NTFS Permissions - execute but not copy?
I have a group of engineering users who have developed software that is available for use by everyone on site. The question they've asked me is: Is there a way to allow everyone to execute their software, but not copy them? At the moment they are simple compiled executable files sitting on a Windows 2000 server share, and users access them via both their Windows NT domain and Active Directory accounts.
I've experimented a bit with the advanced NTFS permissions on the folders, but haven't had any luck. As soon as they have enough rights to execute the programs, they also have the ability to copy them.
Any thoughts?
Answers (6)
Posted by:
VikingLoki
19 years ago
In the file properties, go to Security, Advanced Settings and make it so only Traverse Folder / Execute File is checked. That will make it so they can see it, run it and nothing else. Also be sure that no other properties are inherited for the object and the users you want to restrict aren't members of other groups which would give them access. That may be why you didn't find the solution.
Posted by:
dfinley
19 years ago
Thank you for the suggestion. That was one of the things I tried early on, but with just that specific right assigned to the user, they immediately get an Access Denied when attempting to browse to the folder. Creating a shortcut for them that points directly to an executable inside the folder doesn't work either; it acts like the executable doesn't exist.
I've tried assigning the following specific permissions (to a specific test ID that is not inheriting any allow/deny rights from other groups) and various combinations of them:
Traverse Folder / Execute File
List Folder / Read Data
Read Permissions
It sure sounds like the first one is exactly what I'm looking for, but apparently I don't understand exactly what rights that is giving the user :(
Posted by:
VikingLoki
19 years ago
It won't do what you want on the folder level. To prevent copying, you must give the right to execute and deny the right to read. BUT, if you deny the right to read a folder, you can't see anything in it.
This works on the file level. Apply the above instructions to each individual file that you don't want copied.
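The per-file change described in the answer above, as an added example that is not part of the original thread: it leaves the folder ACL alone (so the folder can still be listed), gives a group only Traverse Folder / Execute File on each executable, and then reports any other entry that still grants Read Data. It assumes a newer Windows host with PowerShell 5.1 or later rather than the Windows 2000 server in the question, and the folder path and group name are placeholders.

```powershell
# Added example: $Folder and $Group are placeholders, not values from the thread.
param(
    [string]$Folder = 'D:\Apps\EngTools',
    [string]$Group  = 'EXAMPLE\SiteUsers'
)
$Rights = [System.Security.AccessControl.FileSystemRights]
$Allow  = [System.Security.AccessControl.AccessControlType]::Allow
$sid    = ([System.Security.Principal.NTAccount]$Group).Translate(
              [System.Security.Principal.SecurityIdentifier])

foreach ($file in Get-ChildItem -LiteralPath $Folder -Filter *.exe -File) {
    $path = $file.FullName

    # 1. Stop inheriting from the folder. ($true, $true) keeps the inherited
    #    entries as explicit copies so administrators are not locked out.
    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $path -AclObject $acl

    # 2. Re-read the ACL, drop every entry for the group, then allow only
    #    "Traverse Folder / Execute File" (no "List Folder / Read Data").
    $acl = Get-Acl -LiteralPath $path
    $acl.PurgeAccessRules($sid)
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
                $sid, $Rights::ExecuteFile, $Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl

    # 3. Report every Allow entry that still carries Read Data. If the
    #    restricted users belong to one of these identities, the
    #    execute-only entry above does not restrict them.
    (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.AccessControlType -eq $Allow -and
                       ($_.FileSystemRights -band $Rights::ReadData) } |
        ForEach-Object {
            Write-Warning ("{0}: {1} still has {2}" -f
                $file.Name, $_.IdentityReference, $_.FileSystemRights)
        }
}
```

Warnings for administrative accounts are expected; a warning for a broad group such as one the restricted users belong to is the situation the first answer cautions about.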
Posted by:
dfinley
19 years ago
Posted by:
VikingLoki
19 years ago
Posted by:
dfinley
19 years ago
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.