Solved

NTFS Permissions - AD

Posted on 2013-10-29
2
241 Views
Last Modified: 2013-10-29
This may seem an easy one. It's been a few years since I involved myself in NTFS permissions.

Company A has a mapped drive which everyone can access. The drive is located on the server.

Within the drive is folders (This is an example, in reality there are 40 folders):
Accounts
HR
Support
Customers
New folder

We want to give permissions to new folder to a group of people. This group can't have access to any other folder.

I've created a domain local security group in AD and added the users who need access to New folder into it. I've then given that group access on new folder.

How do I stop them accessing other folders? Do I have to go through each folder and deny them? Or can I deny them at the root (E:\data)

If I deny at root, will that take precedence over the allow at folder level?
0
Comment
Question by:carrgater31
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 500 total points
ID: 39608064
Don't use DENY - simply make sure the users are not in any other group that have been granted access - if they are not in a group that has been granted permissions on the other folders then they will have no permissions on them
0
 
LVL 2

Expert Comment

by:itnifl
ID: 39608189
Using deny can be trouble in the future if some of the users in the local security group require access via other groups that they later become a part of. When they become a part of such a group that is supposed to give them access, it will be overridden by the deny permissions you set via the local security group in question. Many administrators might get confused by this and start a lengthy troubleshoot. However, they should be able to use  The NTFS permissions should be clearly viewable properties of the folder though, and a group with deny permissions should be enough for most to hint what the cause is.

However, if you for some reason know for sure that local security group should never ever have access to the other folders you mentioned, you might want to use the deny permissions.

If you decide to use deny permissions on E:\Data, you can disable inheritance on "New Folder" so that these do not propagate to that part of the folder structure, and in doing so choosing to copy the existing inherited permissions so that you may alter them instead of setting everything up from scratch. Properties in the folder -> security tab -> advanced button -> remove the check on the "Include inheritable permissions from this object's parent." When you do that you will be asked if you want to copy the permissions that are inherited into your new configuration or start from scratch(those are my words, not Microsofts).
0

Featured Post

Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question