0 Votes
WinWorker-9718 asked MotoX80 commented

Block copy files From File Server to Desktop

Hi,

Here in my company I installed a File Server with old files (older than 2019), and I need to make these files available for consultation by all employees. However, these files mustn't be copied by any user onto their desktops (without change permissions). In short: this File Server will be an Archive server. Is it possible?

Thank you.

windows-server-2012

Just change the permissions on the share to allow only a certain local or AD group to access the share. Then add/remove users as they require access. Or remove the share completely.

0 Votes 0 ·
1 Vote
MotoX80 answered

To expand on DSPatrick's comment, if you allow the users to run Word/Excel on their desktop and read the documents through a file share, then they can do a "file save as" and put it anywhere that their account has write access. Or just use the Explorer and do a copy/paste. You can't stop it if the user has read access.

You have to eliminate the file share from the data access path.

I don't know if any exist, but one thought would be to investigate some 3rd party software that implements a "display only" flavor of Word/Excel in a browser. The users would log on to a web site, select the folders and view the files. The users would be able to see the data but there would be no "save as" option to copy the data. Your organization may have to write your own web application to accomplish that. The web app would need to run on the archive server so that the file can be accessed directly and not through a file share.

Do you have Citrix or a Terminal server where you can publish applications? I am not an expert with MS Office applications, but I would expect that there is some way that you could customize the menu and remove "save as". Turn the archive server into a terminal server and run the published "no save as" versions to allow users to read the data through the published apps.

You could also enable RDP to the archive server and install Office there. Again, you would remove the network share and the users would directly access the file system. You would need to implement firewall rules to block SMB access from the archive server to other file servers and the users desktops.


1 Vote
DSPatrick answered

If you grant read permissions to a file, you also grant the permission to copy it.


--please don't forget to Accept as answer if the reply is helpful--





1 Vote
ElevenYu-MSFT answered

Hi,

Please check if the post below is similar to what you require.
https://serverfault.com/questions/727614/windows-server-share-read-only-from-network-and-write-locally

Otherwise, you might need to search for some third-party software to achieve your requirement.

Thanks,
Eleven


If the Answer is helpful, please click "Accept Answer" and upvote it.


0 Votes
WinWorker-9718 answered

Hi guys,

Thank you for your answers.

@ElevenYu-MSFT ,

I did it in the folders in my File Server, and it works almost fine. The thing is: with this configuration, people in the company I work for can read the docs, but they can't copy their files into their own directory (or whatever directory inside the Archive server). However, they can copy their files to their desktops, or even to another File Server in the environment. This is the thing. I don't wanna allow these copies. The Archive server must be used only for consults. And, this is the issue: each folder has permissions from different departments. Because of it, NTFS permissions must be kept, and copy operations must be denied. That is the scenario, and I don't know how to achieve this...I think I'm almost there...

Thank you.


0 Votes
WinWorker-9718 answered

Hi everyone,

@MotoX80 ,

Thank you for answering. I thought that could be easier...

Ok, I'll try to find another way.

Thank you.


0 Votes
WinWorker-9718 answered MotoX80 commented

Hi all,

I'm back with another question, like the opposite: Is there a way to avoid copying older files (from 31/12/2018 back) to my current File Server? By this, I'd be avoiding copying files from my Archive server to my File Server.

Thank you


Sorry, I don't quite understand the data flow. Is the user running a process (explorer/word/excel) on their desktop, or via RDP on the file server or on the archive server? Are they going through the network share on the archive server, through the network share on the file server, or accessing the local file system somewhere?

If the combination of user+process+computer has read access to the old files, and write access to new server then you won't be able to stop it.

You could always write a PowerShell script that analyzes the files on the new file server and alerts you if it finds a file with a create date from 31/12/2018 or older. Run that script daily on the assumption that in normal cases the users will obey your rules and not copy the files. You'll have to analyze all of your files to see which date property you need to analyze and see if any of the current files would produce a false match.

1 Vote 1 ·
0 Votes
WinWorker-9718 answered MotoX80 commented

Hi @MotoX80

First of all, thank you for answering. Well, I think FSRM doesn't work in this case since it isn't working with old files. I didn't find a feature so that I could block copying files to my File Server earlier than 31/12/2018, and this resource is what I'm looking for.

Is there a tool or command to avoid copying files older than 31/12/2018 to my File Server? Or, quite the contrary, is there a command or tool to avoid copying files from my archive server? One of these options would solve my problem.

Thank you


FSRM is the only tool that I know of that attempts to manage files like that.

Even if you find some 3rd party tool that could block the files, if your users have read access to \\ArchiveServer\Data, then they can copy the files to their desktop, make some trivial change, and then save the files on \\NewFileServer\Data. Your NewFileServer would have no way of knowing where the file came from and it would look like a newly created file.

As I replied earlier you can easily write a PowerShell script to analyze the Created and Modified dates on files. There may be a legitimate reason that your users would need to put a file with an "old" timestamp on your new file server. Threaten the users with termination if you catch them copying files from the archive server.

The only way to guarantee that the archived file data can't be copied is to implement a display only application that is used to access the archived files. You have to eliminate the network share.


1 Vote 1 ·
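The daily timestamp audit suggested in the two comments above could look like the following. This is an added example, not code posted by anyone in the thread: the function name `Find-PreCutoffFile`, the temporary demo folder and the two sample files are constructed for illustration, and the cutoff follows the thread's 31/12/2018 date.

```powershell
# Added example. Find-PreCutoffFile is a hypothetical name, not a built-in cmdlet.
function Find-PreCutoffFile {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Files dated 31/12/2018 or older are strictly before 1 Jan 2019.
        [datetime]$Cutoff = [datetime]'2019-01-01'
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Check both properties: an Explorer copy normally keeps the
            # Modified date but stamps Created with the time of the copy.
            $hits = @()
            if ($_.CreationTime  -lt $Cutoff) { $hits += 'Created' }
            if ($_.LastWriteTime -lt $Cutoff) { $hits += 'Modified' }
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Matched  = $hits -join ','
                    Created  = $_.CreationTime
                    Modified = $_.LastWriteTime
                    Owner    = (Get-Acl -LiteralPath $_.FullName).Owner
                    FullName = $_.FullName
                }
            }
        }
}

# Constructed sample data so the example runs without touching a real share.
$demo = Join-Path $env:TEMP ('archive-audit-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -Path (Join-Path $demo 'report-current.txt') -Value 'new file'
$copied = Join-Path $demo 'budget-2017.txt'
Set-Content -Path $copied -Value 'copied from archive'
# Simulate a file copied from the archive: old Modified date, fresh Created date.
(Get-Item -LiteralPath $copied).LastWriteTime = [datetime]'2017-06-30'

$found = @(Find-PreCutoffFile -Path $demo)
if ($found.Count -gt 0) {
    Write-Warning "$($found.Count) file(s) carry a timestamp before the cutoff"
    $found | Format-Table Matched, Modified, Owner, FullName -AutoSize
}
Remove-Item -LiteralPath $demo -Recurse -Force
```

Pointed at the real share and run daily as a scheduled task, the output is a list to review rather than proof of copying: as the thread notes, files can legitimately carry old timestamps, and an archive file that was opened and re-saved will look new.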

Hi @MotoX80

I'll give up. I think that's not possible. I hope workers here don't copy back the files to File Server...anyway.

Thank you very much.

0 Votes 0 ·

Good luck.

0 Votes 0 ·