My objective is to prevent users from unintentionally relocating or erasing directories within a particular level of hierarchy in a Windows Server 2019 share.
Example:
Two User Groups: Admin and User

|- RootShareDirectory   <= Directory that is shared
   |- ProjectFolder1    <= Folder should only be moved / changed / deleted by an admin
      |- File1.doc      <= User has full access to the content itself.
      |- SubFolder2     <= User has full access to the content itself.
   |- ProjectFolder2    <= Folder should only be moved / changed / deleted by an admin
   ...
What have I tried:
I have found multiple solutions for this issue online, e.g.:
- How to prevent users from deleting one folder, while still giving them modify permissions to other files and folders?
- https://blogs.uw.edu/curreri/disable-click-and-drag-on-folders/
- https://dilrukj.wordpress.com/2013/01/01/prevent-users-deleting-moving-or-drag-and-drop-folders-in-a-file-share/
I attempted all the solutions, but none of them worked. The majority of solutions suggest setting up an access control list (ACL) for ProjectFolderX to restrict Users from deleting it.
However, I only achieved two outcomes: either ProjectFolderX could still be moved, while all other actions in the RootShareDirectory were prohibited, or ProjectFolderX was immovable, and its contents (such as File1.doc) were also unalterable.
Could someone please provide me with guidance on resolving this problem? Thank you.
3 Answers
Introduction
Windows Server 2019 is a powerful operating system that offers various features and tools for managing and securing your network environment. One of the essential components of Windows Server 2019 is the ability to share folders and files across the network. However, when sharing folders, it’s crucial to ensure that users don’t accidentally move or delete critical data. In this blog post, we will discuss how to prevent users from moving or deleting folders in a Windows Server 2019 Share.
Understanding Folder Permissions
Before we dive into the solutions for preventing users from moving or deleting folders, it’s essential to understand how folder permissions work in Windows Server 2019. When you share a folder on a network, you can set permissions for specific users or groups. These permissions determine what actions users can perform on the shared folder, such as read, write, modify, or delete.
By default, Windows Server 2019 assigns the following permissions to shared folders:
- Read – Users can view the contents of the folder but cannot modify or delete them.
- Change – Users can modify the contents of the folder but cannot delete them.
- Full Control – Users can modify the contents of the folder and delete them.
To prevent users from moving or deleting folders, we need to modify the default permissions and assign specific permissions to users or groups.
Preventing Users from Moving or Deleting Folders
There are several ways to prevent users from moving or deleting folders in a Windows Server 2019 Share. In this section, we will discuss some of the most effective solutions.
Solution 1: Use Advanced Security Settings
One way to prevent users from moving or deleting folders is to use advanced security settings in Windows Server 2019. Here’s how you can do it:
- Right-click on the folder that you want to protect and select “Properties.”
- Select the “Security” tab and click on the “Advanced” button.
- Click on the “Add” button to add a new user or group.
- Enter the name of the user or group that you want to restrict from moving or deleting the folder and click on “OK.”
- Select the user or group from the list and click on the “Edit” button.
- In the “Permissions” section, uncheck the “Delete” and “Delete Subfolders and Files” options.
- Click on “OK” to save the changes.
With this solution, the user or group that you added will no longer be able to move or delete the folder. However, they will still be able to modify the contents of the folder.
Solution 2: Use Group Policy
Another way to prevent users from moving or deleting folders is to use Group Policy in Windows Server 2019. Here’s how you can do it:
- Open the Group Policy Management Console.
- Create a new Group Policy Object (GPO) or edit an existing one.
- Navigate to “Computer Configuration” > “Policies” > “Windows Settings” > “Security Settings” > “File System.”
- Right-click on an empty area and select “Add File…” or “Add Folder…”
- Select the folder that you want to protect and click on “OK.”
- Click on the “Edit Security” button.
- Click on the “Advanced” button.
- Select the user or group that you want to restrict from moving or deleting the folder and click on the “Edit” button.
- In the “Permissions” section, uncheck the “Delete” and “Delete Subfolders and Files” options.
- Click on “OK” to save the changes.
- Link the GPO to the appropriate organizational unit (OU) or domain.
With this solution, users or groups that are affected by the GPO will no longer be able to move or delete the folder. However, they will still be able to modify the contents of the folder.
Solution 3: Use Access-Based Enumeration
Access-Based Enumeration (ABE) is a feature in Windows Server 2019 that allows you to hide files and folders from users who do not have permission to access them. By using ABE, you can prevent users from seeing and accessing folders that they should not be able to modify or delete.
To enable ABE, follow these steps:
- Open the Server Manager.
- Navigate to “File and Storage Services” > “Shares.”
- Right-click on the shared folder that you want to protect and select “Properties.”
- Select the “Settings” tab.
- Check the “Enable access-based enumeration” option.
- Click on “OK” to save the changes.
With ABE enabled, users who do not have permission to modify or delete the folder will not be able to see it in the shared folder.
Solution 4: Use File Screens
File Screens is another feature in Windows Server 2019 that allows you to prevent users from storing specific file types in a shared folder. By using File Screens, you can prevent users from accidentally moving or deleting folders that contain critical data.
To enable File Screens, follow these steps:
- Open the File Server Resource Manager.
- Navigate to “File Screening Management” > “File Screens.”
- Click on “Create File Screen Template” to create a new template.
- Enter a name for the template and select the file types that you want to block.
- Click on “Create” to save the template.
- Right-click on the shared folder that you want to protect and select “Properties.”
- Select the “Screens” tab.
- Click on “Add” to add a new file screen.
- Select the file screen template that you created earlier and click on “OK.”
- Click on “OK” to save the changes.
With File Screens enabled, users will not be able to store files that match the blocked file types in the shared folder. This will prevent users from accidentally moving or deleting folders that contain critical data.
Solution 5: Use Third-Party Software
If the above solutions do not meet your requirements, you can consider using third-party software to prevent users from moving or deleting folders. There are many commercial and open-source software solutions available that offer advanced folder protection features.
Some popular third-party software solutions for folder protection include:
- Folder Guard
- Secure Folders
- Folder Lock
Before using any third-party software, make sure to research it thoroughly and test it in a non-production environment.
Conclusion
Preventing users from moving or deleting folders in a Windows Server 2019 Share is essential to ensure the security and integrity of your network environment. In this blog post, we discussed several solutions for achieving this goal, including using advanced security settings, Group Policy, Access-Based Enumeration, File Screens, and third-party software. By implementing one or more of these solutions, you can protect critical data from accidental or intentional deletion.
To prevent users from moving or deleting folders on a specific hierarchy level of a Windows Server 2019 share, you can follow the steps below:
- Open the File Explorer and navigate to the root share directory.
- Right-click on the folder that you want to protect and select “Properties”.
- In the Properties window, go to the “Security” tab.
- Click on the “Edit” button to open the “Permissions” window.
- In the “Permissions” window, select the user or group that you want to restrict.
- In the “Permissions” section, uncheck the “Delete” and “Modify” boxes.
- Click on the “Apply” button and then on the “OK” button to save the changes.
This will prevent the selected user or group from deleting or moving the folder, while still allowing them to access the contents of the folder.
Note: If you want to prevent users from moving or deleting folders on all hierarchy levels of the share, you will need to repeat these steps for each folder that you want to protect.
Here are some additional things to consider:
- If you want to prevent users from moving or deleting specific folders while still allowing them to move or delete other folders, you can create separate user groups for each type of folder and apply the appropriate permissions to each group.
- You may also want to consider using Access Control Lists (ACLs) to fine-tune the permissions for each user or group. This can allow you to specify more granular permissions, such as allowing users to read and execute files in a folder but not modify or delete them.
- It’s also a good idea to regularly review the permissions on your shared folders to ensure that they are set up correctly and to make any necessary changes as your organization’s needs evolve.
I hope this information helps. Let me know if you have any additional questions.
Below is the method I employed to address the problem. I am providing details about the user's permissions. To add these permissions, use the Advanced Security dialog (Right click / Settings / Security / Advanced).
RootShareDirectory
- Permission for "This Folder, SubFolder and Files": only Read, Execute
ProjectFolderX
- Activate permission inheritance.
- Permission for "This Folder": every permission excluding Delete.
- Permission for "Only Subfolder and Files": Full Access.
Explanation
To stop a file from being relocated, it is necessary to deactivate the Delete function. However, there are two factors that affect whether a folder can be deleted:
- The "Delete" permission on the folder itself
- The "Delete subfolders and files" permission of the parent folder.
Please ensure the user who is not allowed to delete has neither of these two permissions.
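The permission layout from the answer above, scripted with Get-Acl/Set-Acl as an added example (not code from the original post), followed by a check that lists every allow entry still carrying one of the two delete rights. Assumptions: the share path and group name are hypothetical placeholders, and the script grants Modify-level rights instead of the answer's literal "every permission" and "Full Access", so that users do not also receive "Change permissions" and "Take ownership".

```powershell
# Added example. $Root and $Identity are hypothetical placeholders.
$Root     = 'D:\Shares\RootShareDirectory'
$Identity = 'CONTOSO\ProjectUsers'

function New-AllowRule($Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

# Share root: read/execute only, so there is no "Delete subfolders and files" on the parent.
$acl = Get-Acl -LiteralPath $Root
$acl.SetAccessRule((New-AllowRule 'ReadAndExecute' 'ContainerInherit,ObjectInherit' 'None'))
Set-Acl -LiteralPath $Root -AclObject $acl

foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    $acl.SetAccessRuleProtection($false, $true)   # keep inheritance enabled
    # This folder only: read, traverse and create children, but no Delete.
    $acl.SetAccessRule((New-AllowRule 'ReadAndExecute, Write' 'None' 'None'))
    # Subfolders and files only: users may change and delete the contents.
    $acl.AddAccessRule((New-AllowRule 'Modify' 'ContainerInherit,ObjectInherit' 'InheritOnly'))
    Set-Acl -LiteralPath $dir.FullName -AclObject $acl
}

# Check: allow entries that apply to the object itself and include the given right.
function Get-DeleteGrant($Path, [System.Security.AccessControl.FileSystemRights]$Right) {
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.PropagationFlags -notmatch 'InheritOnly' -and
        ([int]$_.FileSystemRights -band [int]$Right) -ne 0
    } | Select-Object @{n='Path';e={$Path}}, IdentityReference, FileSystemRights, IsInherited
}

# "Delete subfolders and files" on the parent, then "Delete" on each project folder.
Get-DeleteGrant $Root 'DeleteSubdirectoriesAndFiles'
Get-ChildItem -LiteralPath $Root -Directory |
    ForEach-Object { Get-DeleteGrant $_.FullName 'Delete' }
```

Entries for administrators and SYSTEM are expected in the output; any other identity listed there, including inherited entries or groups the user also belongs to, can still move or delete the project folder.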