Protecting a Folder from Being Moved by Users in a Shared Folder on Windows Server 2019

Question:

How can I prevent users from moving a specific folder within a shared folder on Windows Server 2019, while allowing them to access and modify its contents and other files and folders in the share? I have disabled inheritance and applied the following permissions:

This folder only

  • List folder / read data
  • Read attributes
  • Read extended attributes
  • Read permissions

Subfolders and files only

  • Traverse folder / execute file
  • List folder / read data
  • Read attributes
  • Read extended attributes
  • Read permissions

Administrators have Full Control. Is there a better way to configure the permissions?

Answer:

How to prevent users from moving a specific folder within a shared folder on Windows Server 2019

If you have a shared folder on Windows Server 2019 that contains a folder that you want to protect from being moved by users, you might be wondering how to configure the permissions for that folder. You want to allow users to access and modify the contents of the folder, as well as other files and folders in the share, but not to move the folder itself. This can prevent accidental or malicious relocation of the folder, which can cause confusion or data loss.

One way to achieve this is to disable inheritance and apply custom permissions for the folder. This will allow you to specify different permissions for the folder and its subfolders and files. However, you need to be careful about which permissions you grant or deny, as some of them can affect the ability to move the folder.

According to the [Microsoft documentation](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/file-system), the permissions that are required to move a folder are:

  • Delete: This allows the user to delete the folder from its original location.
  • Delete subfolders and files: This allows the user to delete the contents of the folder.
  • Write attributes: This allows the user to change the attributes of the folder, such as read-only or hidden.
  • Write extended attributes: This allows the user to change the extended attributes of the folder, such as encryption or compression.
Therefore, if you want to prevent users from moving the folder, you need to deny these permissions for the folder itself. However, you also need to grant these permissions for the subfolders and files, so that users can still modify them.

Permissions to allow accessing and modifying the contents of the folder

Besides the permissions mentioned above, there are other permissions that are needed to access and modify the contents of the folder. These are:

  • Traverse folder / execute file: This allows the user to navigate through the folder and run executable files.
  • List folder / read data: This allows the user to see the names and contents of the folder and its subfolders and files.
  • Read attributes: This allows the user to see the attributes of the folder and its subfolders and files.
  • Read extended attributes: This allows the user to see the extended attributes of the folder and its subfolders and files.
  • Read permissions: This allows the user to see the permissions of the folder and its subfolders and files.
  • Create files / write data: This allows the user to create new files and write data to existing files.
  • Create folders / append data: This allows the user to create new subfolders and append data to existing files.
  • Write attributes: This allows the user to change the attributes of the subfolders and files.
  • Write extended attributes: This allows the user to change the extended attributes of the subfolders and files.
  • Delete subfolders and files: This allows the user to delete the subfolders and files.
  • Delete: This allows the user to delete the subfolders and files.
Therefore, if you want to allow users to access and modify the contents of the folder, you need to grant these permissions for the subfolders and files. However, you also need to deny the delete permission for the folder itself, so that users cannot delete the folder.

Example configuration

Based on the above analysis, here is an example configuration of the permissions for the folder that you want to protect from being moved:

This folder only

  • Deny Delete
  • Deny Delete subfolders and files
  • Deny Write attributes
  • Deny Write extended attributes
  • Allow List folder / read data
  • Allow Read attributes
  • Allow Read extended attributes
  • Allow Read permissions

Subfolders and files only

  • Allow Traverse folder / execute file
  • Allow List folder / read data
  • Allow Read attributes
  • Allow Read extended attributes
  • Allow Read permissions
  • Allow Create files / write data
  • Allow Create folders / append data
  • Allow Write attributes
  • Allow Write extended attributes
  • Allow Delete subfolders and files
  • Allow Delete

Administrators should have Full Control for the folder and its subfolders and files, so that they can manage the folder and override the permissions if needed.

How to apply the permissions

To apply the permissions for the folder, you need to follow these steps:

1. Right-click on the folder and select Properties.
2. Go to the Security tab and click on Advanced.
3. Uncheck the box that says “Inherit permissions from parent”.
4. Click on “Remove” to remove all the inherited permissions.
5. Click on “Add” to add a new permission entry.
6. Select the principal (user or group) that you want to apply the permissions to.
7. Select the type (Allow or Deny) and the applies to (“This folder only” or “Subfolders and files only”) options.
8. Check or uncheck the permissions that you want to grant or deny.
9. Click on “OK” to save the permission entry.
10. Repeat steps 5 to 9 for each principal and applies to option that you want to configure.
11. Click on “Apply” and “OK” to close the Advanced Security Settings window.

Conclusion

By following the above steps, you can prevent users from moving a specific folder within a shared folder on Windows Server 2019, while allowing them to access and modify its contents and other files and folders in the share. This can help you protect the folder from accidental or malicious relocation, which can cause confusion or data loss. However, you should also educate your users about the importance of the folder and its location, and monitor the activity on the share to ensure that the folder is not tampered with.
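
The example configuration and the dialog steps above, applied with PowerShell instead of the Advanced Security Settings window. This is an added example, not part of the original answer; the folder path and the group name are hypothetical placeholders, and the rights are the .NET `FileSystemRights` names for the permissions listed in the answer.

```powershell
using namespace System.Security.AccessControl

# Hypothetical placeholders: replace with the real folder and user group.
$Path      = 'D:\Shares\Team\Protected'
$Principal = 'CONTOSO\ShareUsers'

# "This folder only"          = InheritanceFlags None, PropagationFlags None.
# "Subfolders and files only" = inherit to child folders and files, plus
#                               InheritOnly so the folder itself is skipped.
$toChildren = [InheritanceFlags]'ContainerInherit, ObjectInherit'

# Permission names from the example configuration, as FileSystemRights values.
$denyOnFolder    = [FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, WriteAttributes, WriteExtendedAttributes'
$allowOnFolder   = [FileSystemRights]'ReadData, ReadAttributes, ReadExtendedAttributes, ReadPermissions'
$allowOnChildren = [FileSystemRights]('ExecuteFile, ReadData, ReadAttributes, ReadExtendedAttributes, ' +
    'ReadPermissions, WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, ' +
    'DeleteSubdirectoriesAndFiles, Delete')

$rules = @(
    # Administrators: Full Control on the folder, subfolders and files.
    [FileSystemAccessRule]::new('BUILTIN\Administrators', [FileSystemRights]::FullControl,
        $toChildren, [PropagationFlags]::None, [AccessControlType]::Allow)
    # Users, this folder only: Deny entries, then the read-only Allow entries.
    [FileSystemAccessRule]::new($Principal, $denyOnFolder,
        [InheritanceFlags]::None, [PropagationFlags]::None, [AccessControlType]::Deny)
    [FileSystemAccessRule]::new($Principal, $allowOnFolder,
        [InheritanceFlags]::None, [PropagationFlags]::None, [AccessControlType]::Allow)
    # Users, subfolders and files only: the Allow entries for the contents.
    [FileSystemAccessRule]::new($Principal, $allowOnChildren,
        $toChildren, [PropagationFlags]::InheritOnly, [AccessControlType]::Allow)
)

$acl = Get-Acl -LiteralPath $Path
# Steps 3 and 4: disable inheritance ($true) and drop inherited entries ($false).
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -LiteralPath $Path -AclObject $acl

# Read the ACL back and review every entry, including any explicit entries
# that existed on the folder before and were left in place.
(Get-Acl -LiteralPath $Path).Access |
    Sort-Object IdentityReference, AccessControlType |
    Format-Table IdentityReference, AccessControlType, FileSystemRights,
                 InheritanceFlags, PropagationFlags, IsInherited -AutoSize
```

Run it from an elevated session. Explicit Deny entries take precedence over Allow entries, so an administrator account that is also a member of the user group is subject to the Deny entries on the folder itself.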
