Delegate User to Set Permissions on File Server

Posted on 2014-01-10
Last Modified: 2014-01-19
Hello Experts,

I am having an issue setting up a user to be able to change permissions on a folder and subfolders on a file server.

The file server is 2008 R2 and in a domain. I am the only administrator.
I have given this user (userA) the Full control permissions for this folder, and he can make, save, delete just fine. But he cannot change permissions of any subfolders in this folder.

Let me explain the situation….
Management wants all CAD models placed in the “PARTS” folder with userA being the only one to have read, write (full control) of this folder.
Inside the Parts folder is a folder named for each part number. Inside each part number folder are 4 folders (Master, Original, QA, Tooling).
The permissions are inherited from the parent as follows:
  UserA = Full Control
  Engineering = read & execute, list folder contents, read

I would like UserA to be in charge of this folder/subfolders and be able to change the permissions on the QA and Tooling folders, so the Engineering group would have “Modify” rights on just these two folders.

(hope this all makes sense)

How do I delegate rights for this user (UserA) to be able to do this without him being an admin of the server?

Client computers are Windows XP and Windows 7 pro.
The Parts folder is shared and users have the Parts folder mapped to their computers.

Sounds like a lot of micro-managing (and it is); if someone has a better solution, I would like to hear it.


Question by: Fubr
LVL 37

Accepted Solution

Mahesh earned 500 total points
ID: 39771963
First, you need to log on to the server as administrator (Domain Admins membership will be just fine).
Then give the required user (delegated user) Full Control share permissions on the required folder (Parts).

Then, from the advanced security permissions of the Parts folder, go to the Owner tab, add a new entry there for the delegated user and grant him folder ownership with the "replace owner on subcontainers" checkbox selected.

It may warn you; accept the warning and the delegated user will now become owner of the folder.
Now close all windows, go to the NTFS permissions of the Parts folder again, add the delegated user there and give him Full Control permissions, remove any other users' and groups' Full Control permissions except administrator \ administrators, and click Apply.
Also remove the Creator Owner group from the access control list of the Parts folder.

Then go to advanced security permissions, select the replace permissions... checkbox and click Apply.
This will ensure that the delegated user will have Full Control permissions on the Parts folder and on the subfolders and files in the hierarchy.

The only problem with this method is that you may lose all other users' permissions on the subfolders and root folder, which you may need to assign again.

Another option is to use the subinacl tool from MS to change the owner of the Parts folder and subfolders and grant the delegated user full control on the Parts folder and subfolders:
subinacl /subdirectories "c:\folder\*.*" /setowner=yourdomain\youraccount

subinacl /subdirectories "c:\folder\" /grant=yourdomain\youraccount=F
subinacl /subdirectories "c:\folder\*.*" /grant=yourdomain\youraccount=F
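
As an added example (not part of the original posts): a read-only PowerShell audit of the end state this thread is after, with UserA holding Full Control and Engineering holding Modify only on QA and Tooling. The D:\Parts path and the CONTOSO domain are assumed placeholders; it uses only Get-Acl, which is available in the PowerShell 2.0 that ships with Server 2008 R2.

```powershell
# Added example: read-only ACL audit of the Parts tree described in this thread.
# Assumptions (placeholders, not from the thread): D:\Parts and the CONTOSO domain.
$Root     = 'D:\Parts'
$Delegate = 'CONTOSO\UserA'
$Group    = 'CONTOSO\Engineering'
# Intended rights for Engineering on each of the four per-part subfolders.
$Expected = @{ Master = 'ReadAndExecute'; Original = 'ReadAndExecute'
               QA     = 'Modify';         Tooling  = 'Modify' }

$Sync = [int][System.Security.AccessControl.FileSystemRights]'Synchronize'
$Full = [int][System.Security.AccessControl.FileSystemRights]'FullControl'
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]'InheritOnly'

function Get-AllowedRights($Acl, $Identity) {
    # OR together the Allow ACEs for one identity that apply to the folder itself.
    $mask = 0
    foreach ($ace in $Acl.Access) {
        if ($ace.IdentityReference.Value -eq $Identity -and
            $ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.PropagationFlags -band $InheritOnly) -eq 0)) {
            $mask = $mask -bor [int]$ace.FileSystemRights
        }
    }
    $mask
}

Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    foreach ($name in $Expected.Keys) {
        $path = Join-Path $_.FullName $name
        if (-not (Test-Path $path)) { continue }
        $acl  = Get-Acl -Path $path
        $want = [int][System.Security.AccessControl.FileSystemRights]$Expected[$name]
        # Ignore Synchronize, which Windows normally includes in Allow entries.
        $have = (Get-AllowedRights $acl $Group) -band (-bnot $Sync)
        New-Object PSObject -Property @{
            Folder        = $path
            Owner         = $acl.Owner
            DelegateFull  = ((Get-AllowedRights $acl $Delegate) -band $Full) -eq $Full
            Engineering   = [System.Security.AccessControl.FileSystemRights]$have
            MatchesIntent = ($have -eq $want)
        }
    }
} | Select-Object Folder, Owner, DelegateFull, Engineering, MatchesIntent |
    Format-Table -AutoSize
```

MatchesIntent is False both when Engineering is missing Modify on QA or Tooling and when it holds more than Read & Execute on Master or Original. An identity that receives its rights through a group has to be named by that group in $Delegate or $Group.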


Author Comment

ID: 39779914
Hi Mahesh,

I tried both and still get "access denied" when I have the userA try to change permission on QA and Tooling folders.

Now the only thing I did different, was I created a group (GroupA) adding user to this group and use this instead of UserA. Will subinacl still work on a group instead of user?

Permissions show GroupA as Full control
subinacl shows all good in command prompt  
(Done: 2049,  Modified: 2049, Failed: 0,  Syntax errors: 0)

Any ideas??


LVL 37

Expert Comment

ID: 39780180
Yes, you can grant ownership and access to groups through subinacl.

The above syntax is just for reference.

Make sure you have logged on to the server with an account that has local Administrators group membership.
Instead of providing permissions to GroupA, grant ownership to the local server Administrators group:

subinacl /subdirectories "c:\folder\*.*" /setowner=servername\administrators
subinacl /subdirectories "c:\folder\" /grant=your_domain\UserA=F

Then just log off the server and the user workstation once and check if you got access as expected.

Alternatively you can try GUI method mentioned above


Author Comment

ID: 39791816
Hey Mahesh,

Couldn't get it to work with the subinacl.
But I was able to get it going with the GUI method as you explained.

Thank you

LVL 37

Expert Comment

ID: 39791853

Just check the thread below on the same topic, which sheds some more light on this and helps to avoid this issue in future.

