
A little background: I've got a Citrix server with about 20 accounts that are used in a round-robin fashion by various remote users to access a published application. This application allows users to upload documents to a common directory, and these accounts all have the same access to the filesystem. Recently there's been some concern regarding the ability for users to overwrite, rename, or delete files in the upload directory (none of the Citrix accounts are tied to users within the published application, so app-enforced restrictions won't apply).

I'd like to give this group of Citrix users the ability to create and read files in the upload directory, but not the ability to rename, delete, or overwrite existing files. Is this possible? I'm thinking something along the lines of the following, but I'm not entirely sure whether this would prevent renaming or overwriting.

revoke delete permissions (D - delete):

    icacls <document dir> /deny Everyone:D

grant write data/add file (WD - write data/add file):

    icacls <document dir> /grant <citrix group>:(WD)

grant read (GR - generic read):

    icacls <document dir> /grant <citrix group>:(GR)

Oliver Salzburg
nerraga

0 Answers