Jonathan Edwards asked:

NTFS Permissions - AD

This may seem an easy one. It's been a few years since I involved myself in NTFS permissions.

Company A has a mapped drive which everyone can access. The drive is located on the server.

Within the drive are folders (this is an example; in reality there are 40 folders):
Accounts
HR
Support
Customers
New folder

We want to give permissions to new folder to a group of people. This group can't have access to any other folder.

I've created a domain local security group in AD and added the users who need access to New folder into it. I've then given that group access on new folder.

How do I stop them accessing other folders? Do I have to go through each folder and deny them? Or can I deny them at the root (E:\data)?

If I deny at root, will that take precedence over the allow at folder level?
ASKER CERTIFIED SOLUTION
Brian Pierce

This solution is only available to members.

Using deny can be trouble in the future if some of the users in the local security group require access via other groups that they later become a part of. When they become a part of such a group that is supposed to give them access, it will be overridden by the deny permissions you set via the local security group in question. Many administrators might get confused by this and start a lengthy troubleshoot. However, they should be able to use  The NTFS permissions should be clearly viewable properties of the folder though, and a group with deny permissions should be enough for most to hint what the cause is.

However, if you for some reason know for sure that local security group should never ever have access to the other folders you mentioned, you might want to use the deny permissions.

If you decide to use deny permissions on E:\Data, you can disable inheritance on "New Folder" so that these do not propagate to that part of the folder structure, and in doing so choosing to copy the existing inherited permissions so that you may alter them instead of setting everything up from scratch. Properties in the folder -> security tab -> advanced button -> remove the check on "Include inheritable permissions from this object's parent." When you do that you will be asked if you want to copy the permissions that are inherited into your new configuration or start from scratch (those are my words, not Microsoft's).
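
The inheritance change described above, scripted in PowerShell as an added example that is not part of the original thread. The group name `CORP\NewFolder-Users` is hypothetical, the paths follow the question's E:\data layout, and the script assumes an elevated session on the file server.

```powershell
# Added example; $Group is an assumed name, paths follow the question's layout.
$Root   = 'E:\data'
$Target = Join-Path $Root 'New folder'
$Group  = 'CORP\NewFolder-Users'   # hypothetical domain local group

# 1. Stop inheriting from E:\data but keep a copy of the inherited ACEs
#    (same as clearing "Include inheritable permissions..." and choosing to copy).
$acl = Get-Acl -LiteralPath $Target
$acl.SetAccessRuleProtection($true, $true)   # isProtected, preserveInheritance
Set-Acl -LiteralPath $Target -AclObject $acl

# 2. Re-read so the copied ACEs appear as explicit entries, then drop every
#    entry for the group. A deny already set on the root would otherwise have
#    been copied here as an explicit deny and would still block the group.
$acl = Get-Acl -LiteralPath $Target
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Group)

# 3. Grant Modify on this folder, its subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Target -AclObject $acl

# 4. Review: list every ACE that names the group on the root and on each
#    first-level folder, showing whether it is Allow/Deny and inherited.
@(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Directory) |
    ForEach-Object {
        $path = $_.FullName
        (Get-Acl -LiteralPath $path).Access |
            Where-Object { $_.IdentityReference.Value -eq $Group } |
            Select-Object @{ n = 'Path'; e = { $path } },
                          AccessControlType, FileSystemRights, IsInherited
    } |
    Format-Table -AutoSize
```

The report in step 4 only covers ACEs that name the group directly; access that members receive through other groups has to be reviewed separately.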