      post4-ntfs5

Now login to a workstation as “testuser” and try to drag and drop “Helpdesk” folder to “Public” folder, you will see the following warning message;

post4-ntfs6

Thanks
DJ

 

Advertisements

Tags: , , , ,

2 Responses to “Prevent users deleting, moving or drag and drop folders in a file share”

  1. Joel A Katon Says:

    http://kingsmarket.org/StopDragNDrop.html

  2. John Breakwell (@JohnBrea) Says:

    Thanks – this does prettyy much what I want (except being able to rename folders). Regarding the policy change recommended by Joel, is that supposed to affect Windows Expolorer?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s


%d bloggers like this: