Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 599
  • Last Modified:

NTFS Permissions

I'm trying to achieve the following but having some difficulty getting it right. Given a folder structure as such:

HOME >
   FOLDER1 >
      file1a.a
      file1b.a
         FOLDERa >
            fileaa.1
            fileab.1
   FOLDER2 >
      file2a.a
      file2b.a
   FOLDER3 >
      file3a.a
      file3b.a
file4a.a
file4b.a

For one particular group:
1. Deny the ability to add files to the HOME folder (only the HOME folder, subfolders okay)
2. Deny the ability to rename, move or delete any of the folders in HOME (create folders is okay, and modifying subfolders is okay)
3. Full control of any file NOT directly in the HOME folder (like file3a.a, but NOT file4a.a)

Anyone want to take a try at this?
0
DVation191
Asked:
DVation191
  • 5
  • 3
1 Solution
 
Netman66Commented:
Hi DV,

Okay, this shouldn't be too bad.

Assign permissions as normal - so that your groups have what they need.  Make sure inheritance is being used so parent permissions flow down through the tree.

Now....

1)  In the Advanced settings of Security on HOME - add the group you want to deny adding files (it may already be there, but add it a second time).  In the permssions applet, make sure in the dropdown there shows only "This folder only" then check the box under Deny for Create Files / Write Data.  That should take care of that one.

2) Same as above - add the group once more (so you may have them 3 times) in Advanced.  Change the scope in the dropdown to This Folder and subfolders.  Deny Delete.

3)  This will depend on you giving them Full Control of files right from the parent first.  Add the group again in Advanced - change the scope to Files.  Give them Full Control.  Make sure the checkbox for "Apply these permissions .... " is checked.  This will give them Full Control all the way down.

3a)  Now, you need to determine what you want to prevent them from doing with the files in HOME.

Let me know.
0
 
DVation191Author Commented:
Ok we are well on our way here. A few problems with this setup...

1) DENY is in effect for the ability to create or rename folders in the HOME folder, but I was able to delete them. DENY delete needs to be in effect...and ONLY for the HOME folder, no subfolders and files in subfolders of HOME should be ALLOW Full Control for all users.

2) DENY is in effect for the ability to create, delete or modify folders and files that are in subfolders of HOME. It's only the first level of HOME that I want the restrictions on,..the rest of the subfolders and files should be Full Control.

3) The files that appear in HOME (not those that are in subfolder, just files that are in HOME itself) are DENY change and DENY create...but I am able to delete files. I want to DENY the ability to delete the files directly in HOME as well.

I'll see if I can solve some of these problems myself...but its a good start. I'll wait to here back from you.
0
 
DVation191Author Commented:
I also had to add the "Traverse Folder/Execute File" and "List Folder/Read Data" ALLOW permission for the group so they could browse the folder and run files.
0
Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

 
DVation191Author Commented:
This could get confusing quick, so let me type out the permissions for this folder so far..maybe I didn't follow your instructions right:

Permission Entries for HOME
DENY      MyGroup <This Folder and Subfolders> DENY 'Delete'
DENY      MyGroup <This Folder Only> DENY 'Create Files/Write Data'
ALLOW   MyGroup <This Folder, Subfolders and Files> ALLOW 'Traverse Folder/Execute File' & ALLOW 'List Folder/ Read Data'
ALLOW   MyGroup <Files Only> ALLOW 'Full Control'
0
 
Netman66Commented:
That looks right.

What's missing?
0
 
DVation191Author Commented:
"What's missing?"
...all the things I pointed on in my first comment :(

Anyway, I've made some modifications since then and I think I'm just about there. This is what I have now:

Permission Entries for HOME
DENY      MyGroup <This Folder and Subfolders> DENY 'Delete'
DENY      MyGroup <This Folder Only> DENY 'Create Files/Write Data', DENY 'Delete Subfolders and Files', DENY 'delete' + "Apply these permissions [...] within this container only"
ALLOW   MyGroup <This Folder, Subfolders and Files> ALLOW *all permissions* except 'Full Control', 'Change Permissions' and 'Take Ownership' .... I decided I didn't want them to be able to change these things
ALLOW   MyGroup <This Folder and Files> ALLOW 'Create Folders/Append Data' + "Apply these permissions [...] within this container only"

So far this seems to work, though I'm still testing :)
0
 
Netman66Commented:
OK, I would have assumed you gave your group the overall permissions at the parent so the are inherited then simply used the restrictions discussed to tighten things up.

As long as the parent propogates the correct "Allows" to the child folders then you should simply be able to restrict this group further down as you are working on.

0
 
DVation191Author Commented:
Got it working. Thanks Netman! Huge help!
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now