Windows – Deny Sub-Folder Creation but Allow File Editing

file-permissions, permissions, windows

I'm currently trying to set up a folder on a file server (Windows Server 2012 R2) where some users can create and edit files, but not create sub-folders. I assumed it would be easy with advanced permissions, just unchecking "Create folders / append data" should do the trick, so I did just that.

However, when I do that, users with said permissions can only open files in the folder in read-only mode. Even more confusing, they can still do everything else like save under a different name, create a file, delete a file… so in a way, they can still edit a file (by saving it under name "file2", deleting "file1", then renaming "file2" to "file1"), but it's a huge pain.

I tried with Excel, Word and even .txt files so I can assume all types of files are affected.

I stumbled upon this while googling my problem but adding a deny rule as suggested only gets me to the same result.

Is there something I'm missing?

Btw, if this is of any importance, this happens both on Windows 10 clients and on a W2012R2 RDP server.

Best Answer

I would set it up like this:

[Image: Advanced Security Settings example]

In case you find the picture hard to read, here are the entries in text form:

  • Administrators: Full control, applies to this folder, subfolders and files
  • Users: Full control, applies to files only
  • Users: Create files / write data, applies to this folder only
  • Users: Read & execute, applies to this folder, subfolders and files

(The variant described in your self-answer will work too, doing it this way just makes the intent slightly more clear to someone looking at it later.)

The underlying issue is that files and folders share the same set of permissions, and some of them have a different meaning for files than for folders.

In particular, the "create folders / append data" access right has these effects:

  • For a folder, it allows you to create new subfolders in the folder.
  • For a file, it allows you to append data at the end of the file.

So if an application doesn't have that right to a particular file, it can't make that file any longer than it already is. For that matter, according to a strict reading of the documentation, it can't make it any smaller either - but I'm not sure that's actually true. :-)

At any rate, that will typically mean that the application can't open the file for writing at all. Most applications ask for generic write access when opening files for editing, and that includes the append data right. In this scenario that won't work and the application will typically either fail entirely or fall back to read-only mode.
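The four entries from the answer, applied with icacls as an added example (this is not code from the answer or the original post). It assumes a placeholder folder path, that inheritance on the folder is disabled so an inherited "Users: Modify" entry cannot re-grant the "Create folders / append data" right, and that the folder is on an NTFS volume.

```powershell
# Added example, not from the original answer.
# Assumption: $Path is a placeholder; replace with the real shared folder.
param([string]$Path = 'D:\Shares\Drop')

# icacls inheritance flags used below (Advanced Security Settings "Applies to"):
#   (OI)(CI)   this folder, subfolders and files
#   (OI)(IO)   files only
#   no flags   this folder only
# Rights: F = full control, RX = read & execute, WD = write data / create files
$aces = @(
    'Administrators:(OI)(CI)F',  # Administrators: Full control, folder, subfolders and files
    'Users:(OI)(IO)F',           # Users: Full control, files only
    'Users:(WD)',                # Users: Create files / write data, this folder only
    'Users:(OI)(CI)RX'           # Users: Read & execute, folder, subfolders and files
)

function Set-DropFolderAcl {
    param([string]$Folder, [string[]]$Entries)
    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
        throw "Folder not found: $Folder"
    }
    # Assumption: inherited ACEs are dropped and existing explicit entries for
    # these two principals are cleared, so only the list above remains.
    & icacls $Folder /inheritance:r /remove Users Administrators | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed resetting ACL on $Folder" }
    foreach ($ace in $Entries) {
        & icacls $Folder /grant $ace | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls failed applying '$ace'" }
    }
}

function Test-DropFolderAcl {
    param([string]$Folder)
    # Returns $true when no Allow entry that applies to the folder itself
    # (i.e. not InheritOnly) gives Users the CreateDirectories right.
    $acl = Get-Acl -LiteralPath $Folder
    $bad = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like '*\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -eq 0) -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::CreateDirectories) -ne 0)
    }
    return (-not $bad)
}

Set-DropFolderAcl -Folder $Path -Entries $aces
Test-DropFolderAcl -Folder $Path   # expected $true once the ACL is applied
```

Run `icacls $Path` afterwards to compare the resulting DACL with the four entries listed in the answer.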
