We have the following layout:
• Shared Folder "Clients"
• Level 1 ("Client A"/"Client B"/"Client C"/etc)
• Level 2 ("Folder 1"/"Folder 2"/"Folder 3"/"Folder 4")
• Level 3 ("Word Docs / Spreadsheets / Raw Data / etc")
Users have a mapped drive and access the folders as follows: Clients on server T:\Client A\Folder 1\Word Doc1.doc. Each Client folder has 4 subfolders at Level 2 as shown above.
The problem we have is users are accidentally saving/moving/deleting folders at Level 1 and Level 2.
We have a group called Admin Staff who are the users who create the folders at Level 1 and Level 2 when a new client is added onto the system. These users need to create / delete / amend all details at all levels.
All other users, for example Domain Users, must not be able to make any changes to Level 1 or Level 2 folders. However, they must be able to work within the various folders at Level 3. At Level 3 the users can create their own subfolder structure if they like, and we are happy for all users to have read/write/modify at this level.
What is the best way to configure network permissions to achieve this task, to prevent users moving folders by mistake or deleting client folders?
Thanks
We have one folder that was constantly getting moved by accident into neighboring folders, so we created a hidden folder called '~Anchor' that users don't have rights to do anything with. This seems to be the first thing that the system attempts to move, and so it prevents any other part of the folder tree from being moved, while still leaving users the ability to rename and move all the subfolders and files around if they need to.
This is what I would do:
Level 1 & 2 - Admin Group - Write, Modify, Read, etc. Users - Read, List Folder Contents, Read and execute
Bottom levels - Users - add Write and Modify permissions.
You can add permissions at the lower levels w/ no problems. Taking away permissions at lower levels is where you have to remove the inheritance and then copy permissions, then remove what you don't want.
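One way to script the allow-only layout from the answer above, as an added example that is not part of the original thread: it scopes user rights with "this folder only" and "subfolders and files only" entries, so no Deny entries are needed and inheritance is only broken at the share root. The local path and the EXAMPLE domain group names are assumptions.

```powershell
# Added example. Path and group names are assumptions; adjust before use.
$Root       = 'D:\Shares\Clients'       # local folder behind the "Clients" share
$AdminStaff = 'EXAMPLE\Admin Staff'     # placeholder domain
$Users      = 'EXAMPLE\Domain Users'

function New-Rule {
    param([string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit = 'None',
          [System.Security.AccessControl.PropagationFlags]$Propagate = 'None')
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inherit, $Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Set-FolderRules {
    param([string]$Path, [bool]$Protect, [object[]]$Rules)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($Protect, $false)   # $true = stop inheriting from parent
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Users)  # drop old explicit user ACEs
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Read-only on the folder itself: no Delete here and no "delete child" on the parent,
# so ordinary users cannot move, rename or delete the folder.
$readThisFolder = New-Rule $Users 'ReadAndExecute'

# Share root: admin rights inherit to every level; users read this folder only.
Set-FolderRules $Root $true @(
    (New-Rule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit'),
    (New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl' 'ContainerInherit, ObjectInherit'),
    (New-Rule $AdminStaff              'Modify'      'ContainerInherit, ObjectInherit'),
    $readThisFolder)

foreach ($client in Get-ChildItem -LiteralPath $Root -Directory) {                 # Level 1
    Set-FolderRules $client.FullName $false @($readThisFolder)
    foreach ($folder in Get-ChildItem -LiteralPath $client.FullName -Directory) {  # Level 2
        Set-FolderRules $folder.FullName $false @(
            # Users may add files and folders inside the Level 2 folder ...
            (New-Rule $Users 'ReadAndExecute, CreateFiles, CreateDirectories'),
            # ... and get Modify on everything below it (Level 3 and deeper).
            (New-Rule $Users 'Modify' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
    }
}
```

Run it from an elevated session on the file server, and run it again after a new client is added, since newly created Level 1 and Level 2 folders only inherit the admin entries. Explicit entries for other groups that already exist on these folders are left in place and should be reviewed separately.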
It is much better to deny the delete privilege for the target users, since "Modify" permissions imply "Delete", which is what happens when you move the directory.
This is significantly faster and easier (instead of the GUI) if you use the Xcacls.vbs tool. The command might look something like this:
The options I chose include the "This folder and subfolders only", so it will not inherit to prevent people from deleting or moving files, but you will want to run the command for each directory you want to protect.
You'll have to create a read-only ACL on the top-level folder itself and remove inheritance/propagation, then read-write to its contents and possible sub-folders. Sounds like a mess. Good luck.
If your users are anything like ours, the most likely cause of accidental moves is inadvertent clumsiness during drag and drop operations. Maybe some tuning of the DragHeight and DragWidth settings under HKCU\Control Panel\Desktop might be a less radical solution?