We have a small office LAN with a few Windows 10 PCs (without server). One PC has a shared folder which various users create files for sharing. For various reasons some created files are sometimes deleted or moved unexpectedly. We want to limit the right to delete or move any file to the file creator only and not other users who should have only read permission. I believe this could be done on unix or Linux system with umask. For windows I'm not sure how to do it? I understand that Windows file permission uses inheritance concept, so if the users have write permission on the folder a file created by anyone could be modified or deleted by someone else. This is not what we want. What should we do and how? Thanks
5
-
This can be done for new shares/folders by granting Creator/Owner Full Control, and Authenticated Users Create permission in the root folder only. However, existing files/folders would need to be repermissioned manually.– Greg AskewCommented Aug 23, 2022 at 10:58
-
Thanks. If this is the only way, it would be really troublesome for the administrator. (The end users / file owners would not bother doing this 😬)– micCCommented Aug 23, 2022 at 11:41
-
Most organizations don't bother with this scheme though, due to: 1. The data can be restored fairly quickly and easily 2. It's straightforward to determine who/when the files were deleted. I would say this is particularly true now, given the prevalence of ransomware.– Greg AskewCommented Aug 23, 2022 at 12:07
-
Please could you elaborate how to trace who deleted / moved what and when. Thanks.– micCCommented Aug 23, 2022 at 13:37
-
Windows has auditing built in. That can be enabled and show file system events. docs.microsoft.com/en-us/windows/security/threat-protection/…– Greg AskewCommented Aug 23, 2022 at 15:34
Add a comment
|
2 Answers
Since you do not have a DC or you do not have any account manager implemented on your network, use the local SAM of that Windows that hosts the network share folder ("file server").
Create groups and users according your necessitates.
e.g. johndoe, janedoe, ceastwood, cnorthwood, cwestwood, Sales-Group, Accountants, Managers
Train your users to use these accounts when connect to the "file server".
Create Folders under the shared folder and navigate to the Security tab of the folder.
Define the permissions of each users and groups. (Better to operate with groups).
I have got a close solution here :
https://docs.microsoft.com/en-us/answers/questions/978262/windows-10-shared-folder-permission.html