Tags:








Add leaves and fruit, but don't cut the branches
October 13, 2008 9:27 AM   RSS feed for this thread Subscribe

On a Windows share with a complex file tree, is there any way to lock down the tree so that folders can be added by all, but the directory structure itself can't be changed?

People keep dragging folders or whole sections of a directory tree on a network file server and leaving them inside another location on the tree; so the HR folder and its subfolders suddenly end up inside the Accounting section. (No one admits to moving them, of course.)

Users need to be able to create their own subfolders, and add documents and move them around throughout the tree; but I'm trying to find a way to allow this while also blocking the ability to move folders from one location in the tree to another, or otherwise make change the directory structure.

I'm not coming up with anything; is there something obvious I've missed?
posted by bartleby to computers & internet (2 comments total)
The way you are phrasing this is really awkward and seems self-contradictory.

It sounds like what you want is for a core directory tree to be immutable except that folks should be able to add subdirectories and possibly move them around, but not be able to move around the core directory tree.

In Windows Explorer, I've found that it's possible for even seasoned users to click-drag from one folder to another without realizing it, especially if the system lags on them at a critical instant, so I think it's not uncommon to see folks not admit to that sort of stuff.

I think the setup you're asking for is pretty manual. You have to go through each parent folder (from the top of where you want to start managing this structure) and then set the right perms on that folder and work your way down the tree you want preserved, locking everyone or almost everyone out of being able to move it.

To get to the permissions (in my Windows XP, SP 2 computer), you right click the folder, choose properties, click the security tab, click the advanced button, add the appropriate users or groups, in that popup, you can specify separate permissions down to a very granular level. My guess is that you'd want to tweak "delete" and "delete files and subfolders", given that moving an object is a combination of creating and deleting.
posted by kalessin at 9:47 AM on October 13, 2008


We have a similar problem. We set up a series of top-level folders (such as your HR, Accounting, etc.) with only these permissions:

Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Read Permissions

Nobody stores things directly beneath these top-level folders. Inside these we have subfolders further classifying the content, like: Forms, Invoices, Common, Customers, etc.

These folders have all permissions except:

Delete
Change Permissions
Take Ownership

All of this is set up using the Advanced button in the permissions dialog.

The consequences of this setup are:

1. People cannot store things in the top-level folders directly. They must choose a top-level folder and one of the subfolders to further classify what they want to store.
2. Folders can't be created until you're beneath one of the sub-folders. This keeps stuff reasonably clean.
3. Top-level folders can't be accidentally dragged into other top-level folders, because this would require permissions to create the subfolder (as well as delete the object being dragged).

There is one caveat: You aren't actually prevented from doing something stupid like dragging \HR into \Sales\Forms\, but what would happen is: HR would be copied, but you'd still be unable to delete HR after the copy was finished.

That being said, the above is not easy to do accidentally.
posted by odinsdream at 9:48 AM on October 13, 2008 [1 favorite]


« Older SEO Help - Meeting in 1 HR...   |   How can I study the server loa... Newer »
This thread is closed to new comments.