NTFS permissions to modify files but not folder structure

I had a request a little while ago where an end-user wanted a set of users to be able to fully manage the folder structure below a certain folder in share, and for another set of users to be able to create/modify/delete files anywhere within that structure, but be unable to change the structure itself. Sounds very straight forward, but there’s slightly more to it than meets the eye [especially if you’re used to applying one ACE (Access Control Entry) per security group/user].

I’ve created three security groups and am setting permissions on the folder in the share that will contain the managed structure. The groups are:

Root Owners
Root Contributers
Root  Viewers

Root Viewers is purely good practice for limiting access to shares – this could be left out and be replaced with domain users or authenticated users if you wish.

Root Owners have the standard “just less than full administrator” permissions – they do not have Full Control on the parent folder, and are also missing delete, change permissions and take ownership. This ACE is applied to the parent folder, it’s subfolders and files.

It’s the ACE for the Contributers that is where it’s at. Or more importantly, the two ACE’s – one for browsing folders and creating files, and another for modify access on the files.

Let’s start with the files ACE first. Here’s what it looks like:

This is fairly straight forward – it applies to Files Only and contains the permissions to read/write and delete. The important distinction comes from the permissions with two explanations listed:

Traverse Folder / Execute File
List Folder / Read Data
Create Files / Write Data
Create Folders / Append Data

The first items listed are the permissions if the ACE was applied to a folder – the second if the ACE is applied to files. Typically the ACE is applied to “This folder, subfolders and files” so there is no need to separate them out. Since this ACE is being applied to files and we want the security group to be able to save files, we tick the permissions for “Write Data” and “Append Data”. This will not grant this security group the right to create files or folders and the ACE will apply to all files (even ones within subfolders) below the folder where the ACE is applied.

Bearing in mind that the following article applies to Windows 2000 – http://support.microsoft.com/kb/220167 – there is the following stated regarding applying to files only:

“Files only” Apply Onto value, (IO), (OI) ACE flags: ACE does not apply to this container, but propagates to the files it contains. Subfolders do not receive this ACE.

If you were to examine a subfolder you would see that the ACE is received by it and it applies to the files contained within. The same article states the meanings of OI and OI, and it is OI that defines this behaviour:

IO: Inherit Only – This flag indicates that this ACE does not apply to the current object.
CI: Container Inherit – This flag indicates that subordinate containers will inherit this ACE.
OI: Object Inherit – This flag indicates that subordinate files will inherit the ACE.
NP: Non-Propagate – This flag indicates that the subordinate object will not propagate the inherited ACE any further.

The ACE onto folders is somewhat simpler:

We want users in the group to be able to traverse the folder, read data and to be able to create files within subfolders – thus all the relevant boxes are ticked as per the image above – just ensure that this ACE only applies to the main folder and subfolder though.

And that’s it – creating an ACE for read access to the folder is simple enough – but through these two main ACE’s you can deny user’s the ability to alter the folder structure but still allow them to create all the files they like. Quotas notwithstanding of course, but that’s a different matter 😉