how to block access to a folder within a shared folder for everyone server

Posted on 2012-08-24
Last Modified: 2012-08-27
Hello Fellow Nerds!

I've been having problems with permissions on folders within a shared folder.  For example, in the main company shared folder there are documents and excel spreadsheets and folders.  Some of these folder must not allow all users to view what is inside of them.  

How do I properly set this up so I don't have wrong permissions set on a file within one of these folder deny the user whom is suppose to see these folders.
Question by:timarnold000
    LVL 12

    Assisted Solution

    break inheritance on the sub-folder.

    Navigate to the file or folder to which you want to set permissions. Right-click the file or folder and choose "Properties."

    Click the "Security" tab and select "Advanced" to view the permissions options.

    Click the box next to "Inherit from parent the permission entries that apply to the child objects" and click "OK" to save the settings. This will disable permission inheritance for the file or folder and its permissions settings can be modified separately from the parent folder.
    LVL 10

    Expert Comment

    You would create an ACL on the folder with the sensitive data. Edit the NTFS permissions of the the subfolder. Only allow access to the required users. Deny rules are generally unnecessary.
    LVL 1

    Accepted Solution

    I use groups to grant access to who needs what.  For example;  if c:\users was a shared folder I give everyone read permissions and and administrators have full access.  Let say you need a data folder under c:\users that  user1 has read permissions but  user2  needs write permissions.  I create two groups such as data_share_RO (for read only) and data_share_admin.  At the folder level under security click advanced, then click edit and uncheck the box "include inheritable permissions from this objects's parent and answer "yes" to the prompt.  This removes all inheritable permissions from the data folder.  click ok twice, this puts you back to the security tab.  Click Edit and add the administrators back with full control.  Now add the two groups and grant them read only rights (group data_share_ro)  and write rights (data_share_admin) respectively.  Click apply and ok.  Now administrators have full control and the group data_share_ro has read permissions and  data_share_admin has everything but full control.   Now add user 1 to data_share_ro and add user2 to data_share_admin.

    This might not be the best way but it works for me.

    Author Comment

    Thank you so far for the information everyone. how do I properly set the permissions so they cant delete the file?
    LVL 1

    Assisted Solution

    If you create a global group as described above and grant read and execute rights only then they will not be able to create or delete files but can read.  Only that group and administrators should have access to the folder.  You must also make sure no rights get inherited by removing inheritance under advanced.   Give administrators and the group you create explicit rights.

    Author Closing Comment

    This works great on sbs2011.  Folders even disappear (within a users profile) in the shared folder if permission have been removed (from that user.) NICE!

    Featured Post

    The problems with reply email signatures

    Do you wish that you could place an email signature under a reply? Well, unfortunately, you can't. That great Exchange/Office 365 signature you've created will just appear at the bottom of an email chain. What a pain! Is there really no way to solve this? Well, there might be...

    Join & Write a Comment

    [b]Ok so now I will show you how to add a user name to the description at login. [/b] First connect to your DC (Domain Controller / Active Directory Server) SET PERMISSIONS FOR SCRIPT TO UPDATE COMPUTER DESCRIPTION TO USERNAME 1. Open Active …
    Synchronize a new Active Directory domain with an existing Office 365 tenant
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

    755 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    19 Experts available now in Live!

    Get 1:1 Help Now