How to set NTFS permissions for a folder to deny access for all but one


I need to disable access to certain folder for all user and groups except one user or group.
For example - folder "MyFolder", I need:
Administrators group = deny all access
Users group = deny all access
Trusted Installed = deny all access
(this line is optional) system = deny all access
MySpecialGroup group = enable all access

Optionally, instead of last line could be this line:
MySpecialUser user = enable all access

So, I'm ok with any of two - enable access for one particular group or for one particular user.

Is it possible to do on Windows 7/Server 2008/2012 ?
I mean - Windows 7 Ultimate or Enterprise. Windows server 2008 R2 or Server 2012.

Thank you in advance.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Just clear all ACLs entries and add the SpecialGroup or the SpecialUser.
Sumit GuptaSystem and Virtualization EngineerCommented:
Everyone: Uncheck all boxes
Your user: Check "Full control"
Remove any other user/Groups.
Dmitry_BondAuthor Commented:
Is it possible to do it with standard cmdline (or maybe - with SysInternals tools)? Without PowerShell or other 3rd party tools?
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

Sumit GuptaSystem and Virtualization EngineerCommented:
This is how you grant John full control over D:\test folder and all its subfolders:

C:>icacls "D:\test" /grant John:(OI)(CI)F

According do MS documentation:

F= Full Control
CI= Container Inherit - This flag indicates that subordinate containers will inherit this ACE.
OI= Object Inherit - This flag indicates that subordinate files will inherit the ACE.

For more details with examples here is the link from Microsoft:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Sure you can do it with a standard cmdline. Can't you use the simplest method: the GUI?
Dmitry_BondAuthor Commented:
It works. Thanks.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.