Solved

NTFS Permissions - AD

Posted on 2013-10-29
2
237 Views
Last Modified: 2013-10-29
This may seem an easy one. It's been a few years since I involved myself in NTFS permissions.

Company A has a mapped drive which everyone can access. The drive is located on the server.

Within the drive is folders (This is an example, in reality there are 40 folders):
Accounts
HR
Support
Customers
New folder

We want to give permissions to new folder to a group of people. This group can't have access to any other folder.

I've created a domain local security group in AD and added the users who need access to New folder into it. I've then given that group access on new folder.

How do I stop them accessing other folders? Do I have to go through each folder and deny them? Or can I deny them at the root (E:\data)

If I deny at root, will that take precedence over the allow at folder level?
0
Comment
Question by:carrgater31
2 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 500 total points
ID: 39608064
Don't use DENY - simply make sure the users are not in any other group that have been granted access - if they are not in a group that has been granted permissions on the other folders then they will have no permissions on them
0
 
LVL 2

Expert Comment

by:itnifl
ID: 39608189
Using deny can be trouble in the future if some of the users in the local security group require access via other groups that they later become a part of. When they become a part of such a group that is supposed to give them access, it will be overridden by the deny permissions you set via the local security group in question. Many administrators might get confused by this and start a lengthy troubleshoot. However, they should be able to use  The NTFS permissions should be clearly viewable properties of the folder though, and a group with deny permissions should be enough for most to hint what the cause is.

However, if you for some reason know for sure that local security group should never ever have access to the other folders you mentioned, you might want to use the deny permissions.

If you decide to use deny permissions on E:\Data, you can disable inheritance on "New Folder" so that these do not propagate to that part of the folder structure, and in doing so choosing to copy the existing inherited permissions so that you may alter them instead of setting everything up from scratch. Properties in the folder -> security tab -> advanced button -> remove the check on the "Include inheritable permissions from this object's parent." When you do that you will be asked if you want to copy the permissions that are inherited into your new configuration or start from scratch(those are my words, not Microsofts).
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

If you migrate a Terminal Server licenses server inside the 2008 server family, you can takte advantage of the build-in migration tool. If you like to migrate an older 2003 Server (and the installed client CALs) to a 2008 R2 server for example, you …
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now