How to deny copy permission to AD user for network shared folder?

contact 0 Reputation points
2024-08-28T12:18:15.9433333+00:00

Allow the AD user only read permission on the shared folder. Deny copy permission for the AD user.


2 answers

  1. Mathijs van der Hoek 0 Reputation points
    2024-08-28T13:13:35.5733333+00:00

    I'm sorry, but you can't deny copy permissions without taking away the Read & execute permissions in NTFS.

    However I think the closest way to accomplish your goal is to configure FSRM on your fileserver and create an Active Filescreen that blocks specific file types (you can create a Filegroup by using * for all file types) from being saved or copied.

    The good thing about this is that you are optionally able to generate notifications which tell you who is trying to copy or save the file.

    The bad thing is that it doesn't totally fit your requirement, as this will block these actions for everyone with access on this fileshare. You can work around this by adding the files that may not be copied or saved to a separate folder.

    In the end NTFS is not designed to prevent copy actions so this is the best you can get.
    Perhaps there are some third-party tools but I guess that's out of scope.


  2. Daisy Zhou 22,716 Reputation points Microsoft Vendor
    2024-08-28T14:25:04.65+00:00

    Hello contact,

    Thank you for posting in Q&A forum.

    In Active Directory (AD), you can set up read permissions on a shared folder but still deny copy permissions through more granular control over the actions a user can perform. However, traditional permission settings do not include an explicit "deny copy" option.

    Instead, you can approach this problem with a combination of security measures. Here are a few strategies:

    1. Deny Write and Modify Permissions:

    If a user only has read permissions and is not allowed to modify or write to the files, they won't be able to perform any significant changes. However, this won't explicitly prevent them from copying the files to another location.

    2. Prevent Data Extraction Tools:

    Use Group Policy to restrict access to certain tools that can be used to copy data.

    Disable USB ports to prevent users from copying data to external drives.

    3. Auditing and Monitoring:

    Enable file system auditing to keep track of which files are accessed and by whom. This won’t prevent copying but can help you keep track of file access and identify misuse.

    4. Third-Party Tools:

    Use third-party Data Loss Prevention (DLP) software that offers more granular control over what users can do with the data, such as restricting the ability to copy, print, or email it.

    5. Network Share Permissions:

    Ensure that the share permissions are set to "Read" and NTFS permissions (security tab) are also set to "Read", ensuring that users cannot make changes to the files.

    Here's a basic overview of how to set read-only permissions on a shared folder:

    1. Set NTFS Permissions:

    Right-click the shared folder and select "Properties."

    Go to the "Security" tab.

    Click "Edit" to change permissions.

    Add the specific AD user or group.

    Set the permission to "Read & Execute," "List folder contents," and "Read."

    2. Set Share Permissions:

    Go to the "Sharing" tab in the folder properties.

    Click on "Advanced Sharing."

    Click on "Permissions."

    Add the specific AD user or group.

    Set the permission to "Read."

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

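The read-only NTFS and share permissions and the file system auditing described in the answer above, scripted in PowerShell as an added example that is not part of either answer. The folder path, share name and group name are assumed placeholders; run it from an elevated session on the file server. It does not stop a reader from copying files; the audit rule only records who read them.

```powershell
# Assumed placeholder values: replace with your own folder, share and AD group.
$Path  = 'D:\Shares\Reports'
$Share = 'Reports'
$Group = 'CONTOSO\Report-Readers'

# Apply rules to the folder, its subfolders and its files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None

# NTFS: allow Read & execute, which covers "List folder contents" and "Read".
$acl   = Get-Acl -Path $Path
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Group, 'ReadAndExecute', $inherit, $noProp, 'Allow'
$acl.AddAccessRule($allow)
Set-Acl -Path $Path -AclObject $acl

# Share: allow Read only for the same group.
Grant-SmbShareAccess -Name $Share -AccountName $Group -AccessRight Read -Force | Out-Null

# Auditing: turn on the "File System" audit subcategory, then add an audit
# rule (SACL entry) so successful reads by the group are logged as
# event ID 4663 in the Security log.
auditpol.exe /set /subcategory:"File System" /success:enable | Out-Null
$sacl  = Get-Acl -Path $Path -Audit
$audit = New-Object System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList $Group, 'ReadData', $inherit, $noProp, 'Success'
$sacl.AddAuditRule($audit)
Set-Acl -Path $Path -AclObject $sacl

# Check: list every NTFS entry for the group and flag any that grants more
# than read access (for example, one left over from an earlier assignment).
$writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference -eq $Group } |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited,
        @{ Name = 'GrantsWrite'; Expression = {
            $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $writeBits) -ne 0 } }

# Check: show the share-level permissions now in effect.
Get-SmbShareAccess -Name $Share
```

Other entries on the share (for example, a default grant to Everyone) and permissions the user gets through other group memberships are not changed by this script and should be reviewed in the output.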
