Prevent folder deletes at top level only on Server 2008

file-permissions ntfs windows-server-2008

I'm trying to prevent folder moves, really folder deletes in NTFS parlance, for a series of folders within a network share.

So let's say I have: FolderA, FolderB, FolderC. Each folder has various files and subfolders. I want the Domain Users group to have modify access to all files and folders beneath FolderA, FolderB, and FolderC. However I don't want them to be able to delete these three top level folders.

The issue we are having right now is people keep accidentally dragging one top level folder into another.

I've tried using advanced NTFS permissions to deny domain users delete access to these top level folders, and set the permissions to apply to "This folder only", however it seems to only affect sub-folders, and not the top level.

Platform is Server 2008 Standard.

Thanks in advance.

Best Answer

"Deny" is usually the wrong tool for the job and is a sign that your permission hierarchy is upside-down.

Rather than denying permissions, grant "Domain Users" the "List Folder Contents" permission on "This Folder Only" and "Modify" on "Subfolders and Files". This will allow them to list the contents of the top level folder but will not allow them to delete it. They will still be able to modify subfolders and files within the top level folder and subfolders. This assumes that "Domain Users" isn't inheriting excessive rights from a parent folder, though. If they are then you're going to need to stop permission inheritance (which makes me cry inside).
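
One way to apply the two entries described in the answer with PowerShell, as an added example that is not part of the original answer. The share root `D:\Share` and the domain name `CONTOSO` are assumed placeholders; after applying the entries, the script reports any remaining (inherited) entry that would still let the group delete a top-level folder.

```powershell
# Added example; $root and the CONTOSO domain name are assumed placeholders.
$root  = 'D:\Share'
$group = 'CONTOSO\Domain Users'
$tops  = 'FolderA', 'FolderB', 'FolderC'

$fsr   = [System.Security.AccessControl.FileSystemRights]
$inh   = [System.Security.AccessControl.InheritanceFlags]
$prop  = [System.Security.AccessControl.PropagationFlags]
$allow = [System.Security.AccessControl.AccessControlType]::Allow

# "This folder only": list and traverse, no Delete right on the folder itself.
$listHere = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $group, $fsr::ReadAndExecute, $inh::None, $prop::None, $allow

# "Subfolders and files only": Modify is inherited by children (InheritOnly),
# so it never applies to the top-level folder that carries the entry.
$children = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$modifyBelow = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $group, $fsr::Modify, $children, $prop::InheritOnly, $allow

foreach ($name in $tops) {
    $path = Join-Path $root $name
    $acl  = Get-Acl -Path $path

    # Remove the group's existing explicit entries (for example an earlier Deny).
    $account = New-Object System.Security.Principal.NTAccount -ArgumentList $group
    $acl.PurgeAccessRules($account)
    $acl.AddAccessRule($listHere)
    $acl.AddAccessRule($modifyBelow)
    Set-Acl -Path $path -AclObject $acl

    # Verify: look for Allow entries for the group that apply to the folder itself
    # and include Delete. Anything found here is inherited from a parent folder.
    $risky = (Get-Acl -Path $path).Access | Where-Object {
        $_.IdentityReference.Value -eq $group -and
        $_.AccessControlType -eq $allow -and
        -not ([int]$_.PropagationFlags -band [int]$prop::InheritOnly) -and
        ([int]$_.FileSystemRights -band [int]$fsr::Delete)
    }
    if ($risky) {
        Write-Output "$path : group can still delete this folder (inherited entry)"
        $risky | Format-List FileSystemRights, IsInherited, InheritanceFlags
    } else {
        Write-Output "$path : no Delete right for $group on the folder itself"
    }
}
```

The check only looks at entries for the named group; rights granted through other groups the users belong to, or "Delete subfolders and files" on the parent folder, need the same review.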