Delegate User to Set Permissions on File Server

Hello Experts,

I am having an issue setting up a user to be able to change permissions on a folder and subfolders on a file server.

The file server is 2008 R2 and in a domain. I am the only administrator.
I have given this user (userA) the Full control permissions for this folder, and he can make, save, delete just fine. But he cannot change permissions of any subfolders in this folder.

Let me explain the situation….
Management wants all CAD models placed in the “PARTS” folder with userA being the only one to have read, write (full control) of this folder.
Inside the Parts folder is a folder named for each part number. Inside each part number folder are 4 folders (Master, Original, QA, Tooling).
The permissions are inherited from the parent as follows:
  UserA = Full Control
  Engineering = read & execute, list folder contents, read

I would like UserA to be in charge of this folder/subfolders and be able to change the permissions on the QA and Tooling folders, so the Engineering group would have “Modify” rights on just these two folders.

(hope this all makes sense)

How do I delegate rights for this user (UserA) to be able to do this without him being an admin of the server?

Client computers are Windows XP and Windows 7 pro.
The Parts folder is shared and users have the Parts folder mapped to their computers.

Sounds like a lot of micro-managing (and it is); if someone has a better solution, I would like to hear it.


FubrIT AdminAsked:

First, you need to log on to the server as administrator (Domain Admins membership will be just fine).
Then give the required user (delegated user) Full Control share permissions on the required folder (Parts).

Then, from the advanced security permissions of the Parts folder, go to the Owner tab, add a new entry there for the delegated user and grant him folder ownership with the "replace owner on subcontainers" checkbox selected.

It may warn you; accept the warning and the delegated user will now become owner of the folder.
Now close all windows, go to the NTFS permissions of the Parts folder again, add the delegated user there and give him Full Control permissions, remove any other users' and groups' Full Control permissions except administrator \ administrators, and click Apply.
Also remove the Creator Owner group from the access control list of the Parts folder.

Then go to advanced security permissions, select the "replace permissions..." checkbox and click Apply.
This will ensure that the delegated user has Full Control permissions on the Parts folder and on the subfolders and files in the hierarchy.

The only problem with this method is that you may lose all other users' permissions on the subfolders and root folder, which you may need to assign again.

Another option is to use the subinacl tool from MS to change the owner of the Parts folder and subfolders and grant the delegated user Full Control on the Parts folder and subfolders:
subinacl /subdirectories "c:\folder\*.*" /setowner=yourdomain\youraccount

subinacl /subdirectories "c:\folder\" /grant=yourdomain\youraccount=F
subinacl /subdirectories "c:\folder\*.*" /grant=yourdomain\youraccount=F
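
A read-only check for the result of the steps above, as an added example that is not part of the original answer: for each part-number folder it reports the owner of the QA and Tooling folders and whether the delegated account holds the "Change permissions" right there. The root path and account names are assumed placeholders, and the syntax is kept compatible with the PowerShell 2.0 that ships with Server 2008 R2.

```powershell
# Added example, read-only: it changes no ACL and no owner.
# Assumed placeholders: $Root and $Delegates. $Targets is taken from the question.
$Root      = 'D:\Parts'
$Delegates = @('YOURDOMAIN\UserA', 'YOURDOMAIN\GroupA')
$Targets   = @('QA', 'Tooling')

# "Change permissions" (WRITE_DAC); Full Control includes this bit.
$WriteDac    = [System.Security.AccessControl.FileSystemRights]::ChangePermissions
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-WriteDacAce {
    # ACEs of the given type that name a delegate, apply to the folder itself
    # (not inherit-only) and carry the Change permissions right.
    param($Acl, [string]$Type, [string[]]$Identity)
    @($Acl.Access | Where-Object {
        $_.AccessControlType -eq $Type -and
        $Identity -contains $_.IdentityReference.Value -and
        ($_.PropagationFlags -band $InheritOnly) -eq 0 -and
        ($_.FileSystemRights -band $WriteDac) -eq $WriteDac
    })
}

function Test-DelegatedAcl {
    param([string]$Path, [string[]]$Identity)
    $acl   = Get-Acl -Path $Path
    $allow = @(Get-WriteDacAce -Acl $acl -Type 'Allow' -Identity $Identity)
    $deny  = @(Get-WriteDacAce -Acl $acl -Type 'Deny'  -Identity $Identity)
    # The owner can rewrite the DACL even without an explicit ACE.
    $ownerIsDelegate = $Identity -contains $acl.Owner
    New-Object PSObject -Property @{
        Path          = $Path
        Owner         = $acl.Owner
        InheritanceOn = -not $acl.AreAccessRulesProtected
        CanChangeAcl  = $ownerIsDelegate -or ($allow.Count -gt 0 -and $deny.Count -eq 0)
    }
}

# Walk every part-number folder and list the QA/Tooling folders that fail the check.
Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    foreach ($name in $Targets) {
        $p = Join-Path $_.FullName $name
        if (Test-Path $p) { Test-DelegatedAcl -Path $p -Identity $Delegates }
    }
} | Where-Object { -not $_.CanChangeAcl } |
    Format-Table Path, Owner, InheritanceOn, CanChangeAcl -AutoSize
```

The check reads NTFS ACEs and ownership only; it does not evaluate share permissions or nested group membership.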


FubrIT AdminAuthor Commented:
Hi Mahesh,

I tried both and still get "access denied" when I have the userA try to change permission on QA and Tooling folders.

Now the only thing I did differently was that I created a group (GroupA), added the user to this group and used this instead of UserA. Will subinacl still work on a group instead of a user?

Permissions show GroupA as Full control
subinacl shows all good in command prompt  
(Done: 2049,  Modified: 2049, Failed: 0,  Syntax errors: 0)

Any ideas??


Yes, you can grant ownership and access to groups through Subinacl.

The above syntax is just for reference.

Make sure you have logged on to the server with an account that has local Administrators group membership.
Instead of providing permissions to GroupA, grant ownership to the local server Administrators group:

subinacl /subdirectories "c:\folder\*.*" /setowner=servername\administrators
subinacl /subdirectories "c:\folder\" /grant=your_domain\UserA=F

Then just log off the server and the user workstation once and check whether you got access as expected.

Alternatively, you can try the GUI method mentioned above.

FubrIT AdminAuthor Commented:
Hey Mahesh,

Couldn't get it to work with the subinacl.
But I was able to get it going with the GUI method as you explained.

Thank you


Just check the thread below on the same topic, which sheds some more light on this and on how to avoid this issue in future.
