Permissions to create files and folders but only modify owned files
I want to set permissions on a folder in which every local user should be able to:
- Create new files or folders
- But only a file's owner should be able to modify it or delete it
Since we need the Create Files/ Write Data
, Create Folders/ Append Data
and Write Attributes
permissions in order to create files, how do I prevent users from modifying the file of another owner? Further, with Write Attributes
allowed, every modification (except deletion) is permitted. But if I disable this permission, I can not create files.
What permissions should I be using?
windows permissions windows-server ownership
add a comment |
I want to set permissions on a folder in which every local user should be able to:
- Create new files or folders
- But only a file's owner should be able to modify it or delete it
Since we need the Create Files/ Write Data
, Create Folders/ Append Data
and Write Attributes
permissions in order to create files, how do I prevent users from modifying the file of another owner? Further, with Write Attributes
allowed, every modification (except deletion) is permitted. But if I disable this permission, I can not create files.
What permissions should I be using?
windows permissions windows-server ownership
“how do we prevent users from modifying the file of another owner?” You have to specifically remove the write permission from the file individually. So move read only files to their own directory
– Ramhound
Mar 9 '18 at 19:20
add a comment |
I want to set permissions on a folder in which every local user should be able to:
- Create new files or folders
- But only a file's owner should be able to modify it or delete it
Since we need the Create Files/ Write Data
, Create Folders/ Append Data
and Write Attributes
permissions in order to create files, how do I prevent users from modifying the file of another owner? Further, with Write Attributes
allowed, every modification (except deletion) is permitted. But if I disable this permission, I can not create files.
What permissions should I be using?
windows permissions windows-server ownership
I want to set permissions on a folder in which every local user should be able to:
- Create new files or folders
- But only a file's owner should be able to modify it or delete it
Since we need the Create Files/ Write Data
, Create Folders/ Append Data
and Write Attributes
permissions in order to create files, how do I prevent users from modifying the file of another owner? Further, with Write Attributes
allowed, every modification (except deletion) is permitted. But if I disable this permission, I can not create files.
What permissions should I be using?
windows permissions windows-server ownership
windows permissions windows-server ownership
edited Mar 17 '18 at 17:59
Twisty Impersonator
18.4k146699
18.4k146699
asked Mar 9 '18 at 19:16
b10zb10z
132
132
“how do we prevent users from modifying the file of another owner?” You have to specifically remove the write permission from the file individually. So move read only files to their own directory
– Ramhound
Mar 9 '18 at 19:20
add a comment |
“how do we prevent users from modifying the file of another owner?” You have to specifically remove the write permission from the file individually. So move read only files to their own directory
– Ramhound
Mar 9 '18 at 19:20
“how do we prevent users from modifying the file of another owner?” You have to specifically remove the write permission from the file individually. So move read only files to their own directory
– Ramhound
Mar 9 '18 at 19:20
“how do we prevent users from modifying the file of another owner?” You have to specifically remove the write permission from the file individually. So move read only files to their own directory
– Ramhound
Mar 9 '18 at 19:20
add a comment |
2 Answers
2
active
oldest
votes
The keys you're missing are the CREATOR OWNER
identity and the "Apply To" setting.
Apply the following permissions to your shared folder to allow the Everyone
identity to create files & folders, but only a file or folder's* owner (CREATOR OWNER
identity) to edit/rename/delete it:
+---------------+--------------------------------+----------------------+
| Identity | Permissions | Apply To |
+---------------+--------------------------------+----------------------+
| Everyone | Read & Execute | This folder, |
| | | subfolders and files |
+---------------+--------------------------------+----------------------+
| Everyone | - Create files / write data | This folder and |
| | - Create folders / append data | subfolders |
+---------------+--------------------------------+----------------------+
| CREATOR OWNER | Full control | Files only |
+---------------+--------------------------------+----------------------+
| CREATOR OWNER | Delete | Subfolders |
| | | only |
+---------------+--------------------------------+----------------------+
What we're doing here is granting Everyone enough permissions to Read everything in the folder and create files & folders, but that's it. Then the CREATOR OWNER permissions take over. When an object is created, Windows applies any permissions granted to the CREATOR OWNER identity to the object's creator.
So Full Control on Files only allows the creator of a file to do anything with it he wishes. The Delete on "Subfolders only" is a bit more obscure; this is necessary to allow the creator of a folder to 1) Rename, and 2) Delete it. However, if a folder owner attempts to delete a folder that contains files or folders he does not own, then the delete operation will fail.
*These permissions allow modifying folders owned by a user, which you did not specifically request. However, if you don't allow this, then users can create a folder but not rename it. This is problematic, for example, if a user creates a folder via the Windows context menu. In this case Windows first creates a folder named New Folder then prompts the user to rename it, but once it's first created the user would in fact not be able to rename it.
add a comment |
I don't have enough reputation to comment, so I must post this as an answer. To add to twisty's answer, I would suggest using "Authenticated Users". Many people use "Everyone" when they really want to use authenticated users. The difference is: Authenticated users only allows valid users who aren't guests or anonymous. Everyone allows anybody access. If you want to grant access to employees with valid accounts, use "Authenticated Users"
The Everyone group is a superset of the Authenticated Users group. It includes the Authenticated Users group and the Guest account. An important difference between the Everyone and Authenticated Users groups lies in their Guest and Anonymous accounts’ membership.
Reading material:
https://www.itprotoday.com/security/authenticated-users-group-vs-everyone-group
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1302044%2fpermissions-to-create-files-and-folders-but-only-modify-owned-files%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
The keys you're missing are the CREATOR OWNER
identity and the "Apply To" setting.
Apply the following permissions to your shared folder to allow the Everyone
identity to create files & folders, but only a file or folder's* owner (CREATOR OWNER
identity) to edit/rename/delete it:
+---------------+--------------------------------+----------------------+
| Identity | Permissions | Apply To |
+---------------+--------------------------------+----------------------+
| Everyone | Read & Execute | This folder, |
| | | subfolders and files |
+---------------+--------------------------------+----------------------+
| Everyone | - Create files / write data | This folder and |
| | - Create folders / append data | subfolders |
+---------------+--------------------------------+----------------------+
| CREATOR OWNER | Full control | Files only |
+---------------+--------------------------------+----------------------+
| CREATOR OWNER | Delete | Subfolders |
| | | only |
+---------------+--------------------------------+----------------------+
What we're doing here is granting Everyone enough permissions to Read everything in the folder and create files & folders, but that's it. Then the CREATOR OWNER permissions take over. When an object is created, Windows applies any permissions granted to the CREATOR OWNER identity to the object's creator.
So Full Control on Files only allows the creator of a file to do anything with it he wishes. The Delete on "Subfolders only" is a bit more obscure; this is necessary to allow the creator of a folder to 1) Rename, and 2) Delete it. However, if a folder owner attempts to delete a folder that contains files or folders he does not own, then the delete operation will fail.
*These permissions allow modifying folders owned by a user, which you did not specifically request. However, if you don't allow this, then users can create a folder but not rename it. This is problematic, for example, if a user creates a folder via the Windows context menu. In this case Windows first creates a folder named New Folder then prompts the user to rename it, but once it's first created the user would in fact not be able to rename it.
add a comment |
The keys you're missing are the CREATOR OWNER
identity and the "Apply To" setting.
Apply the following permissions to your shared folder to allow the Everyone
identity to create files & folders, but only a file or folder's* owner (CREATOR OWNER
identity) to edit/rename/delete it:
+---------------+--------------------------------+----------------------+
| Identity | Permissions | Apply To |
+---------------+--------------------------------+----------------------+
| Everyone | Read & Execute | This folder, |
| | | subfolders and files |
+---------------+--------------------------------+----------------------+
| Everyone | - Create files / write data | This folder and |
| | - Create folders / append data | subfolders |
+---------------+--------------------------------+----------------------+
| CREATOR OWNER | Full control | Files only |
+---------------+--------------------------------+----------------------+
| CREATOR OWNER | Delete | Subfolders |
| | | only |
+---------------+--------------------------------+----------------------+
What we're doing here is granting Everyone enough permissions to Read everything in the folder and create files & folders, but that's it. Then the CREATOR OWNER permissions take over. When an object is created, Windows applies any permissions granted to the CREATOR OWNER identity to the object's creator.
So Full Control on Files only allows the creator of a file to do anything with it he wishes. The Delete on "Subfolders only" is a bit more obscure; this is necessary to allow the creator of a folder to 1) Rename, and 2) Delete it. However, if a folder owner attempts to delete a folder that contains files or folders he does not own, then the delete operation will fail.
*These permissions allow modifying folders owned by a user, which you did not specifically request. However, if you don't allow this, then users can create a folder but not rename it. This is problematic, for example, if a user creates a folder via the Windows context menu. In this case Windows first creates a folder named New Folder then prompts the user to rename it, but once it's first created the user would in fact not be able to rename it.
add a comment |
The keys you're missing are the CREATOR OWNER
identity and the "Apply To" setting.
Apply the following permissions to your shared folder to allow the Everyone
identity to create files & folders, but only a file or folder's* owner (CREATOR OWNER
identity) to edit/rename/delete it:
+---------------+--------------------------------+----------------------+
| Identity | Permissions | Apply To |
+---------------+--------------------------------+----------------------+
| Everyone | Read & Execute | This folder, |
| | | subfolders and files |
+---------------+--------------------------------+----------------------+
| Everyone | - Create files / write data | This folder and |
| | - Create folders / append data | subfolders |
+---------------+--------------------------------+----------------------+
| CREATOR OWNER | Full control | Files only |
+---------------+--------------------------------+----------------------+
| CREATOR OWNER | Delete | Subfolders |
| | | only |
+---------------+--------------------------------+----------------------+
What we're doing here is granting Everyone enough permissions to Read everything in the folder and create files & folders, but that's it. Then the CREATOR OWNER permissions take over. When an object is created, Windows applies any permissions granted to the CREATOR OWNER identity to the object's creator.
So Full Control on Files only allows the creator of a file to do anything with it he wishes. The Delete on "Subfolders only" is a bit more obscure; this is necessary to allow the creator of a folder to 1) Rename, and 2) Delete it. However, if a folder owner attempts to delete a folder that contains files or folders he does not own, then the delete operation will fail.
*These permissions allow modifying folders owned by a user, which you did not specifically request. However, if you don't allow this, then users can create a folder but not rename it. This is problematic, for example, if a user creates a folder via the Windows context menu. In this case Windows first creates a folder named New Folder then prompts the user to rename it, but once it's first created the user would in fact not be able to rename it.
The keys you're missing are the CREATOR OWNER
identity and the "Apply To" setting.
Apply the following permissions to your shared folder to allow the Everyone
identity to create files & folders, but only a file or folder's* owner (CREATOR OWNER
identity) to edit/rename/delete it:
+---------------+--------------------------------+----------------------+
| Identity | Permissions | Apply To |
+---------------+--------------------------------+----------------------+
| Everyone | Read & Execute | This folder, |
| | | subfolders and files |
+---------------+--------------------------------+----------------------+
| Everyone | - Create files / write data | This folder and |
| | - Create folders / append data | subfolders |
+---------------+--------------------------------+----------------------+
| CREATOR OWNER | Full control | Files only |
+---------------+--------------------------------+----------------------+
| CREATOR OWNER | Delete | Subfolders |
| | | only |
+---------------+--------------------------------+----------------------+
What we're doing here is granting Everyone enough permissions to Read everything in the folder and create files & folders, but that's it. Then the CREATOR OWNER permissions take over. When an object is created, Windows applies any permissions granted to the CREATOR OWNER identity to the object's creator.
So Full Control on Files only allows the creator of a file to do anything with it he wishes. The Delete on "Subfolders only" is a bit more obscure; this is necessary to allow the creator of a folder to 1) Rename, and 2) Delete it. However, if a folder owner attempts to delete a folder that contains files or folders he does not own, then the delete operation will fail.
*These permissions allow modifying folders owned by a user, which you did not specifically request. However, if you don't allow this, then users can create a folder but not rename it. This is problematic, for example, if a user creates a folder via the Windows context menu. In this case Windows first creates a folder named New Folder then prompts the user to rename it, but once it's first created the user would in fact not be able to rename it.
edited Mar 18 '18 at 18:48
answered Mar 17 '18 at 18:16
Twisty ImpersonatorTwisty Impersonator
18.4k146699
18.4k146699
add a comment |
add a comment |
I don't have enough reputation to comment, so I must post this as an answer. To add to twisty's answer, I would suggest using "Authenticated Users". Many people use "Everyone" when they really want to use authenticated users. The difference is: Authenticated users only allows valid users who aren't guests or anonymous. Everyone allows anybody access. If you want to grant access to employees with valid accounts, use "Authenticated Users"
The Everyone group is a superset of the Authenticated Users group. It includes the Authenticated Users group and the Guest account. An important difference between the Everyone and Authenticated Users groups lies in their Guest and Anonymous accounts’ membership.
Reading material:
https://www.itprotoday.com/security/authenticated-users-group-vs-everyone-group
add a comment |
I don't have enough reputation to comment, so I must post this as an answer. To add to twisty's answer, I would suggest using "Authenticated Users". Many people use "Everyone" when they really want to use authenticated users. The difference is: Authenticated users only allows valid users who aren't guests or anonymous. Everyone allows anybody access. If you want to grant access to employees with valid accounts, use "Authenticated Users"
The Everyone group is a superset of the Authenticated Users group. It includes the Authenticated Users group and the Guest account. An important difference between the Everyone and Authenticated Users groups lies in their Guest and Anonymous accounts’ membership.
Reading material:
https://www.itprotoday.com/security/authenticated-users-group-vs-everyone-group
add a comment |
I don't have enough reputation to comment, so I must post this as an answer. To add to twisty's answer, I would suggest using "Authenticated Users". Many people use "Everyone" when they really want to use authenticated users. The difference is: Authenticated users only allows valid users who aren't guests or anonymous. Everyone allows anybody access. If you want to grant access to employees with valid accounts, use "Authenticated Users"
The Everyone group is a superset of the Authenticated Users group. It includes the Authenticated Users group and the Guest account. An important difference between the Everyone and Authenticated Users groups lies in their Guest and Anonymous accounts’ membership.
Reading material:
https://www.itprotoday.com/security/authenticated-users-group-vs-everyone-group
I don't have enough reputation to comment, so I must post this as an answer. To add to twisty's answer, I would suggest using "Authenticated Users". Many people use "Everyone" when they really want to use authenticated users. The difference is: Authenticated users only allows valid users who aren't guests or anonymous. Everyone allows anybody access. If you want to grant access to employees with valid accounts, use "Authenticated Users"
The Everyone group is a superset of the Authenticated Users group. It includes the Authenticated Users group and the Guest account. An important difference between the Everyone and Authenticated Users groups lies in their Guest and Anonymous accounts’ membership.
Reading material:
https://www.itprotoday.com/security/authenticated-users-group-vs-everyone-group
answered Jan 31 at 17:59
The IT GuyThe IT Guy
1
1
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1302044%2fpermissions-to-create-files-and-folders-but-only-modify-owned-files%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
“how do we prevent users from modifying the file of another owner?” You have to specifically remove the write permission from the file individually. So move read only files to their own directory
– Ramhound
Mar 9 '18 at 19:20