Restricted access to folders for some users using NTFS

We have a network share containing 50+ folders on a Windows 2003 server accessed by Windows XP clients, for general shared use. Share permissions are Full Control for Everyone, and NTFS permissions set to Read & Execute, List Folder Contents, and Read for the Users group. Sub Folders have the modify right set for the users group, so that users can create, read and delete files.

I need to restrict access to this share by a certain set of users (members of a single group) so that they can only read files from one folder.

How is this best achieved using NTFS permissions?
Who is Participating?
TheMetrixConnect With a Mentor Commented:
You keep adding more and more requirements and complexity with each comment. Make up your mind here and be specific.

1st You have the Everyone Group which is EVERYONE to include the group you want to restrict. And you have Group 1 (The restricted Group)

If you do not want the Everyone Group to see a folder that only Group 1 is to have access to then Move the Folder out of the Common Share. Share the Restricted Folder and Allow only Group 1 Access both by Share Permission and NTFS Permission. Meaning Remove the Everyone Group. Then with the Common Share you will need to Add Group 1 and Deny them permission to the Common Share.

2nd you need to split your users up by group and or OU to give yourself more versatility. To try and restrict users when the majority of your users belong to Only the Everyone Group can be confusing and difficult as you have already noticed.
Change the NTFS Permissions to:

Administrators: Full Control
Users: Read Only
Add the other groups to have Modify Access

It might seem like a bit too much work for something so easy but it will give you more granular control.
sustransAuthor Commented:
I'm not sure I explained myself too well. I need users in a certain group to only see FolderX and none of the other folders on the share.

The others users are (generally) not in specific groups, and I do not want to have to modify the rights on all the other folders (or remember to do so on any new folders in the future).
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

More clearity is good.

If the folder you wish to change permissions for is below the root share - Open up the Security Tab for NTFS Permissions. Click on Advance Button, on the advance tab remove the check mark from "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicityly defince here"

You will a pop-up asking if you want to remove or copy all of the groups/users permissions from the parent. Click on Copy, after you click on Copy you will be taken back to the Properties page, Remove Users/Everyone group and add the Group you want to explicit permissions to that folder. Login as a test users for that Group to test the permissions.
Also, have you thought of using Organizational Units (OU's) to manage you users? You might find it to be much easier to manager your domain this way.
sustransAuthor Commented:
The problem with the above solution is that it restricts the folder to the specific group, but that group can see all the other folders by virtue of its members being in the users group. What I need is for the specific group to be denied access to all folders other than the one I nominate.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.