Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 246
  • Last Modified:

NTFS Permissions - AD

This may seem an easy one. It's been a few years since I involved myself in NTFS permissions.

Company A has a mapped drive which everyone can access. The drive is located on the server.

Within the drive is folders (This is an example, in reality there are 40 folders):
Accounts
HR
Support
Customers
New folder

We want to give permissions to new folder to a group of people. This group can't have access to any other folder.

I've created a domain local security group in AD and added the users who need access to New folder into it. I've then given that group access on new folder.

How do I stop them accessing other folders? Do I have to go through each folder and deny them? Or can I deny them at the root (E:\data)

If I deny at root, will that take precedence over the allow at folder level?
0
carrgater31
Asked:
carrgater31
1 Solution
 
KCTSCommented:
Don't use DENY - simply make sure the users are not in any other group that have been granted access - if they are not in a group that has been granted permissions on the other folders then they will have no permissions on them
0
 
itniflCommented:
Using deny can be trouble in the future if some of the users in the local security group require access via other groups that they later become a part of. When they become a part of such a group that is supposed to give them access, it will be overridden by the deny permissions you set via the local security group in question. Many administrators might get confused by this and start a lengthy troubleshoot. However, they should be able to use  The NTFS permissions should be clearly viewable properties of the folder though, and a group with deny permissions should be enough for most to hint what the cause is.

However, if you for some reason know for sure that local security group should never ever have access to the other folders you mentioned, you might want to use the deny permissions.

If you decide to use deny permissions on E:\Data, you can disable inheritance on "New Folder" so that these do not propagate to that part of the folder structure, and in doing so choosing to copy the existing inherited permissions so that you may alter them instead of setting everything up from scratch. Properties in the folder -> security tab -> advanced button -> remove the check on the "Include inheritable permissions from this object's parent." When you do that you will be asked if you want to copy the permissions that are inherited into your new configuration or start from scratch(those are my words, not Microsofts).
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Tackle projects and never again get stuck behind a technical roadblock.
Join Now