For our Benefits Open Enrollment period, we want to setup a file share/mapped drive where a specific user account (autologon to locked down laptops for this specific purpose) can save a PDF of their enrollment options from a website they sign up on.
We don't want the user to have read permissions so they can't open other employees's enrollment files. Then the HR Manager who does have read/write permissions can go into that folder to open and print the pdf file. After it is printed it gets deleted.

I can't figure out the right combination of Advanced permissions to allow this to happen. Can someone point me in the right direction?

UPDATE: Thanks to EricD and Cosmic542, Robocopy is working great for this. The only caveat is that robocopy runs every minute at a minimum, and I want it to check every 5 seconds or maybe less. I found FreeFileSync through another forum, and it's companion app that gets installed beside it, "RealTimeSync". RTS is a nice little app that monitors a folder for new files/changes and runs a command. You can set how many seconds you want it idle after/before running the command. I have it set to run robocopy once every 5 seconds.
Picture: http://bit.ly/1EdItoB

Thanks all for your help!

  • Why not simplify: have a background job which moves all files from the pick up directory every 10s or so, to a drop off directory only accessible to HR? Then you need not worry about possible loopholes and workarounds of nosy people.
    – ErikE
    Commented May 1, 2015 at 19:43
  • 1
    It's not possible to set a combination of NTFS permissions that are sufficient to let a user create a file but not access it. The reason for this is that any file he creates, he becomes its OWNER, and an owner of an object always has the ability to...change permissions on the object.. No matter what permission tricks you pull, being a file's owner lets you "reset" the file's permission to grant yourself Full Control. Commented May 1, 2015 at 20:45
  • 2
    What about instead of locking down read you deny "List Folder Contents"? The users should then be able to submit the files but not list the contents of the folder, or even view it through windows explorer. It's not foolproof, but it would require a bit more sophistication / guesswork to get into another user's file.
    – Kate
    Commented May 1, 2015 at 21:51
  • Although, I'm a bigger fan of @ErikE 's suggestion
    – Kate
    Commented May 1, 2015 at 21:53

1 Answer 1


Create a folder with write permissions for the user. Create a robocopy job which copys everything out of this folder every minute.

Is the only clean way for your thing.

Otherwise you can set the listup permission, read attributes and the permission to write files into a folder.

  • If using robocopy I would suggest the /mov and /mon:1 switches instead, triggering robocopy to watch for changes as well as deleting files from the source.
    – ErikE
    Commented May 1, 2015 at 19:51
  • Thanks Cosmic542 and ErikE. This is the way I'll set it up . I appreciate your help!
    – rjholtz
    Commented May 4, 2015 at 18:04

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .