Solved

NTFS Permissions - AD

Posted on 2013-10-29
2
242 Views
Last Modified: 2013-10-29
This may seem an easy one. It's been a few years since I involved myself in NTFS permissions.

Company A has a mapped drive which everyone can access. The drive is located on the server.

Within the drive is folders (This is an example, in reality there are 40 folders):
Accounts
HR
Support
Customers
New folder

We want to give permissions to new folder to a group of people. This group can't have access to any other folder.

I've created a domain local security group in AD and added the users who need access to New folder into it. I've then given that group access on new folder.

How do I stop them accessing other folders? Do I have to go through each folder and deny them? Or can I deny them at the root (E:\data)

If I deny at root, will that take precedence over the allow at folder level?
0
Comment
Question by:carrgater31
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 500 total points
ID: 39608064
Don't use DENY - simply make sure the users are not in any other group that have been granted access - if they are not in a group that has been granted permissions on the other folders then they will have no permissions on them
0
 
LVL 2

Expert Comment

by:itnifl
ID: 39608189
Using deny can be trouble in the future if some of the users in the local security group require access via other groups that they later become a part of. When they become a part of such a group that is supposed to give them access, it will be overridden by the deny permissions you set via the local security group in question. Many administrators might get confused by this and start a lengthy troubleshoot. However, they should be able to use  The NTFS permissions should be clearly viewable properties of the folder though, and a group with deny permissions should be enough for most to hint what the cause is.

However, if you for some reason know for sure that local security group should never ever have access to the other folders you mentioned, you might want to use the deny permissions.

If you decide to use deny permissions on E:\Data, you can disable inheritance on "New Folder" so that these do not propagate to that part of the folder structure, and in doing so choosing to copy the existing inherited permissions so that you may alter them instead of setting everything up from scratch. Properties in the folder -> security tab -> advanced button -> remove the check on the "Include inheritable permissions from this object's parent." When you do that you will be asked if you want to copy the permissions that are inherited into your new configuration or start from scratch(those are my words, not Microsofts).
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question