Marathon Griffin Computers and Service - Computer and Laptop Sales - Computer Repairs and Service - Network & Accounting Specialist

 

Windows 2003 Server - Deny Deletion of Folders

Disclaimer: Due to the complex nature of Windows Server permissions, these instructions are to be used at your own risk.  It is up to you to fully test everything prior to applying these kinds of permission rules in a production system.  Griffin Computers cannot and will not assume any responsibility or liability for undesirable results when following this tutorial.


REASON FOR PUBLISHING THIS
One question I keep getting asked over and over again deals with Windows 2003 server user permissions.  How do you stop regular logged-in users from deleting top level folders in a network share?
If you Google this you will find many threads where folks are asking this simple and basic question.  Unfortunately, most of the published articles on how to accomplish this seem complicated and do not really explain things fully.  Things are complicated, but fully explaining them and including pictures of where to go and what to do will assist you.

My goal here is to provide a simple tutorial that answers the above question: how to block regular users from deleting top level, administrator-created folders within a network share.  Ok, so let's start off by logging into your Windows 2003 server with an administrator account.  If you are running Active Directory you can also log in as a member of Domain Admins.
For this tutorial I am using the following scenario for demonstration purposes:

  • You want a top level network share called "UserSharedFolders".
  • Under this top level network share you want 3 top level folders called AdminForms, CustomerDocs and TrainingDocs.
  • You do not want regular users to be able to accidentally delete, drag and drop or rename these three top level folders.  You create these as static top level folders for your users as the system administrator.
  • You do want your regular users to be able to create new folders, delete folders, rename folders, create and modify files and delete any files inside of these top level folders.

So let's get going . . .

First you need to create a regular user account called "RegUser", making sure this is only a regular "non-admin" user account.  Create your RegUser account now.  For the purposes of this tutorial, assign a password of "12345678", set the account to never expire, and set it so the user cannot change the password.

Ok, now let's create a folder on your server's drive.  See picture below where I just created a folder called "UserSharedFolders".
CreateFolder

Next let's share it out in the normal fashion.  Right click on UserSharedFolders and select Properties.  Now click the Sharing tab and you will be looking at the picture below.
Share0
On the above Properties window click on Share this folder.

So below is what the Properties window looks like after clicking on Share this folder.
Share1
Now click Apply and then click OK.

After this has been done when you look at your folder in Windows Explorer the icon on the folder will have been changed showing a hand under the folder to denote this as a network shared folder.  See picture below.
Share3

Ok, now right click on UserSharedFolders, select the Properties option and then click on the Security tab.  You should be looking at a picture as shown below.
Share4

Now on the above Properties screen we are going to make some changes.  Click the Add button and, if you are running Active Directory, first add the Domain Admins account here and check off Full Control.  This ensures that if you are logged in as Domain Admins under AD you have full control of this network share resource.
In my example case here I am not running AD, so I will not be adding the Domain Admins account as it does not exist on my Windows 2003 server.
However, I will be adding in the RegUser account I previously created here.  So click on the Add button and add in your RegUser account.

Below you can see this same screen after I have added in the RegUser account.
Share5
Do not change any permissions here for the RegUser account as the default permissions are just fine.
Please note that in my example I am using one regular user account, but what you add in on the Properties window above could be a regular user group containing several regular user accounts.
Now click Apply and then click OK.

Now on this same Properties window click the Sharing tab and click the Permissions button.
Share11

The following screen will pop up.
Share12
On the Share Permissions screen above, select the Everyone group and click the Remove button to delete it.  Then click on the Add button and add in your RegUser account.  Once your RegUser account has been added, on the same screen click Allow for Change and Read so they are both checked off.
The Permissions screen should now look like the screen as shown below.
Share21
Click OK and OK again.
Now at this point the only account that has access into this share point on the LAN is the RegUser account.  If more than one account or group needs LAN access into this share, you would go ahead and add any additional users or groups here and allow them Change or Read permissions or both.
Fine tuning permission options can be set here.  Let's say you had one group that needs access to do things such as create new files and folders; you would Allow what you see above.  If you had a secondary group that you only wanted to have Read access, "that is, they cannot change anything", only provide this group Read permissions.
You could also add a few other administration accounts to this share point if you wanted to, such as Administrators, System, and Domain Admins if running Active Directory, and Allow these accounts Full Control.

Next right click the UserSharedFolders again and select the Security tab as shown below.
Share6
On the Properties window above click on the Advanced button and the following screen will pop up.
Share7
We are not going to make any security setting changes here.  I only brought you here so you can see that your RegUser account has been added into the Permissions on this network share and has only Read & Execute permissions.
Just click OK to close this window and click OK again to close the main Properties window.

Now we are going to double click on the UserSharedFolders folder and move into it.  Here we are now going to create our three top level folders: AdminForms, CustomerDocs and TrainingDocs.

So once these are created you should be looking at the following three top level folders inside of your UserSharedFolders network share.
Share8

Ok, now we are going to test things out to see what the final result of our work has done.

We can use the NET USE command temporarily for this purpose.  Below is my NET USE command to map to our newly created UserSharedFolders network share.  You can create this using Notepad and save it to a .bat or .cmd file so you can run the NET USE over and over again for testing purposes.  In the example below I am mapping a U: drive to the new network share.
NET USE U: /DELETE
NET USE U: \\DELLWEBS-001\UserSharedFolders 12345678 /User:reguser 

Notice above how I am using the UNC path \\MyServerName\ShareName to target the new network share.  The next parameter is the RegUser's password of 12345678 and finally /User:reguser.  This manually does the drive mapping for me on a workstation, "not the server", to provide a test environment that simulates a login by the RegUser account.

After running the NET USE commands in a .cmd file or .bat file if I now look in Windows Explorer I will see the share as shown below with my top level folders being displayed.
Share13

Ok, now try to delete any one of the above top level folders inside of your new network share. . .

 Here is what you get . . .
Share14

Try to rename one of the folders or drag and drop one of the top level folders into one of the other folders and you get the same Folder Access Denied message.

If I am logged in as RegUser and move inside the AdminForms folder, I can create a new folder called Pete; see picture below.
Share16

I can now also create a file inside the top level folder AdminForms or create a file inside a sub folder of the folder "Pete".

At this level the user RegUser can delete folders, create files, delete files, rename both folders and files, etc.  This will hold true for the two other top level folders.

This can be fine tuned even more by right clicking on sub-folders and individually setting special permissions to Deny things at any folder level you wish.  Please know that the Deny permission always overrules any Allow permissions.  So the most restrictive security policy always applies.

A Bit More Advanced Permissions
So let's take this basic tutorial just a bit further so you can see how more advanced permissions can work for you.  Currently you will find that the logged in RegUser can create top level folders within the UserSharedFolders network share, but you do not want them to be able to do this here; you only want them allowed to create folders and files within the top level folders of AdminForms, CustomerDocs and TrainingDocs.
So here is what you do to block this . . .
Logged in as administrator on the server, navigate to your UserSharedFolders network share and right click on it.  This brings up the Properties window shown again below.
Share17

Click on the Security tab and then the Advanced button.  This brings up the following screen.
Share18
Above I have navigated down to highlight my RegUser account.  Then click the Edit button and the following screen will appear.

Notice above I have selected in the Apply onto: drop-down box to apply changes to this folder only.  Notice I have checked off Deny for Create Folders / Append Data, Deny for Create Files / Write Data, Deny for Change Permissions and Deny for Take Ownership.  You really do not need to Deny the Delete option, but I did so anyway.
Share19
After checking off what to Deny, click OK and this window will disappear.  You will again be looking at the Advanced Security Settings window and you should see the following.
Share20

Notice there is now a Deny permission setting for the RegUser account that will stop the logged in RegUser from creating things within the UserSharedFolders network share or doing the other things that you set to Deny.  Click Apply and OK to close this window.

So that pretty much does it, folks, for a Windows 2003 server.  To summarize, you now have a network share called UserSharedFolders and inside this network share three top level folders.  If a regular user logs in, he/she cannot do anything at the top level folder location, but can navigate downward inside any one of the three top level folders and do whatever he/she wishes.  You could go to any lower sub-folder locations and adjust permissions by user or group to fine tune things.

This tutorial is a very simplistic example of how permissions work.  In a full network production environment I may have far more permissions that I set at various levels within a network share folder hierarchy; I am just providing you the very basics here.  Also, in an Active Directory environment the same things basically apply, but you are probably dealing with AD user groups instead of the one regular user account that I used in this tutorial for demonstration purposes.  Under AD you are probably going to write a script to be launched from the Netlogon folder on the domain controller to apply any required mappings for Active Directory users and groups.

One of the things that I find confuses new network administrators is what permissions to set at the Security tab location versus what permissions to set at the Share permission level.  You have to think of these two as working together to provide permission granularity.  The Security tab holds the actual NTFS hard drive folder and file permissions and what users or groups can do at this level.  The Share permission levels control which users or groups in the LAN have access into the network share.  So you do need to consider permissions at both of these locations and adjust them to obtain your desired end result.  In the example case explained above, after I got all the Security tab permissions in order, I then went to the Share permission screen and deleted the Everyone group, as I do not want everyone having access to the share.  I added my RegUser account here so only my RegUser has access from the LAN into this share point.
It is very important that new network administrators set up something like what is shown above in a non-production environment and play with the various permission settings at both the NTFS level and the Share level until they understand what does what.
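
The following Python sketch is an added example, not part of the original tutorial: it models how the Share permissions and the Security tab (NTFS) permissions combine for the UserSharedFolders root, before and after the Deny entry is added.  The right names, the ACL contents and the inherited Users entry (which would explain why RegUser could create top level folders before the Deny) are simplified assumptions, not a dump of a real server's ACL.

```python
# Simplified model (added example): each right is a bit flag named after the
# tutorial's checkboxes. "Read" stands in for Read & Execute.
RIGHTS = ["Read", "CreateFiles", "CreateFolders", "Delete",
          "ChangePermissions", "TakeOwnership"]
BIT = {name: 1 << i for i, name in enumerate(RIGHTS)}

def mask(*names):
    """Combine right names into one bitmask."""
    m = 0
    for n in names:
        m |= BIT[n]
    return m

# Levels offered by the Share Permissions dialog, reduced to the bits above.
SHARE_LEVELS = {
    "Read": mask("Read"),
    "Change": mask("Read", "CreateFiles", "CreateFolders", "Delete"),
    "Full Control": mask(*RIGHTS),
}

def share_access(share_acl, principals):
    """Union of the share levels granted to the account or any of its groups."""
    m = 0
    for who, level in share_acl:
        if who in principals:
            m |= SHARE_LEVELS[level]
    return m

def ntfs_access(ntfs_acl, principals):
    """Allowed bits minus denied bits: Deny overrules Allow, as the tutorial states."""
    allowed = denied = 0
    for kind, who, m in ntfs_acl:
        if who in principals:
            if kind == "deny":
                denied |= m
            else:
                allowed |= m
    return allowed & ~denied

def network_access(share_acl, ntfs_acl, principals):
    """Over the LAN a right must pass BOTH layers, so intersect the two masks."""
    both = share_access(share_acl, principals) & ntfs_access(ntfs_acl, principals)
    return [r for r in RIGHTS if both & BIT[r]]

# Constructed ACLs for the UserSharedFolders root ("this folder only").
SHARE_ACL = [("RegUser", "Change")]   # Everyone removed, RegUser added
NTFS_BEFORE = [("allow", "RegUser", mask("Read")),
               ("allow", "Users", mask("Read", "CreateFolders"))]  # assumed default
NTFS_AFTER = NTFS_BEFORE + [("deny", "RegUser", mask(
    "CreateFolders", "CreateFiles", "ChangePermissions", "TakeOwnership", "Delete"))]
REGUSER = {"RegUser", "Users"}        # the account plus its assumed group membership
```

Calling network_access(SHARE_ACL, NTFS_BEFORE, REGUSER) and then the same with NTFS_AFTER shows the effect of the Deny entry; an account that is not listed on the share gets nothing, whatever its NTFS rights are.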

Pete, 
