NTFS Folder permissions
Hi,

I've been playing with the NTFS permissions for a while but could not manage to do what I want. I'd like to know if there is a way to achieve what I would like to...

Here is the structure: Level 1 is a folder that only administrators should be able to modify / delete. Within Level 1, users should be able to create / modify / delete files and folders.

When a user tries to delete the Level 1 folder, he gets an 'Access denied' which is right, but the folder contents get deleted, since the user has the right to do so.

Is it possible to avoid that? Can I leave control to users within the Level 1 folder, deny the Level 1 folder deletion and make sure the contents are not deleted when trying to delete Level 1 folder?

Hope this is clear enough... Thanks in advance!

A.
January 27th, 2009 6:52pm

Hi,

There is a previous thread on similar requirements. Hope it helps:

Folder rights question
http://social.technet.microsoft.com/forums/en-US/winserversecurity/thread/3fb7519b-7a81-44a7-9e1b-f02ccad70feb

Best regards,
Vincent Hu
January 28th, 2009 1:33pm

Hi Vincent,

Thank you for your answer but that is not really what I want...

Users should be able to:
- on the parent folder: nothing! Cannot rename / delete parent folder
- on the subfolders and files: everything! They can delete, modify files and folders, append date, create folders, etc.

What I have been facing is that though I managed to give the correct effective rights, when a user tries to delete the parent folder (which he should not be able to delete) the user gets an 'access denied' BUT the folder contents (files and subfolders) still get deleted.

Deleting a file or folder inside the parent folder is ok but I just try to prevent a user from deleting all the parent folder content when trying to delete that specific parent folder.

Hope it's clearer - but I don't even know if this is feasible!

Thanks in advance!

A.
February 2nd, 2009 12:52pm

Hi Amarquis,

I may have misunderstood your concern a bit in the previous post. I suspect you want to set the permission of a shared folder. I performed several tests on my computer, and I succeeded in setting the permission you want.

Please configure the security settings as follows to enable read/modify file but disable delete file.

1. Right click the folder to open the Properties dialog.
2. In the Security tab, click Advanced.
3. Uncheck the Include inheritable permissions from this object's parent option, click Copy.
4. Remove unneeded permissions, such as Users and Creator Owner (if you do not want users to delete files that they create themselves).
5. Click Add to add the user or group that should have permission to this folder.
6. Configure the permission of this user or group as follows: Allow Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders and Files, Read Permissions
7. Ensure the Apply these permissions to objects and .. item is not checked, and click OK.
8. Check the Replace permission entries on all child objects with entries.. item, and click OK.
9. Click Apply and OK.

Back to the Security tab, click on the user or the group and choose: Read & Execute, List Folder Contents, Read, Write. Click OK.

Best Regards,
Vincent Hu
February 3rd, 2009 5:46am

Thank you Vincent.

My description of what I want to achieve might not be easy to understand... my English is not so good and sometimes it's hard to explain.

Let me try to be clearer again...

Let's say I have a folder called PROJECT
- Within PROJECT I have 5 subfolders called ONE, TWO, THREE, FOUR, FIVE - each contains files
- Within PROJECT I also have several files
- I want my user group to be able to modify/delete anything within the PROJECT folder - users should be able to delete any of the 5 subfolders and any file.
- I want my user group NOT TO BE ABLE to modify/rename/delete the PROJECT folder itself.

Now, if a user hits delete on the PROJECT folder, with your solution, the user will get an ACCESS DENIED - but - all the content will get deleted (all 5 subfolders and all files contained within the PROJECT folder)!

Therefore, my question is: Is there a way to prevent the PROJECT folder content from being deleted when you hit delete on the PROJECT folder, while having the right to delete the files and folders once you are in the PROJECT folder?

I'd like to do that to prevent massive accidental deletion, since that PROJECT folder will contain tons of files. So I want users to be able to delete files or subfolders by selecting what they want to delete (of course I cannot prevent users from doing Ctrl+A + delete) but not to do it from the root PROJECT folder.

Hope this time it's clearer! :o)

Thanks again for your time - much appreciated!

Arnaud
February 3rd, 2009 1:02pm

Hi Amarquis,

Yes, I think I understand your concern completely. I performed the following test:

1. Create a folder TEST on my D drive
2. Create several subfolders and TXT files in folder TEST
3. Configure the permission as I provided above
4. Log out of the administrator account, log in with a user account
5. Hit on TEST folder, right click and select Delete.

At last, I got an ACCESS DENIED. And I checked the subfolders and TXT files I created under the TEST folder previously; they are all there.

Did you follow the process in the above post?

Regards,
Vincent Hu
February 4th, 2009 5:03am

Hi Vincent,

Yes, I did what you suggested but still get the same results.

Maybe I did not mention that this folder is accessed on the network through a share. Everyone is allowed change/read on the share. Does that make any difference? Should I change the share rights?

Now there is something I don't understand in your post:

"Back to the Security tab, click on the user of the group and choose: Read & Execute, List Folder Contents, Read, Write. Click OK."

Why should I do that? Applying the rights from the advanced security tab automatically checks these mentioned rights on the security tab. And what do you mean by 'the user of the group'? The whole user group should have the same access rights.

Well, this is my last attempt today... If I don't manage to do it as I want, I will do it in a simpler way. And will instruct the users not to close their eyes and hit delete!

Thanks anyway for your help!

Arnaud
February 4th, 2009 12:26pm

Hi,

If the folder is accessed on the network through a share, you can just share the PROJECT folder, and give full control to the specific user or group. As a shared folder, it can't be deleted by any users.

Best regards,
Vincent Hu
February 5th, 2009 7:59am

Hi Vincent,

Thanks for your time. I understand the relation between shares and folders and the way rights should be applied. So basically, that doesn't change anything to my problem.

I really tried all kinds of combinations to achieve what I wanted but I now have to give up since I cannot spend more time on this. So I will simplify the rights.

Still, if anyone manages to do what I described in the above posts, I would be interested to know how - pure interest!

Thanks anyway for all the tips and best regards,

Arnaud
February 5th, 2009 2:24pm

Here is what you will do:

1. Assume your top folder is "Dockets".
2. Assume your sub folder is "716410 ESA Monthly".
3. Assume you have 5 subfolders and files in them.
4. Make 3 global security groups: Full control, Modify, Read and Execute.
5. Keep share permission full control on the main "Docket folder"; this way users are not blocked on share level, we control them through NTFS.
4. On "dockets" add "Domain admins" and give full permission.
5. On "docket folder" add those three groups and give them read and execute permission.
6. You are not giving special permissions yet, simple ok, so this way don't get confused; inheritance and all are default till this point.
7. So now only users who are in the full control group and domain admins group can do anything on docket level; the rest of the users cannot create, delete or modify anything at this level.
7. Now you go to the point 2 folder "716410 ESA Monthly", go to permission and go to advanced; you will see it's inherited from the top, which is dockets.
8. Don't do anything here since this is what you want; go to step 9.
9. Now go inside the "716410 ESA Monthly" where you have 5 folders, select all of them and right click, go to permission and advanced.
10. Remove the inheritance check; when asked, copy the permission.
11. Now click on that security group called modify (the rest we don't have to change at all) and click on edit.
12. Make sure that "Apply only to - This folder, subfolder and files".
13. Select all except "change permissions", "Delete" and "full control"; do not check anything else. Click ok and come out from special permission.
14. Click apply on the advanced security tab.
15. Go to or log on to a machine with one of the users who is in the modify level permission group and try to do what you are trying to achieve.
16. All set, done..

Now if you need this to be automated you will have to create a batch file or script and run it through a batch file to apply to all folders; this is the point where I am working on my query also. Let me know if you get something.

Thanks,
imran
immi_im@hotmail.com
Shift the Ctrl in our hands and we will Alt the world.
February 5th, 2009 8:09pm
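
For the automation mentioned at the end of the post above, here is a scripted form of steps 3 to 8 from Vincent Hu's February 3rd post; it is an added example, not code from either poster. `D:\TEST` and `CONTOSO\ProjectUsers` are placeholder values, and the names `BUILTIN\Users` and `CREATOR OWNER` assume an English-language system.

```powershell
# Added example; run from an elevated prompt. $Root and $Group are placeholders.
$Root  = 'D:\TEST'               # folder to protect (assumption)
$Group = 'CONTOSO\ProjectUsers'  # hypothetical user group (assumption)

# Step 3: stop inheriting from the parent, keeping the inherited entries as
# explicit copies (the "Copy" button in the dialog).
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Root -AclObject $acl
# Re-read: the copied entries only become explicit (removable) after the write.
$acl = Get-Acl -Path $Root

# Step 4: remove unneeded entries, plus any earlier entry for $Group.
foreach ($name in 'BUILTIN\Users', 'CREATOR OWNER', $Group) {
    $account = New-Object System.Security.Principal.NTAccount($name)
    $acl.PurgeAccessRules($account)
}

# Steps 5-6: the rights listed in the post. Note that Delete is absent and
# Delete Subfolders and Files is present.
$rights = [System.Security.AccessControl.FileSystemRights] (
    'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ' +
    'CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes, ' +
    'DeleteSubdirectoriesAndFiles, ReadPermissions')

# Step 7: applies to this folder, subfolders and files; the "apply to objects
# within this container only" box left unchecked maps to propagation 'None'.
$inherit = 'ContainerInherit, ObjectInherit'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Group, $rights, $inherit, 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $Root -AclObject $acl

# Step 8: replace the entries on all child objects with inherited ones.
icacls "$Root\*" /reset /T /C | Out-Null

# Check: no entry for the group on the root folder may carry Delete.
$delete = [System.Security.AccessControl.FileSystemRights]::Delete
$bad = (Get-Acl -Path $Root).Access | Where-Object {
    $_.IdentityReference.Value -eq $Group -and ($_.FileSystemRights -band $delete)
}
if ($bad) {
    Write-Warning "$Group still holds Delete on $Root"
} else {
    "$Group has no Delete right on $Root itself"
}
```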

Hi,

I have a similar issue. I have a folder containing many subfolders, and each subfolder has its own security permissions. I want to copy all the subfolders to a different folder while keeping their security permissions. Is there a way to do that? Can any 1 help me?

Thanks

Also, I am doing this on a network, idk if it has anything to do with it. The files are shared pretty much.

Rye
April 4th, 2009 12:14am

"Hi, I have a similar issue. I have a folder containing many subfolders, and each subfolder has its own security permissions. I want to copy all the subfolders to a different folder while keeping their security permissions. Is there a way to do that? Can any 1 help me? Thanks. Also, I am doing this on a network, idk if it has anything to do with it. The files are shared pretty much. Rye"

*cough cough* scriptlogic secure copy *cough cough*

Sorry MS but it's a very neat tool and I don't know of any MS way of doing the same...
April 4th, 2009 3:37am

This topic is archived. No further replies will be accepted.
