Windows 7 Forums

Windows 7: Shared folder, write but not delete

25 Mar 2016   #1
MiMadreMia87

Windows 7 - 64bit
 
 

I am applying a solution to take backups from client machines to a shared folder location; the share management will be done through their AD accounts through a backup application.

However, I want to prevent users from accessing the shared folder location and deleting contents.
It would be possible to use another account for shared file access, but I am looking for a better option.

If anything from the following can be done it would be great:
- Modifying permissions to allow writing and modifying content but not deleting
- Disable web access to shared location through windows explorer
- Only allowing access to shared location through the backup application in any way


Really appreciate any help.


25 Mar 2016   #2
Barman58

Windows 10 Pro x64 x2 Windows 10 Enterprise x64, Ubuntu
 
 

Not done any Active Directory work for a while, but I'm sure the delete permission was separate, so a deny could be applied to the delete for the group concerned, who would have the other permissions. You would need to check the stacking of the actual permissions to be sure though; a deny is a dangerous thing for sysadmins, as you often forget what groups you've assigned yourself to for testing.

Also it's worth having a look at Sysinternals as I think they still have some advanced AD tools

As most of the others should be possible through normal NTFS permissions and even the parental controls it should be possible using Group Policy
25 Mar 2016   #3
Alejandro85

Windows 7 Ultimate x64
 
 

What is this "backup application"? Is it a program running on a server that accesses all computers and copies to a backup server? Or is it installed on each computer, and they copy whatever is necessary to a server? Something else?
Both options are possible, but the approach can be different in each case.

Quickly answering the questions, but without a good background of the situation:
Quote: Originally Posted by MiMadreMia87
Modifying permissions to allow writing and modifying content but not deleting

That's not possible with SMB share permissions (which only allow read/write/full control), but normal NTFS permissions can separate creating new files from deleting and modifying existing files. Allow read and write to the share, but in the underlying NTFS permissions for the shared folder allow creating but not modification or deletion. An obvious drawback is that the logical drive hosting the shared folder must be NTFS for this to work. BTW, you really want to prevent both deletions and modifications, contrary to what you request, because users should not only be unable to delete backups, but also unable to tamper with them in any way.


Quote: Originally Posted by MiMadreMia87
Disable web access to shared location through windows explorer

This doesn't make any sense to me, could you explain what you meant? "Web" hasn't anything to do with SMB shares and Windows Explorer, which is in turn unrelated to anything web based.


Quote: Originally Posted by MiMadreMia87
Only allowing access to shared location through the backup application in any way

This would be the ideal option, but depends on the setup, hence my initial question.

As a separate question, why do you want to back up client machines anyway? That's not the best thing to do, because of the numerous different ways each one does their job and manages their files. Ideally, only the servers should be backed up, with people instructed to drop anything important there.

26 Mar 2016   #4
MiMadreMia87

Windows 7 - 64bit
 
 

The backup application is Iperius, installed on every client machine, and it backs up data to a NAS storage.
This is more of a requirement, to have a backup of files that match specific criteria in a central location.

It is not actually SMB shares, it's NTFS, but I cannot manage to find the suitable share combination to enable the client to do its job while still prohibiting users from deleting them. I assume modification would be required since the backup client installs the latest version of each document, writing the changes only.

Firewall didn't do the trick. I tried disabling access to the NAS IP while allowing that application, yet it didn't work.

By web access I was referring to normal Windows Explorer navigation to the shares. My bad.
27 Mar 2016   #5
Alejandro85

Windows 7 Ultimate x64
 
 

Having the backup program on each computer has certain security implications, but it's possible to deal with those. Yes, accessing with Windows Explorer implies standard SMB shares, but if it's a NAS it's quite unlikely that there is an underlying NTFS filesystem there, as they run Linux almost always.
Have a look at what access permissions the NAS allows you to set up. No idea what is even possible exactly in your case, but it should be possible to configure them correctly.

I insist that permission to change files is the wrong way to go. For one, permission to modify implies that the user can, instead of deleting, just empty the file, or change it in arbitrary ways, which still destroys the backup's value.
Moreover, replacing each document on each backup makes the backup itself vulnerable to accidents. Suppose that a virus destroys the file on the client machine, or the user makes a mistake he wants to revert: by overwriting the file you lose the original without any chance to revert to the old, safe version. That's called a "mirror backup" and is of little value against some incidents.

A better approach could be to give users only create-file access to the shared backup location. The backup program creates a new file each day for each document (named after the date, for example), so you only need read and create access (not delete nor modify), and it gives you the last days' worth of copies; in case of an incident you can go back further if the need arises. A scheduled task could purge the oldest ones to preserve disk space.

Firewalls are no good here. They can block access to the server completely or allow it, but have nothing to do with what is done there exactly.

Have a look at the NAS configuration panel, look for what file access restrictions it supports exactly.
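
An added example, not part of any post in this thread: one way to express the create-but-not-modify-or-delete NTFS permissions described in posts #3 and #5, using PowerShell. `D:\Backups` and `EXAMPLE\BackupUsers` are placeholder names, and it assumes the shared folder lives on a Windows NTFS volume (which a Linux-based NAS would not provide).

```powershell
# Added example. $Path and $Group are placeholders, not values from the thread.
$Path  = 'D:\Backups'            # folder behind the share, on an NTFS volume
$Group = 'EXAMPLE\BackupUsers'   # hypothetical AD group holding the backup users

function New-AllowRule($Identity, $Rights, $Inheritance) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inheritance, 'None', 'Allow'
}

$acl = Get-Acl -Path $Path
# Stop inheriting from the parent folder and drop the ACEs inherited from it.
$acl.SetAccessRuleProtection($true, $false)
# Drop any explicit ACEs already on the folder so only the rules below remain.
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

$everything  = 'ContainerInherit, ObjectInherit'   # folder, subfolders and files
$foldersOnly = 'ContainerInherit'                  # folder and subfolders, not files

# Administrators and SYSTEM keep full control (restores, purge of old copies).
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl' $everything))
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl' $everything))

# Backup users may list folders and read files everywhere.
$acl.AddAccessRule((New-AllowRule $Group 'ReadAndExecute' $everything))

# Create rights apply to folders only. On a file the same access bits mean
# "write data" / "append data", so letting files inherit them would allow
# modification of existing backups.
$acl.AddAccessRule((New-AllowRule $Group 'CreateFiles, CreateDirectories' $foldersOnly))

# A file's creator becomes its owner, and an owner can normally rewrite the
# file's ACL. An ACE for OWNER RIGHTS (S-1-3-4, Vista / Server 2008 and later)
# replaces that implicit right, so owners get read access only.
$ownerRights = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-4'
$acl.AddAccessRule((New-AllowRule $ownerRights 'ReadAndExecute' $everything))

Set-Acl -Path $Path -AclObject $acl

# Show the resulting ACL for review.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
```

Run it from an elevated prompt on the machine hosting the folder, then test a backup run as a member of the group: creating a new file should succeed, while overwriting, renaming or deleting an existing one should be denied.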