Posts Tagged ‘file shares’

Prevent users deleting, moving or drag and drop folders in a file share

January 1, 2013

I think it’s not uncommon for organisations having file servers to have one or more file shares mapped to end users using various drive letters. These file shares may contain several sub folders, may be for different business functions or units, which users have access depending on the security groups they belong to. One of the challenges of this folder structure is to prevent users accidentally moving or dragging or dropping folders. It may be difficult to control this in sub folder level, but it would be worthwhile to keep the root folder structure secure and intact. I hope the below simple technique can be used to accomplish this and it worked for me in my test/production environments.

For this example, let’s assume a file share that has been mapped to end users using a drive letter. This file share has two sub folders underneath, “Helpdesk” and “Public”.

post4-ntfs2

Let’s assume that domain users have modify access to the “Public” folder, NTFS permissions for the “Public” folder would appear as follows;

post4-ntfs1

Helpdesk folder is a more secure folder and only a security group called “helpdesk” (and server admins) has read and modify access to the folder. See the NTFS permissions below;

post4-ntfs3

Now, let’s assume we have a domain user called “testuser” who is a member of the “helpdesk” group. As this domain user has modify access to both “Public” and “Helpdesk” folders, the user can drag and drop or move folders with in. Therefore, what we want to achieve is to prevent this, while still providing the “testuser” access to create, delete or move sub folders with in the root folders.

To do this, go to the properties of the “Helpdesk” folder and click the security tab. Click the “Advanced” button and click “Change Permissions” button. Now, select the “helpdesk” group under the list of permission entries and click “Edit” button.

Under the permissions entry for the helpdesk folder, scroll down and de-select the allow delete permission. Select the allow “delete sub folders and files” permission. Click OK to close the windows and apply permission changes.

post4-ntfs4      post4-ntfs5

Now login to a workstation as “testuser” and try to drag and drop “Helpdesk” folder to “Public” folder, you will see the following warning message;

post4-ntfs6

Thanks
DJ

 

Advertisements