I want to set permissions on a folder in which every local user should be able to:
- Create new files or folders
- But only a file's owner should be able to modify it or delete it
Since we need the Create Files/ Write Data
, Create Folders/ Append Data
and Write Attributes
permissions in order to create files, how do I prevent users from modifying the file of another owner? Further, with Write Attributes
allowed, every modification (except deletion) is permitted. But if I disable this permission, I can not create files.
What permissions should I be using?
Best Answer
The keys you're missing are the
CREATOR OWNER
identity and the "Apply To" setting.Apply the following permissions to your shared folder to allow the
Everyone
identity to create files & folders, but only a file or folder's* owner (CREATOR OWNER
identity) to edit/rename/delete it:What we're doing here is granting Everyone enough permissions to Read everything in the folder and create files & folders, but that's it. Then the CREATOR OWNER permissions take over. When an object is created, Windows applies any permissions granted to the CREATOR OWNER identity to the object's creator.
So Full Control on Files only allows the creator of a file to do anything with it he wishes. The Delete on "Subfolders only" is a bit more obscure; this is necessary to allow the creator of a folder to 1) Rename, and 2) Delete it. However, if a folder owner attempts to delete a folder that contains files or folders he does not own, then the delete operation will fail.
*These permissions allow modifying folders owned by a user, which you did not specifically request. However, if you don't allow this, then users can create a folder but not rename it. This is problematic, for example, if a user creates a folder via the Windows context menu. In this case Windows first creates a folder named New Folder then prompts the user to rename it, but once it's first created the user would in fact not be able to rename it.