Windows ACL deny move of folders on a hierarchy level

0

My goal is to prevent Users from accidentally moving or deleting folders on one specific hierarchy level of a Windows Server 2019 share.

Example:

Two User Groups: Admin and User

|-RootShareDirecory      <= Directory that is Shared
  |- ProjectFolder1      <= Folder should only be moved / changed / deleted by an admin
     |- File1.doc        <= User has full access to the content itself.
     |- SubFolder2       <= User has full access to the content itself.
  |- ProjectFolder2      <= Folder should only be moved / changed / deleted by an admin
  ...

What I have tried:

I have found multiple solutions for this issue online, e.g.:

  1. How to prevent users from deleting one folder, while still giving them modify permissions to other files and folders?
  2. https://blogs.uw.edu/curreri/disable-click-and-drag-on-folders/
  3. https://dilrukj.wordpress.com/2013/01/01/prevent-users-deleting-moving-or-drag-and-drop-folders-in-a-file-share/

So I tried all of them, obviously with no success.

Most of the solutions rely on creating an ACL for ProjectFolderX that denies the delete action to the User.

Unfortunately, I can only get two different results:

  1. The ProjectFolderX is still movable, but every other action within the RootShareDirecory is denied.
  2. The ProjectFolderX is not movable, but the direct content within (e.g. File1.doc) is also not writable.

Can anyone give me a hint on how to solve this issue? Thank you

StaticBR

Posted 2020-02-22T09:03:36.980

Reputation: 101

I usually set permissions on "Traverse Directory" and "List Folders" for directories that shouldn't be changed by users, have you already tried that? – Danfossi – 2020-02-22T09:13:21.753

Answers

0

Thank you @harrymc for the useful link. Here is how I have solved this issue now.

I'm describing the permissions for the user. Use the Advanced Security dialog to add these permissions (Right click / Settings / Security / Advanced).

RootShareDirecory

  • Permission for This Folder, SubFolder and Files: only Read, Execute

ProjectFolderX

  • Activate permission inheritance.
  • Permission for This Folder: every permission excluding Delete.
  • Permission for Only Subfolder and Files: Full Access.

Explanation

In order to prevent a file from being moved, you have to disable the Delete. Unfortunately, there are two values which influence whether a folder can be deleted:

  1. The Delete permission on the folder itself
  2. The Delete subfolders and files permission of the parent folder.

Please ensure the user who is not allowed to delete has none of these two permissions.

StaticBR

Posted 2020-02-22T09:03:36.980

Reputation: 101
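
The permission layout from the answer above, scripted in PowerShell together with a check for the two delete permissions it names. This is an added example, not part of the original answer; the share path and the group name are assumed placeholders.

```powershell
# Assumed values, not from the original post: adjust the path and group name.
$Root  = 'D:\Shares\RootShareDirecory'
$Group = 'CONTOSO\User'

$Rights = [System.Security.AccessControl.FileSystemRights]
$Rule   = [System.Security.AccessControl.FileSystemAccessRule]
$Allow  = [System.Security.AccessControl.AccessControlType]::Allow
$Both   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoInh  = [System.Security.AccessControl.InheritanceFlags]::None
$NoProp = [System.Security.AccessControl.PropagationFlags]::None
$Only   = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# "Every permission excluding Delete": Full Control with the Delete bit cleared.
$AllButDelete = [System.Security.AccessControl.FileSystemRights](
    [int]$Rights::FullControl -band (-bnot [int]$Rights::Delete))

$rootRule    = $Rule::new($Group, $Rights::ReadAndExecute, $Both,  $NoProp, $Allow)
$folderRule  = $Rule::new($Group, $AllButDelete,           $NoInh, $NoProp, $Allow)
$contentRule = $Rule::new($Group, $Rights::FullControl,    $Both,  $Only,   $Allow)

# RootShareDirecory: Read, Execute for this folder, subfolders and files.
$acl = Get-Acl -LiteralPath $Root
$acl.AddAccessRule($rootRule)
Set-Acl -LiteralPath $Root -AclObject $acl

# Each ProjectFolderX: inheritance on, no Delete on the folder, full access inside.
foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    $acl.SetAccessRuleProtection($false, $true)   # $false = inheritance stays enabled
    $acl.AddAccessRule($folderRule)               # this folder only
    $acl.AddAccessRule($contentRule)              # subfolders and files only
    Set-Acl -LiteralPath $dir.FullName -AclObject $acl
}

# Return Allow ACEs for $Group that apply to $Path itself and contain $Right.
function Test-DeleteGrant {
    param([string]$Path, [System.Security.AccessControl.FileSystemRights]$Right)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and
        $_.AccessControlType -eq $Allow -and
        -not $_.PropagationFlags.HasFlag($Only) -and
        $_.FileSystemRights.HasFlag($Right)
    }
}

# AddAccessRule does not remove older grants, so check both permissions from the
# answer; any ACE printed here still lets the group move or delete a folder.
Test-DeleteGrant -Path $Root -Right ($Rights::DeleteSubdirectoriesAndFiles)
Get-ChildItem -LiteralPath $Root -Directory |
    ForEach-Object { Test-DeleteGrant -Path $_.FullName -Right ($Rights::Delete) }
```

The check only looks at ACEs that name the group directly, so grants reaching the same users through other groups need the same review. Taken literally, "every permission excluding Delete" also leaves Change permissions and Take ownership on the project folder, which lets a user restore the Delete right.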