Permission to Copy Files to Server Folder But Not Edit Them

Posted by Janna on July 1, 2006, 9:26 pm
On a Windows 2003 Server I would like a specific user to have permission to
add Excel files to a folder on the server from his own workstation, but not
be able to edit the files, once they are placed into the folder. He still
needs to be able to open and read the files, once they are in the folder on
the server, just not be able to make changes to them.

Can anyone tell me what combination of file permissions in Windows 2003
Server would produce this result. Thanks in advance!

Posted by Shenan Stanley on July 1, 2006, 9:46 pm
Janna wrote:
> On a Windows 2003 Server I would like a specific user to have
> permission to add Excel files to a folder on the server from his
> own workstation, but not be able to edit the files, once they are
> placed into the folder. He still needs to be able to open and read
> the files, once they are in the folder on the server, just not be
> able to make changes to them.
>
> Can anyone tell me what combination of file permissions in Windows
> 2003 Server would produce this result. Thanks in advance!

In order to do something like this with file and folder permissions -
something would have to change said permissions on said file as soon as it
was saved. Before the change to the permissions was made - as the
creator/owner of said files - the user could do whatever they wanted. Then
something (a script maybe) would change the permissions to where the
user/group the user is a member of only have read/execute permissions.

There are no native settings I could think of that would result in the
original creator/owner not having write permissions to their file - having
just written it in the first place.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html



Posted by Roger Abell [MVP] on July 2, 2006, 10:57 am

> Janna wrote:
>> On a Windows 2003 Server I would like a specific user to have
>> permission to add Excel files to a folder on the server from his
>> own workstation, but not be able to edit the files, once they are
>> placed into the folder. He still needs to be able to open and read
>> the files, once they are in the folder on the server, just not be
>> able to make changes to them.
>>
>> Can anyone tell me what combination of file permissions in Windows
>> 2003 Server would produce this result. Thanks in advance!
>
> In order to do something like this with file and folder permissions -
> something would have to change said permissions on said file as soon as it
> was saved. Before the change to the permissions was made - as the
> creator/owner of said files - the user could do whatever they wanted.
> Then something (a script maybe) would change the permissions to where the
> user/group the user is a member of only have read/execute permissions.
>
> There are no native settings I could think of that would result in the
> original creator/owner not having write permissions to their file - having
> just written it in the first place.
>

The precautions you outline are indeed needed due to Ownership
always vesting in the originating account in pre-Vista Windows.

However, if there is no grant to Creator Owner, but say only Users
Read/Execute plus Users Write for Files Only, then the account that
copies the file into the folder would not have Write permissions.
As Owner they could grant themselves those permissions, but they
would not have them from the get go.

This is just intended to clarify your last statement and also to indicate
that the interval during which the evented revocation of ownership
upon new object creation may have a slightly larger opportunity
than if the object was created with Write/Delete initially granted.

Roger



Posted by Steven L Umbach on July 1, 2006, 11:09 pm
I believe it can be done but realize that file creator will be the owner
and the owner can always change permissions though administrators can always
take ownership if need be. However most users will not understand this or
know how to change permissions and you can make it more difficult by using
Group Policy to remove the security tab from folder/file properties for
users under user configuration\administrative templates\Windows
components\Windows Explorer - hide security tab.

You will need to go into the advanced page on the security page to access
special permissions. The link below explains special permissions.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;308419

Go to the folder and access special permissions. Select add and then find
the user. Select traverse folder/execute file, list folder/read data, read
attributes, read extended attributes, create files/write data, and read
permissions. Select folder only in the apply onto box and hit OK.

Select add again for the user and then traverse folder/execute file, list
folder/read data, read attributes, read extended attributes, and read
permissions and then select files only in the apply onto box and hit OK.

Then find creator owner and select edit and make sure only traverse
folder/execute file, list folder/read data, read attributes, read extended
attributes, and read permissions are selected and hit OK.

Note that by modifying creator owner permissions when any user creates a
file in the folder that user account will show up with explicit permissions
that match what creator owner shows however the user can have greater
permissions to folder/files if they are a member of a group that has greater
permissions than creator owner shows. The key to granting special
permissions is that a user/group can be listed multiple times because of the
possibilities in the apply onto box.

--- Steve


> On a Windows 2003 Server I would like a specific user to have permission to
> add Excel files to a folder on the server from his own workstation, but not
> be able to edit the files, once they are placed into the folder. He still
> needs to be able to open and read the files, once they are in the folder on
> the server, just not be able to make changes to them.
>
> Can anyone tell me what combination of file permissions in Windows 2003
> Server would produce this result. Thanks in advance!



Posted by Roger Abell [MVP] on July 2, 2006, 11:11 am
Janna

This is, as other posts have likely clued you, a difficult criterion to meet.
If you grant generic Read/Execute to your group, and then also add
your group again but remove all except Write on the generic dialogue
and then click Advanced, highlight the Write grant to your group and
click Edit and there change the Applies to to Files Only, and if you
also remove any grants to Creator Owner or to other groups that
contain the accounts to be restricted, then you are close to what you
are after.

With these configured, accounts will not be able to create Office
documents in the folder, but they should be able to copy them there.
This is because Office applications tend to use temporary files that
get renamed, etc. so your users will need to be informed that they
should only put files in this area once they have created, proofed,
and are satisfied with them.

Now, you would still need to address the ownership issue by such
as Steve suggested to make their using ownership more difficult
(note that commandline permissions tools exist) or by using such
as Shenan has outlined so that they are no longer owner (this is
the only totally effective solution using a share).

Now, there is a third alternative, which is to use an intermediate,
such as a web interface or SharePoint web. In this case, because
all saves are already mediated by the web server-side code, you
implicitly are already exerting complete constraint over all accesses
and their types to what is there.

Roger

> On a Windows 2003 Server I would like a specific user to have permission to
> add Excel files to a folder on the server from his own workstation, but not
> be able to edit the files, once they are placed into the folder. He still
> needs to be able to open and read the files, once they are in the folder on
> the server, just not be able to make changes to them.
>
> Can anyone tell me what combination of file permissions in Windows 2003
> Server would produce this result. Thanks in advance!
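
Added example, not part of any post in this thread: a PowerShell script that applies the permission layout described in the replies above (read plus create files on the folder itself, read-only on files, no Creator Owner grant) and then lists the resulting entries. The scratch path, the use of BUILTIN\Users as the restricted group, and the Administrators Full Control entry are assumptions.

```powershell
# Added example. Assumptions: scratch folder under %TEMP%; BUILTIN\Users stands in
# for the restricted group; Administrators keeps Full Control for management.
$Path = Join-Path $env:TEMP 'DropFolderDemo'
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Well-known SIDs, so the script does not depend on localized account names.
$users  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-32-545'
$admins = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-32-544'

# Rights from the thread. Folder and file names share one bit each
# (Traverse = ExecuteFile, ListDirectory = ReadData, CreateFiles = WriteData).
$read   = [System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ReadPermissions'
$browse = [System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ReadPermissions, CreateFiles'
$full   = [System.Security.AccessControl.FileSystemRights]'FullControl'

function New-Rule($sid, $rights, $inherit, $propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $sid, $rights, $inherit, $propagate, 'Allow'
}

$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting from the parent, keep none of its ACEs

# 1. This folder only: browse it and create files in it.
$acl.AddAccessRule((New-Rule $users $browse 'None' 'None'))
# 2. Files only: read/execute, with no write, delete or change-permissions right.
$acl.AddAccessRule((New-Rule $users $read 'ObjectInherit' 'InheritOnly'))
# 3. Administrators: Full Control on the folder and everything below it.
$acl.AddAccessRule((New-Rule $admins $full 'ContainerInherit, ObjectInherit' 'None'))
# No CREATOR OWNER entry is added, so a new file carries no extra grant for its creator.

Set-Acl -Path $Path -AclObject $acl

# Check 1: the folder's entries and what each one applies to.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize

# Check 2: a new file inherits only the files-only and Administrators entries.
$file = Join-Path $Path ('constructed-sample-{0}.txt' -f [guid]::NewGuid())
[System.IO.File]::WriteAllText($file, 'constructed sample content')
$fileAcl = Get-Acl -Path $file
$fileAcl.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
"Owner of new file: $($fileAcl.Owner)"   # the owner can still change this file's ACL
```

The owner line printed at the end is the part these permissions do not solve: as the replies note, the creating account owns the file and can grant itself write access again unless ownership is changed afterwards.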


