Bladey001
asked on
Restricting root permissions
Dear Experts,
We would like to restrict the permissions on the root level folder of our shared drive so that users cannot save files directly to the root anymore. At the moment we have:
Domain Admins - Full Control - This folder, subfolders and files
Domain Users - Read, write & execute - This folder, subfolders and files
SERVER\Users - Read & Execute - This folder, subfolders and files
CREATOR OWNER - Special
SYSTEM - Full control
How do I accomplish this without affecting the folders below some of which do not inherit permissions?
We would like to restrict the permissions on the root level folder of our shared drive so that users cannot save files directly to the root anymore. At the moment we have:
Domain Admins - Full Control - This folder, subfolders and files
Domain Users - Read, write & execute - This folder, subfolders and files
SERVER\Users - Read & Execute - This folder, subfolders and files
CREATOR OWNER - Special
SYSTEM - Full control
How do I accomplish this without affecting the folders below some of which do not inherit permissions?
DON'T do that. You'll deny Administrators too and EVERYONE including the system account. Your pagefile will error out and your hibernate file and all your other hidden system files will start generating errors.
It's actually best not to use deny unless you're sure that's exactly what you want. It's better to remove permissions. Remove Domain Users from the permission list instead. Be sure that Domain Users still exist in the subfolders that need it. Make sure you don't propagate the removal to the subdirectories.
It's actually best not to use deny unless you're sure that's exactly what you want. It's better to remove permissions. Remove Domain Users from the permission list instead. Be sure that Domain Users still exist in the subfolders that need it. Make sure you don't propagate the removal to the subdirectories.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
@serialband, My intention is to show, how to deny to create the files on DATA/root folder as per author request not SYSTEM DRIVE. (now i realized that you are referring my screenshot)
ASKER
Is it best practice to remove the SERVER\Users account and just use 'Domain Users'?
The users will need to be able to create folders just not be able to write files to the root.
So if I use the permissions suggested by Seth but also add Create Folders this should accomplish what I need right?
The users will need to be able to create folders just not be able to write files to the root.
So if I use the permissions suggested by Seth but also add Create Folders this should accomplish what I need right?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
So essentially I've removed Create files / write data from Domain Users (This folder only) and had to add another entry for domain users (subfolders and files only) to give them read, write & execute
does that mean the issue is resolved or do you still need assistance?
Make sure do not inherit or replace permission is selected.