
Best way to configure NTFS Permissions for our requirements?


I am looking for some advice on the best way to configure the NTFS permissions that we require on our T drive on our network. The server is running Windows 2003 Enterprise Edition.

We have the following folder structure.

T:\ - contains all the client folders

For Example:


Each client folder has up to 6 subfolders for example:

T:\client1\Audit and Accounts
T:\client2\Audit and Accounts

We currently have it set up so that domain admins and power users have full control over all client folders and subfolders & files. We then have "Domain Users" with Modify NTFS permissions on all the folders.

The down side to this is that users seem to be accidentally moving the key folder structure.  For example a user might accidentally drag client1 into the client2 folder by mistake.  Or move Permanent into Correspondence by mistake.

Ideally what we need is the following:

T:\
Domain Admins / Power Users Full Control to add new client folders or amend different ones. Domain Users Read Only.

T:\client1
Domain Admins / Power Users Full Control. Domain Users Read Only - so they can't move the folders by mistake.

T:\client1\Audit and Accounts
Domain Admins / Power Users Full Control. Domain Users Read Only.

T:\client1\Audit and Accounts\*.*
Domain Users need read/write/modify here so that they can create their own files and folders within a client area.
Domain Admins / Power Users Full Control.

Is there an easy way to set these permissions up with inheritance so that once we configure the permissions for a client folder that is done, without giving users the ability to move folders they shouldn't be moving?

Other consideration is what happens when a power user creates a new client folder and adds the subfolders.  Would we need to run a script to reapply permissions to the client folders and the subfolders?


1 Solution

Krzysztof Pytko, Senior Active Directory Engineer, commented:
Set at the top read access, and on lower level set modify
cloughs (Author) commented:
If you set modify on the client sub folders then users can still move the subfolders...

Your structure looks fine, but I see one small problem.

As long as Domain Users have modify rights on T:\Client1\Audits and accounts\ they can't have read only at the same time. To make things easier, here's how I would proceed :

- add one level like T:\Client1\Audits and accounts\Data

- position ACLs as follows :

T : Domain admins / power users : Full control. This folder, subfolders and files (inherited on whole tree)

T:\Client1 : Nothing to add for DA / PU (inherited). Add Domain Users : read only. This folder only (not propagated)

T:\Client1\Audits and Accounts : Nothing to add for DA / PU (inherited). Add Domain Users : read only. This folder only (not propagated).

T:\Client1\Audits and Accounts\Data : Nothing to add for DA / PU (inherited). Add Domain Users : Modify. This folder, subfolders and files (inherited on rest of tree).

Hope this helps.

cloughs (Author) commented:
That sounds like one option, the only problem being creating the sub folder within each client's subfolder. There are thousands of client folders so that would be quite a big task to do.

I wonder why Microsoft didn't make a Move permission that was easy to allocate to users/groups...?

T:\
Domain Users - Read - ok

T:\client1
T:\client2
Domain Users - Read

If you set it up so that a customer can enter the folder of another client, this may be undesirable. Here it is best to remove the Domain Users group and add each user's own account to their folder with Read permission from here down.

But if a client accessing the folder of another is not a problem, you can leave it as is.

T:\client1\Audit and Accounts
T:\client1\Correspondence
T:\client1\Permanent

Put the user account on those folders with Modify permission.

Here you have to go to Security, Advanced, Permissions tab, click the user, then the Edit button, and select "Subfolders and files only".

With this, the user reads, writes, deletes and creates, and only moves objects within a folder, just the way you want.

If you want to do it all through scripts, study the cacls command in Windows.
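Added example, not code from the original thread: a PowerShell script that applies the layout described in the answer above (Read on the client folder and its subfolders, Modify on "Subfolders and files only"), and covers the earlier "Data" answer as well, since the same Modify rule with "This folder, subfolders and files" inheritance placed on a Data folder reproduces that layout. One caveat the thread does not spell out: an ACE scoped to "Subfolders and files only" grants nothing on the folder itself, so with Modify there alone a user could not create a new file or folder directly inside "Audit and Accounts". The script therefore also gives Domain Users a non-inheriting ACE on each subfolder with Read plus "Create files" and "Create folders" but without Delete, which is the right that would let them rename, move or remove the subfolder. Assumptions: PowerShell is installed on the file server, the script (called Set-ClientAcl.ps1 here) runs as a member of Domain Admins, DOMAIN is a placeholder for your NetBIOS domain name, the subfolder names are the three from the question, and Domain Admins / Power Users Full Control is already inherited from T:\ and is left untouched.

```powershell
# Added example, not code from the original thread. Applies the per-client ACL layout
# discussed above with PowerShell instead of the GUI or cacls/xcacls.
# Assumptions (placeholders, adjust for your domain): runs on the file server as a member
# of Domain Admins, the group is DOMAIN\Domain Users, and Domain Admins / Power Users
# already have Full Control inherited from the root, which this script does not touch.

param(
    [string]$Root = 'T:\',
    [string]$ClientPath,                       # set to re-apply for one new client folder only
    [string[]]$Subfolders = @('Audit and Accounts', 'Correspondence', 'Permanent'),
    [string]$UsersGroup = 'DOMAIN\Domain Users'
)

$group = New-Object System.Security.Principal.NTAccount($UsersGroup)
$Allow = [System.Security.AccessControl.AccessControlType]::Allow

# The GUI "Applies to" choices expressed as inheritance/propagation flags:
$NoInherit   = [System.Security.AccessControl.InheritanceFlags]::None                       # "This folder only"
$Inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoProp      = [System.Security.AccessControl.PropagationFlags]::None                       # "This folder, subfolders and files"
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly                # "Subfolders and files only"

# Rights. An ACE scoped to "subfolders and files only" grants nothing on the folder itself,
# so the folder-level ACE must carry CreateFiles/CreateDirectories or users could not create
# anything in it. Delete is deliberately absent there, so Domain Users cannot rename, move
# or remove the folder itself.
$ReadHere    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$CreateHere  = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, CreateFiles, CreateDirectories'
$ModifyBelow = [System.Security.AccessControl.FileSystemRights]::Modify

function New-Ace([System.Security.AccessControl.FileSystemRights]$Rights,
                 [System.Security.AccessControl.InheritanceFlags]$Inh,
                 [System.Security.AccessControl.PropagationFlags]$Prop) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($group, $Rights, $Inh, $Prop, $Allow)
}

function Set-GroupAces([string]$Path, [System.Security.AccessControl.FileSystemAccessRule[]]$Rules) {
    $acl = Get-Acl -Path $Path
    # Replace rather than stack: drop the group's explicit ACEs (inherited ones are untouched),
    # so the script is safe to re-run after a power user adds a client folder.
    $acl.PurgeAccessRules($group)
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
}

function Set-ClientFolderAcl([string]$Client) {
    # Client folder: Read, this folder only. No Delete here and no "Delete subfolders and
    # files" on T:\, so client1 cannot be dragged into client2.
    Set-GroupAces -Path $Client -Rules @((New-Ace $ReadHere $NoInherit $NoProp))
    foreach ($name in $Subfolders) {
        $sub = Join-Path $Client $name
        if (-not (Test-Path $sub)) { New-Item -ItemType Directory -Path $sub | Out-Null }
        # Subfolder: read + create on the folder itself, Modify on everything created below it.
        Set-GroupAces -Path $sub -Rules @(
            (New-Ace $CreateHere $NoInherit $NoProp),
            (New-Ace $ModifyBelow $Inherit $InheritOnly)
        )
    }
}

if ($ClientPath) {
    Set-ClientFolderAcl $ClientPath
} else {
    # Root: Read, this folder only, so users can browse the client list but not reshuffle it.
    Set-GroupAces -Path $Root -Rules @((New-Ace $ReadHere $NoInherit $NoProp))
    Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } |
        ForEach-Object { Set-ClientFolderAcl $_.FullName }
}
```

Run .\Set-ClientAcl.ps1 once to process every client folder under T:\, and .\Set-ClientAcl.ps1 -ClientPath T:\client1234 after a power user creates a new client folder; re-running is safe because the group's explicit ACEs are replaced rather than stacked. Verify the result on one client with Get-Acl "T:\client1\Audit and Accounts" | Format-List: Domain Users should show one non-inherited entry without Delete and one entry with InheritOnly propagation carrying Modify.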
As regards bulk adding the "Data" directory, if your whole structure is as shown in your example, here's what you can do :

- create a text file containing your client numbers (only the number, 1 to n)
- name your file dirs.txt

create a .bat file with the following command :

rem Run from T:\ - reads one client number per line from dirs.txt and creates the Data
rem subfolder under each standard client subfolder. Inside a .bat file the loop variable
rem is written %%A (at an interactive prompt it would be %A).
for /F %%A in (dirs.txt) do md "Client%%A\Audit and Accounts\Data" & md "Client%%A\Correspondence\Data" & md "Client%%A\Permanent\Data"

Save this file at root level (on T:)

Execute to bulk create the dir in your structure. I tested it successfully on a sample tree but I still suggest you start by putting only 2 numbers in your dirs.txt :o)

Then you can continue automating using xcacls as roberto suggested.

The advantage is that it will be easier to simply add simple permissions rather than modify effective permissions.

cloughs (Author) commented:
Thanks for your help everyone, going to give it a try this evening :)
Another suggestion to complement all the suggestions above is to create new AD Security Groups for each level at which you are applying changes.

Being able to manage accessibility via AD Users & Computers far outweighs the effort to set up the groups. You can then nest and control from any PC using MMC.

If you apply directly to security, how do you truly know who has what rights? Trust me that the above will save you a motza amount of time in the long run :-)
cloughs (Author) commented:
Good plan about the AD Groups, that will shorten the job considerably. Just looking into xcacls.vbs, which seems quite powerful.