Setting up restricted folders in Win 2008 Server


I have a generic share on Win2008 server where all users save documents that they would like backed up every night. In one of the folders on that share, I would like to restrict it so that only 3 users have the ability to see/change any of the items in that folder (HR stuff).

How do I set this up? I thought it should be obvious, but there is sharing AND security, and the security seems to not let me revoke permissions to the whole AD user group ("Users") and grant permissions to the 3 who need access to it.

In other words:

G drive is shared with all authenticated AD users.
    inside the G drive, I have a Human Resources folder. I only want the HR director, the owner, and the admin to have access to this folder.

How do I do this?


Who is Participating?
Adam BrownConnect With a Mentor Sr Solutions ArchitectCommented:
Right click on the folder and select properties. Click the security tab, then click advanced. Click change permissions, then remove the check mark from the "Include inheritable permissions from this object's parent" box. Click apply. A box will come up telling you if you proceed that inheritable permissions will no longer propagate. Click the Remove button and that will clear all the inherited permissions on the folder. Once that's done, add the users/groups that you want to allow access to the folder. Do not list the groups that you don't want to have access, and do not use Deny permissions on any groups that the users you want to have access to the folder belong to. Deny permissions will over-ride any allow permissions you have in place.
For simplicity's sake it may be better to set up a new directory ( not inside the one you have ) and do permission from scratch, as well as have your backup system make sure it is backed up seperately.

Other option is to turn off inherited permissions and do it inside the present share

In addition to the above, if you are using a shared folder, you need to verify that everyone has read/write access to the share.  By default, users will only have read access which will deny them access to actually put a file in the shared folder.  The most restrictive permission wins.  I usually give everyone full control in the share permissions and then restrict it with the NTFS permissions (security tab).
Adam BrownSr Solutions ArchitectCommented:
The recommended best practice is to set Share permissions so the Authenticated Users Group (And Domain Computers, if computer accounts need access to the share) has full access to the share. There are some security concerns with setting share permissions to allow Everyone.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.