Manage Learn to apply best practices and optimize your operations.

Managing Windows folders and files on a network share

Windows hardening expert Jonathan Hassell gives a step-by-step analysis of problems you may experience when trying to prevent users from deleting and moving files on a network share.

I am trying to prevent users from deleting and moving folders and files on a network share. They should only be able to create, read, execute and write files and folders.

I have already created the group and deny delete and delete subfolder and files. This option is not working for...


Once the deny delete and delete subfolder is applied

  1. Users cannot delete files and folder "First task accomplish"
  2. Users cannot move a folder into another folder "Second task accomplish". However it creates an empty folder with the same name of the source folder inside the destination folder. This cannot be deleted and creates confusion for the user and starts filing in the wrong location
  3. All files created under the share respond to the deny option however it's not possible to create excel files. Error message cannot save the "file name". The folder is marked as a read only.
  4. User cannot move or delete files inside the share but they can creates copies on theirs desktop for security could this be control it.

Let me address your issues as best I can. To be honest, it sounds like things are largely performing as you wanted.
  1. This is expected behavior. You mentioned you don't want users deleting folders and files, so I assume this is the way you want this to behave.
  2. Moving a folder is effectively a delete operation with a second create operation (delete the folder at the old destination and recreate it at the new destination), so this won't work with your permissions set the way they are. Of course, this sounds like expected behavior, since you don't want users deleting folders.
  3. Are Excel files the only files that respond in this way when you're trying to save them?
  4. You can't really control copying data from the server if a user has read access to it. You would essentially have the remove any writeable areas on the local computer, which isn't practical.

In the future, the RSoP tools in Windows Server 2003 are very helpful at diagnosing permission oddities and figuring out exactly what effect a permissions change will have on your users. You don't mention if you're using Windows Server 2003, so I can't officially recommend that route, but other users will likely find the tool useful.

For more information:

  • Domain Management: Expert Advice Collection
    In this expert advice collection, networking security expert Wes Noonan shares his advice on some popular domain management and Group Policy questions. Visit Wes's entire archive of advice and see if he has already answered a question specific to your networking needs or even ask him a question of your own.

  • Network Access Control Learning Guide
    Learn how unauthorized users gain network access, how to block and secure untrusted endpoints, and get Windows-specific and universal access control policies and procedures.
This was last published in July 2006

Dig Deeper on Network intrusion detection and prevention and malware removal

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.