Permissions to create files and folders but only modify owned files

The keys you're missing are the CREATOR OWNER identity and the "Apply To" setting.

Apply the following permissions to your shared folder to allow the Everyone identity to create files & folders, but only a file or folder's* owner (CREATOR OWNER identity) to edit/rename/delete it:

+---------------+--------------------------------+----------------------+
| Identity      | Permissions                    | Apply To             |
+---------------+--------------------------------+----------------------+
| Everyone      | Read & Execute                 | This folder,         |
|               |                                | subfolders and files |
+---------------+--------------------------------+----------------------+
| Everyone      | - Create files / write data    | This folder and      |
|               | - Create folders / append data | subfolders           |
+---------------+--------------------------------+----------------------+
| CREATOR OWNER | Full control                   | Files only           |
+---------------+--------------------------------+----------------------+
| CREATOR OWNER | Delete                         | Subfolders           |
|               |                                | only                 |
+---------------+--------------------------------+----------------------+

What we're doing here is granting Everyone enough permissions to Read everything in the folder and create files & folders, but that's it. Then the CREATOR OWNER permissions take over. When an object is created, Windows applies any permissions granted to the CREATOR OWNER identity to the object's creator.

So Full Control on Files only allows the creator of a file to do anything with it he wishes. The Delete on "Subfolders only" is a bit more obscure; this is necessary to allow the creator of a folder to 1) Rename, and 2) Delete it. However, if a folder owner attempts to delete a folder that contains files or folders he does not own, then the delete operation will fail.


*These permissions allow modifying folders owned by a user, which you did not specifically request. However, if you don't allow this, then users can create a folder but not rename it. This is problematic, for example, if a user creates a folder via the Windows context menu. In this case Windows first creates a folder named New Folder then prompts the user to rename it, but once it's first created the user would in fact not be able to rename it.


I don't have enough reputation to comment, so I must post this as an answer. To add to twisty's answer, I would suggest using "Authenticated Users". Many people use "Everyone" when they really want to use authenticated users. The difference is: Authenticated users only allows valid users who aren't guests or anonymous. Everyone allows anybody access. If you want to grant access to employees with valid accounts, use "Authenticated Users"

The Everyone group is a superset of the Authenticated Users group. It includes the Authenticated Users group and the Guest account. An important difference between the Everyone and Authenticated Users groups lies in their Guest and Anonymous accounts’ membership.

Reading material: https://www.itprotoday.com/security/authenticated-users-group-vs-everyone-group