Restricting root permissions

Dear Experts,

We would like to restrict the permissions on the root level folder of our shared drive so that users cannot save files directly to the root anymore. At the moment we have:

Domain Admins - Full Control - This folder, subfolders and files
Domain Users - Read, write & execute - This folder, subfolders and files
SERVER\Users - Read & Execute - This folder, subfolders and files
SYSTEM - Full control

How do I accomplish this without affecting the folders below some of which do not inherit permissions?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Santosh GuptaCommented:
Go to advance security permissions and change it...
Make sure do not inherit or replace permission is selected.
DON'T do that.  You'll deny Administrators too and EVERYONE including the system account.  Your pagefile will error out and your hibernate file and all your other hidden system files will start generating errors.

It's actually best not to use deny unless you're sure that's exactly what you want.  It's better to remove permissions.  Remove Domain Users from the permission list instead.  Be sure that Domain Users still exist in the subfolders that need it.  Make sure you don't propagate the removal to the subdirectories.
Seth SimmonsSr. Systems AdministratorCommented:
Remove Domain Users from the permission list instead.

if you remove domain users from the ACL, they will get access denied when just trying to reach the root of the drive unless they are a domain admin

if you change the domain users permissions by only selecting these items for 'this folder only ' then it should work; they can see everything but can't write to the top-level folder

traverse folder / execute file
list folder / read data
read attributes
read extended attributes
read permissions
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Santosh GuptaCommented:
@serialband, My intention is to show, how to deny to create the files on DATA/root folder as per author request  not SYSTEM DRIVE.  (now i realized that you are referring my screenshot)
Bladey001Author Commented:
Is it best practice to remove the SERVER\Users account and just use 'Domain Users'?

The users will need to be able to create folders just not be able to write files to the root.

So if I use the permissions suggested by Seth but also add Create Folders this should accomplish what I need right?
Santosh GuptaCommented:
try this...

to use those you dont want to give the file creation rights.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Seth Simmons is right.  I just saw the deny everyone screenshot and responded quickly, because I saw a disaster about to happen.  No matter what the situation, you don't deny unless you have a very good reason or have exhausted other options.  It's still far better to uncheck the permissions rather than deny them.  You're more likely to run into problems later on if you deny permissions without some planning.  There's already an implicit deny when you're not in the permissions list.

You might also want to uncheck the 5 checkboxes directly below the highlighted section in the image that sgupta1181 provided if you also don't want them to modify the permissions and edit the files.
Create olders/append data
Write attributes
Write extended attributes
Delete subfolders and files
Bladey001Author Commented:
So essentially I've removed Create files / write data from Domain Users (This folder only) and had to add another entry for domain users (subfolders and files only) to give them read, write & execute
Seth SimmonsSr. Systems AdministratorCommented:
does that mean the issue is resolved or do you still need assistance?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.