We help IT Professionals succeed at work.

NTFS Permissions - Best Practice when restructuring users/groups

Last Modified: 2014-09-02
I will be in the process of adding/changing rights for a large file share.

A few things I have noticed:
Inheritance blocked on several folders from the root.  (No particular pattern)
Several departments now interact so more single users from other department have been applied to folders and not always a group.
Some supervisors will be losing domain admin. rights.  (Given very early on.)
Users losing domain admin rights will have entire folder rights (department) in many places except HR and Accounting.
The structure is really showing the signs from when it was a smaller company, and now larger and divided.

I think my main challenges will be:

Who can become part of a group/new group without over reaching?

How can new groups get forced into lower folders without wiping out the current permission?
(Ex: Domain admin now a normal user but needing access to several folders deep.  If I put the group at the top level and then remove blocking below will it still wipe out NTFS ACLs as if forced from above?  I don't want to force a new group to the bottom folder and lose my current groups and users.)

Are there any new best practices or procedures for cleaning up rights?  Management is not interested in purchasing any tools to automate changes.   As of now I will just have the ability to run reports, and talk to supervisors about access for the department and other departments.  I don't want to delegate the power to the supervisors to add users.  I like to stay with groups if possible.  I also try to stay away from using any DENY for users or groups.  (However this might happen on the HR / Accounting folder).

I have safari library in case there are any good books recommended.
Maybe I need to move away from the trend to name groups similar to departments.  Maybe it should be security levels such as Engineer Level 1 - 5.  (not each Engineering department name).

Thanks in advance
Watch Question

Natty GregIn Theory (IT)

Use groups and group policy to set the rights,  it will help you big time and one person can be apart of multiple groups to perform different task, in different department.


Seems like a nice way of adding per folder but it still looks like it will wipe out my ACL if I force permissions down the tree.

(see add object box)
In Theory (IT)
This one is on us!
(Get your first solution completely free - no credit card required)


It looks like a good option.  I do like the idea of the GPO enforcement even if someone tried to change permissions.

I will test at a small scale - thanks
Natty GregIn Theory (IT)

your welcome

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.