We help IT Professionals succeed at work.

How to restrict directory access on network share to small subset of users / Why are "Allow" checkmarks greyed out?

ZuZuPetals
ZuZuPetals used Ask the Experts™
on
We have a network share on our LAN.  It contains some directories.  I wish one of the directories to only appear for about five employees in the company who coincidentally are in the Administrators group..  What is the easiest way to pull that off without access the Active Directory or RDP onto the machine itself?  I can have the Sys Admin guy do that but I was wondering if a user like me could do it.

From my computer I just right-clicked the directory's Properties to view the Security tab.  If I drill in a bit I get the attached screen shot.

It's my understanding if I click "deny" for the Everyone group that will block EVERYONE but me, so that is not the correct way.  Evidently, deny overrides other access.

So, methinks I would just un-check the "Allow" checkboxes for the Everyone... that would alllow the Administrators to have access as desired.

BUT, I can't uncheck the Everyone "Allow" access because they are GREY... locked somehow.

How do I get around this?
What is the most straightforward way to only allow Admins to this "test" directory?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Author

Commented:
Here is the screen shot.
Permissions-for-test-2012-04-17-.jpg
Steven CarnahanAssistant Vice President\Network Manager
Commented:
The folder is inheriting the rights for "everyone" from the folder above. Since you do not have the ability to edit inherited rights (I don't see the Modify button) you would not be able to change what "everyone" has.
Top Expert 2012
Commented:
They are greyed out more than likely since you aren't an Admin - are you?

The proper way to deny users access to directory is remove Everyone group, not Deny since you are also in the Everyone group and thus will be denied if that is checked

You remove the groups you dont want to allow access to, and leave the groups in that need access...
Steven CarnahanAssistant Vice President\Network Manager

Commented:
I agree with smckeown777 that you are not an admin (refer to my mentioning no modify button before) however you appear to have some authority since you have the Add and Remove buttons.

Following up with smckeown777's remaining comment(s), you should add the group/groups that need access prior to removing the Everyone group.

On another note, it is a good idea for your "sys admin" remove the "everyone" group and add "authenticated users" from all foder permissions if possible.

Everyone = everyone (even if they are not logged into the network
Authenticated Users = ONLY individuals that have authenticated to the domain (logged into the network) will have any access.
Top Expert 2012
Commented:
Yes totally agree @pony10us, missed that one!!

Author

Commented:
I learned I had to un-check "Include inheritable permissions from this object's parent" then I was able to remove the EVERYONE group.  Thanks!

Author

Commented:
(I am part of the Administrators group.)