Inherited Rights/NTFS Folder Permissions...

Posted on 2004-11-12
Last Modified: 2013-12-04
When assigning NTFS group rights to a folder, how do I force rights to be inherited by folders that are specifically set NOT to inherit rights?  (I don't want to replace rights... I want to ADD rights and have only the added rights propagate all the way down the folder structure)

Example.  F:\Main\Dept-10\production\wave1\data

F:\Main (rights are not inherited and are specifically defined)
F:\Main\Dept-10 (rights are not inherited and are specifically defined)
F:\Main\Dept-10\production  (rights are inherited)
F:\Main\Dept-10\production\wave1 (rights not inherited)

If I want to give the group "checkers" read rights to F:\Main and everything below it, assigning that group read rights to F:\Main will work ONLY for this directory as the next directory is SET NOT to inherit rights.   This example is only a few layers deep.   If we have directory structures where rights are SET NOT to inherit rights dozens of layers deep, there is no way to quickly identify those nor would we want to have to find each inherited rights break to assign the proper specified rights.

I must be missing something, but where is the magic button to force JUST THE NEWLY ADDED RIGHTS to propagate all the way down the structure?  In the example above, in order to give the "checkers" group read rights to a file in the F:\Main\Dept-10\production\wave1 folder as well as ALL FILES IN BETWEEN, I would have to manually assign the "checkers" group to each directory where rights were set NOT to inherit rights.  This just doesn't seem right.

I've played with the "replace all permissions on all child..." options in the Advanced tab, but all that does is replace everything on all child objects to whatever you currently have on the folder at hand.    I want to apply only NEW changes to all child objects  (basically add the new NTFS group right), not replace or change child objects to the existing set of NTFS rights.

Coming from the NetWare world, this seems entirely restrictive in how you can implement different security rights throughout a file server structure in an efficient manner.

Question by:rdelrosario
    LVL 4

    Accepted Solution

    Good question.  There is no answer though.  I use the following tool for those situations.  The site license was really reasonable.  3rd party is the only way to do what you're describing.
    LVL 4

    Expert Comment

    The reason I bought it was because the help desk needed specific "special" rights to every file on every file server (about 50 file servers and what feels like billions of files).  We have a mix of inheritance and there was only one tool that MS had to do what we wanted.  These were Perl scripts on the 2000 resource kit supp 1.  The tools caused us some pretty severe damage although we never actually pinned our problems to the tools.  The tool was FILEDACLS.PL and requires the active perl extensions be installed.  Why there are Perl scripts for ACLs on a W2k res kit is beyond me.  It was run on a handful of servers, and a majority of them died with identical results (sorry I don't remember what that was, but they were pretty dead).  The good thing is that we have LANMAN shares backed up and good tape backups, and parallel installs of the OS so recovery usually took about 15 minutes.
    LVL 82

    Assisted Solution

    Open a command prompt on the server in question, and enter
    cacls F:\Main /t /e /g checkers:R
    cacls is the command line tool to change NTFS permissions. This will process the folder F:\Main, it will process the folder and its subdirectories (/t), it will edit the ACLs (/e) instead of replacing them (do NOT forget the /e, or you'll have to reassign the permissions ...), and it will grant (/g) the group "checkers" read access (R). If it's a global group, you might have to add the domain name in front of the group name: YourDomain\checkers.
    You can of course try that on a test structure with similar permissions before you use it for real.
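
The thread's core difficulty is locating every folder where inheritance is switched off and adding one ACE there without replacing the rest. The following PowerShell sketch is an added example, not part of the original answers: it assumes PowerShell 3.0 or later, the function name `Add-ReadAceAtInheritanceBreaks` is hypothetical, and `ReadAndExecute` is chosen here as the "read" right.

```powershell
# Added example (not from the thread). Adds one inheritable read ACE at the root
# and at every subfolder that blocks inheritance; all existing ACEs are kept.
function Add-ReadAceAtInheritanceBreaks {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Root,       # e.g. 'F:\Main'
        [Parameter(Mandatory)] [string] $Identity    # e.g. 'YourDomain\checkers'
    )

    # ACE that applies to the folder itself and is inherited by subfolders and files.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'ReadAndExecute', $inherit, 'None', 'Allow')

    # The root always gets the ACE. Below it, only folders whose ACL is "protected"
    # (inheritance disabled) need their own copy; everything else inherits it.
    $targets = @(Get-Item -LiteralPath $Root)
    $targets += Get-ChildItem -LiteralPath $Root -Recurse -Directory |
        Where-Object { (Get-Acl -LiteralPath $_.FullName).AreAccessRulesProtected }

    foreach ($dir in $targets) {
        if ($PSCmdlet.ShouldProcess($dir.FullName, "Add read ACE for $Identity")) {
            $acl = Get-Acl -LiteralPath $dir.FullName
            $acl.AddAccessRule($rule)                 # merges with existing rules
            Set-Acl -LiteralPath $dir.FullName -AclObject $acl
        }
        $dir.FullName                                 # report each folder selected
    }
}

# Dry run: lists the inheritance breaks under F:\Main and changes nothing.
Add-ReadAceAtInheritanceBreaks -Root 'F:\Main' -Identity 'YourDomain\checkers' -WhatIf
```

Drop `-WhatIf` to apply the change after reviewing the list on a test structure. Individual files that have inheritance disabled on their own ACL are not covered by this folder-level pass.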

    Author Comment

    I looked at the Security Explorer tengage recommended and it is very comprehensive.   It is cheap as well. I downloaded it and will try it out.   The command line thingy looks good too, but leaves me nervous about someone making a mistake.

    Can both of you really tell me that this is it... there is really no magic button built into the security tab that I'm just missing?   How can Microsoft leave this functionality out of the GUI?   Is this that uncommon of an issue?

    I really have to say that this is where Novell shines...

    LVL 82

    Expert Comment

    Nope, no magic button, sorry. The "error factor" when using the command line actually isn't much higher (if at all) than in the GUI; changing permissions requires some knowledge about what you're doing, with or without images.
    LVL 4

    Expert Comment

    I used cacls and have had some mixed results.  It seems that when I used it in my situation, it appeared to work but when I went to view the properties of some folders, and click the "security" tab I kept getting these messages "the security acls are incorrectly ordered" or something like that.  If I clicked OK on the message I could view the permissions and they appeared fine, but the message bothered me.  I reverted to XCACLS, but then broke down and bought the tool.  It can be scripted and I especially love its ability to "Back Up" permissions.

    NOVELL is definitely more robust here.  I don't know why shares are not an integral part of AD as well as printers as in Novell.
    LVL 82

    Expert Comment

    You probably used cacls on a pre-SP2 system; this error is fixed in the meantime:
    Cacls.exe Orders ACEs Incorrectly When Granting Rights
