Permissions to create files and folders but only modify owned files












2















I want to set permissions on a folder in which every local user should be able to:




  • Create new files or folders

  • But only a file's owner should be able to modify it or delete it


Since we need the Create Files/ Write Data, Create Folders/ Append Data and Write Attributes permissions in order to create files, how do I prevent users from modifying the file of another owner? Further, with Write Attributes allowed, every modification (except deletion) is permitted. But if I disable this permission, I can not create files.



What permissions should I be using?










share|improve this question

























  • “how do we prevent users from modifying the file of another owner?” You have to specifically remove the write permission from the file individually. So move read only files to their own directory

    – Ramhound
    Mar 9 '18 at 19:20
















2















I want to set permissions on a folder in which every local user should be able to:




  • Create new files or folders

  • But only a file's owner should be able to modify it or delete it


Since we need the Create Files/ Write Data, Create Folders/ Append Data and Write Attributes permissions in order to create files, how do I prevent users from modifying the file of another owner? Further, with Write Attributes allowed, every modification (except deletion) is permitted. But if I disable this permission, I can not create files.



What permissions should I be using?










share|improve this question

























  • “how do we prevent users from modifying the file of another owner?” You have to specifically remove the write permission from the file individually. So move read only files to their own directory

    – Ramhound
    Mar 9 '18 at 19:20














2












2








2


1






I want to set permissions on a folder in which every local user should be able to:




  • Create new files or folders

  • But only a file's owner should be able to modify it or delete it


Since we need the Create Files/ Write Data, Create Folders/ Append Data and Write Attributes permissions in order to create files, how do I prevent users from modifying the file of another owner? Further, with Write Attributes allowed, every modification (except deletion) is permitted. But if I disable this permission, I can not create files.



What permissions should I be using?










share|improve this question
















I want to set permissions on a folder in which every local user should be able to:




  • Create new files or folders

  • But only a file's owner should be able to modify it or delete it


Since we need the Create Files/ Write Data, Create Folders/ Append Data and Write Attributes permissions in order to create files, how do I prevent users from modifying the file of another owner? Further, with Write Attributes allowed, every modification (except deletion) is permitted. But if I disable this permission, I can not create files.



What permissions should I be using?







windows permissions windows-server ownership






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 17 '18 at 17:59









Twisty Impersonator

18.4k146699




18.4k146699










asked Mar 9 '18 at 19:16









b10zb10z

132




132













  • “how do we prevent users from modifying the file of another owner?” You have to specifically remove the write permission from the file individually. So move read only files to their own directory

    – Ramhound
    Mar 9 '18 at 19:20



















  • “how do we prevent users from modifying the file of another owner?” You have to specifically remove the write permission from the file individually. So move read only files to their own directory

    – Ramhound
    Mar 9 '18 at 19:20

















“how do we prevent users from modifying the file of another owner?” You have to specifically remove the write permission from the file individually. So move read only files to their own directory

– Ramhound
Mar 9 '18 at 19:20





“how do we prevent users from modifying the file of another owner?” You have to specifically remove the write permission from the file individually. So move read only files to their own directory

– Ramhound
Mar 9 '18 at 19:20










2 Answers
2






active

oldest

votes


















1














The keys you're missing are the CREATOR OWNER identity and the "Apply To" setting.



Apply the following permissions to your shared folder to allow the Everyone identity to create files & folders, but only a file or folder's* owner (CREATOR OWNER identity) to edit/rename/delete it:




+---------------+--------------------------------+----------------------+
| Identity | Permissions | Apply To |
+---------------+--------------------------------+----------------------+
| Everyone | Read & Execute | This folder, |
| | | subfolders and files |
+---------------+--------------------------------+----------------------+
| Everyone | - Create files / write data | This folder and |
| | - Create folders / append data | subfolders |
+---------------+--------------------------------+----------------------+
| CREATOR OWNER | Full control | Files only |
+---------------+--------------------------------+----------------------+
| CREATOR OWNER | Delete | Subfolders |
| | | only |
+---------------+--------------------------------+----------------------+


What we're doing here is granting Everyone enough permissions to Read everything in the folder and create files & folders, but that's it. Then the CREATOR OWNER permissions take over. When an object is created, Windows applies any permissions granted to the CREATOR OWNER identity to the object's creator.



So Full Control on Files only allows the creator of a file to do anything with it he wishes. The Delete on "Subfolders only" is a bit more obscure; this is necessary to allow the creator of a folder to 1) Rename, and 2) Delete it. However, if a folder owner attempts to delete a folder that contains files or folders he does not own, then the delete operation will fail.





*These permissions allow modifying folders owned by a user, which you did not specifically request. However, if you don't allow this, then users can create a folder but not rename it. This is problematic, for example, if a user creates a folder via the Windows context menu. In this case Windows first creates a folder named New Folder then prompts the user to rename it, but once it's first created the user would in fact not be able to rename it.






share|improve this answer

































    0














    I don't have enough reputation to comment, so I must post this as an answer. To add to twisty's answer, I would suggest using "Authenticated Users". Many people use "Everyone" when they really want to use authenticated users. The difference is: Authenticated users only allows valid users who aren't guests or anonymous. Everyone allows anybody access. If you want to grant access to employees with valid accounts, use "Authenticated Users"




    The Everyone group is a superset of the Authenticated Users group. It includes the Authenticated Users group and the Guest account. An important difference between the Everyone and Authenticated Users groups lies in their Guest and Anonymous accounts’ membership.




    Reading material:
    https://www.itprotoday.com/security/authenticated-users-group-vs-everyone-group






    share|improve this answer























      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "3"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1302044%2fpermissions-to-create-files-and-folders-but-only-modify-owned-files%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      1














      The keys you're missing are the CREATOR OWNER identity and the "Apply To" setting.



      Apply the following permissions to your shared folder to allow the Everyone identity to create files & folders, but only a file or folder's* owner (CREATOR OWNER identity) to edit/rename/delete it:




      +---------------+--------------------------------+----------------------+
      | Identity | Permissions | Apply To |
      +---------------+--------------------------------+----------------------+
      | Everyone | Read & Execute | This folder, |
      | | | subfolders and files |
      +---------------+--------------------------------+----------------------+
      | Everyone | - Create files / write data | This folder and |
      | | - Create folders / append data | subfolders |
      +---------------+--------------------------------+----------------------+
      | CREATOR OWNER | Full control | Files only |
      +---------------+--------------------------------+----------------------+
      | CREATOR OWNER | Delete | Subfolders |
      | | | only |
      +---------------+--------------------------------+----------------------+


      What we're doing here is granting Everyone enough permissions to Read everything in the folder and create files & folders, but that's it. Then the CREATOR OWNER permissions take over. When an object is created, Windows applies any permissions granted to the CREATOR OWNER identity to the object's creator.



      So Full Control on Files only allows the creator of a file to do anything with it he wishes. The Delete on "Subfolders only" is a bit more obscure; this is necessary to allow the creator of a folder to 1) Rename, and 2) Delete it. However, if a folder owner attempts to delete a folder that contains files or folders he does not own, then the delete operation will fail.





      *These permissions allow modifying folders owned by a user, which you did not specifically request. However, if you don't allow this, then users can create a folder but not rename it. This is problematic, for example, if a user creates a folder via the Windows context menu. In this case Windows first creates a folder named New Folder then prompts the user to rename it, but once it's first created the user would in fact not be able to rename it.






      share|improve this answer






























        1














        The keys you're missing are the CREATOR OWNER identity and the "Apply To" setting.



        Apply the following permissions to your shared folder to allow the Everyone identity to create files & folders, but only a file or folder's* owner (CREATOR OWNER identity) to edit/rename/delete it:




        +---------------+--------------------------------+----------------------+
        | Identity | Permissions | Apply To |
        +---------------+--------------------------------+----------------------+
        | Everyone | Read & Execute | This folder, |
        | | | subfolders and files |
        +---------------+--------------------------------+----------------------+
        | Everyone | - Create files / write data | This folder and |
        | | - Create folders / append data | subfolders |
        +---------------+--------------------------------+----------------------+
        | CREATOR OWNER | Full control | Files only |
        +---------------+--------------------------------+----------------------+
        | CREATOR OWNER | Delete | Subfolders |
        | | | only |
        +---------------+--------------------------------+----------------------+


        What we're doing here is granting Everyone enough permissions to Read everything in the folder and create files & folders, but that's it. Then the CREATOR OWNER permissions take over. When an object is created, Windows applies any permissions granted to the CREATOR OWNER identity to the object's creator.



        So Full Control on Files only allows the creator of a file to do anything with it he wishes. The Delete on "Subfolders only" is a bit more obscure; this is necessary to allow the creator of a folder to 1) Rename, and 2) Delete it. However, if a folder owner attempts to delete a folder that contains files or folders he does not own, then the delete operation will fail.





        *These permissions allow modifying folders owned by a user, which you did not specifically request. However, if you don't allow this, then users can create a folder but not rename it. This is problematic, for example, if a user creates a folder via the Windows context menu. In this case Windows first creates a folder named New Folder then prompts the user to rename it, but once it's first created the user would in fact not be able to rename it.






        share|improve this answer




























          1












          1








          1







          The keys you're missing are the CREATOR OWNER identity and the "Apply To" setting.



          Apply the following permissions to your shared folder to allow the Everyone identity to create files & folders, but only a file or folder's* owner (CREATOR OWNER identity) to edit/rename/delete it:




          +---------------+--------------------------------+----------------------+
          | Identity | Permissions | Apply To |
          +---------------+--------------------------------+----------------------+
          | Everyone | Read & Execute | This folder, |
          | | | subfolders and files |
          +---------------+--------------------------------+----------------------+
          | Everyone | - Create files / write data | This folder and |
          | | - Create folders / append data | subfolders |
          +---------------+--------------------------------+----------------------+
          | CREATOR OWNER | Full control | Files only |
          +---------------+--------------------------------+----------------------+
          | CREATOR OWNER | Delete | Subfolders |
          | | | only |
          +---------------+--------------------------------+----------------------+


          What we're doing here is granting Everyone enough permissions to Read everything in the folder and create files & folders, but that's it. Then the CREATOR OWNER permissions take over. When an object is created, Windows applies any permissions granted to the CREATOR OWNER identity to the object's creator.



          So Full Control on Files only allows the creator of a file to do anything with it he wishes. The Delete on "Subfolders only" is a bit more obscure; this is necessary to allow the creator of a folder to 1) Rename, and 2) Delete it. However, if a folder owner attempts to delete a folder that contains files or folders he does not own, then the delete operation will fail.





          *These permissions allow modifying folders owned by a user, which you did not specifically request. However, if you don't allow this, then users can create a folder but not rename it. This is problematic, for example, if a user creates a folder via the Windows context menu. In this case Windows first creates a folder named New Folder then prompts the user to rename it, but once it's first created the user would in fact not be able to rename it.






          share|improve this answer















          The keys you're missing are the CREATOR OWNER identity and the "Apply To" setting.



          Apply the following permissions to your shared folder to allow the Everyone identity to create files & folders, but only a file or folder's* owner (CREATOR OWNER identity) to edit/rename/delete it:




          +---------------+--------------------------------+----------------------+
          | Identity | Permissions | Apply To |
          +---------------+--------------------------------+----------------------+
          | Everyone | Read & Execute | This folder, |
          | | | subfolders and files |
          +---------------+--------------------------------+----------------------+
          | Everyone | - Create files / write data | This folder and |
          | | - Create folders / append data | subfolders |
          +---------------+--------------------------------+----------------------+
          | CREATOR OWNER | Full control | Files only |
          +---------------+--------------------------------+----------------------+
          | CREATOR OWNER | Delete | Subfolders |
          | | | only |
          +---------------+--------------------------------+----------------------+


          What we're doing here is granting Everyone enough permissions to Read everything in the folder and create files & folders, but that's it. Then the CREATOR OWNER permissions take over. When an object is created, Windows applies any permissions granted to the CREATOR OWNER identity to the object's creator.



          So Full Control on Files only allows the creator of a file to do anything with it he wishes. The Delete on "Subfolders only" is a bit more obscure; this is necessary to allow the creator of a folder to 1) Rename, and 2) Delete it. However, if a folder owner attempts to delete a folder that contains files or folders he does not own, then the delete operation will fail.





          *These permissions allow modifying folders owned by a user, which you did not specifically request. However, if you don't allow this, then users can create a folder but not rename it. This is problematic, for example, if a user creates a folder via the Windows context menu. In this case Windows first creates a folder named New Folder then prompts the user to rename it, but once it's first created the user would in fact not be able to rename it.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Mar 18 '18 at 18:48

























          answered Mar 17 '18 at 18:16









          Twisty ImpersonatorTwisty Impersonator

          18.4k146699




          18.4k146699

























              0














              I don't have enough reputation to comment, so I must post this as an answer. To add to twisty's answer, I would suggest using "Authenticated Users". Many people use "Everyone" when they really want to use authenticated users. The difference is: Authenticated users only allows valid users who aren't guests or anonymous. Everyone allows anybody access. If you want to grant access to employees with valid accounts, use "Authenticated Users"




              The Everyone group is a superset of the Authenticated Users group. It includes the Authenticated Users group and the Guest account. An important difference between the Everyone and Authenticated Users groups lies in their Guest and Anonymous accounts’ membership.




              Reading material:
              https://www.itprotoday.com/security/authenticated-users-group-vs-everyone-group






              share|improve this answer




























                0














                I don't have enough reputation to comment, so I must post this as an answer. To add to twisty's answer, I would suggest using "Authenticated Users". Many people use "Everyone" when they really want to use authenticated users. The difference is: Authenticated users only allows valid users who aren't guests or anonymous. Everyone allows anybody access. If you want to grant access to employees with valid accounts, use "Authenticated Users"




                The Everyone group is a superset of the Authenticated Users group. It includes the Authenticated Users group and the Guest account. An important difference between the Everyone and Authenticated Users groups lies in their Guest and Anonymous accounts’ membership.




                Reading material:
                https://www.itprotoday.com/security/authenticated-users-group-vs-everyone-group






                share|improve this answer


























                  0












                  0








                  0







                  I don't have enough reputation to comment, so I must post this as an answer. To add to twisty's answer, I would suggest using "Authenticated Users". Many people use "Everyone" when they really want to use authenticated users. The difference is: Authenticated users only allows valid users who aren't guests or anonymous. Everyone allows anybody access. If you want to grant access to employees with valid accounts, use "Authenticated Users"




                  The Everyone group is a superset of the Authenticated Users group. It includes the Authenticated Users group and the Guest account. An important difference between the Everyone and Authenticated Users groups lies in their Guest and Anonymous accounts’ membership.




                  Reading material:
                  https://www.itprotoday.com/security/authenticated-users-group-vs-everyone-group






                  share|improve this answer













                  I don't have enough reputation to comment, so I must post this as an answer. To add to twisty's answer, I would suggest using "Authenticated Users". Many people use "Everyone" when they really want to use authenticated users. The difference is: Authenticated users only allows valid users who aren't guests or anonymous. Everyone allows anybody access. If you want to grant access to employees with valid accounts, use "Authenticated Users"




                  The Everyone group is a superset of the Authenticated Users group. It includes the Authenticated Users group and the Guest account. An important difference between the Everyone and Authenticated Users groups lies in their Guest and Anonymous accounts’ membership.




                  Reading material:
                  https://www.itprotoday.com/security/authenticated-users-group-vs-everyone-group







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Jan 31 at 17:59









                  The IT GuyThe IT Guy

                  1




                  1






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Super User!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1302044%2fpermissions-to-create-files-and-folders-but-only-modify-owned-files%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      Probability when a professor distributes a quiz and homework assignment to a class of n students.

                      Aardman Animations

                      Are they similar matrix