Folder Permissions Windows Server 2008R2

Posted on 2014-11-14
Last Modified: 2014-12-02
Windows Server 2008R2

Our employees routinely move folders on accident.  

We have all of our client folders in the same place, but quite often Client A gets accidentally moved into Client B's folder.  I get that Windows search is the easy solution, haha.  

How can I apply permissions so that they can't move the client's folder any more?  

They should be able to have full permissions to all of Client A's subfolders & files however.  Is this possible?
Question by:2_under_par
  • 5
  • 5
LVL 12

Expert Comment

by:Steven Wells
ID: 40443856

you should look to apply read or list folder content permissions to top level folders only. the modify rights underneath. that way the top level folder structure will remain intact.
LVL 18

Expert Comment

ID: 40444037
Agree Steven if you need more help let us know.

Author Comment

ID: 40450515
With regards to the Top Level Folder, I created Allow & Deny Permissions for a specific group of users.  So, there's 2 separate sets of permissions & when combined are the following... (see the pics for more detail)

Full Control: Deny
Traverse Folder / Execute File:  Allow
List Folder / Read Data: Allow
Read Attributes: Allow
Read Extended Attributes: Allow
Create Files / Write Data: Deny
Create Folders / Append Data: Deny
Write Attributes: Deny
Write Extended Attributes: Deny
Delete Subfolders & files: Deny
Delete: Deny
Read Permissions: Allow
Change Permissions: Deny
Take Ownership: Deny

Unfortunately, when I log in as a user in this group, I can move this folder into another folder.... which is what I am trying to avoid.  Any advice?  Thanks in advance.
LVL 12

Expert Comment

by:Steven Wells
ID: 40450533
Try not to use any denies. You can use the security tab to view effective permissions to ensure they are what you expect them to be.  Top level only needs to be list folder contents permission

Author Comment

ID: 40450597
OK.  I removed the deletes, & set List Data / Read Data to Allow.  This folder is not inheriting permissions & not passing permission to child folders.  When logging on as a user, the folder is not visible.  Weird.
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

LVL 12

Expert Comment

by:Steven Wells
ID: 40450604
You must at least have list otherwise folder won't be viewable by user.  This is called access based enumeration.

Author Comment

ID: 40450624
LVL 12

Expert Comment

by:Steven Wells
ID: 40450706
Hi,These are templates?  Can you show me what it looks like in the real world? Also show me the advanced tab too?

Author Comment

ID: 40450850
No, sorry, the name of the top level folder is "Template".  I was hoping this folder could be used going forward as a client folder, where the permissions would be the same for every client.  They would just copy the "Template" folder & rename it to the Client name.
LVL 12

Accepted Solution

Steven Wells earned 500 total points
ID: 40450931
Ok. That is fine. I think you should be ok. however I suspect the administrator would need to create and edit permissions for all top level folders, as if you just create a new folder, it will inherit permission from the folder above it.

ie, create a new folder with the client name

set the permission not to inherit.

Apply explicit permissions for this folder, but not sub folders

then you can adjust permissions below.

It may not be exactly what you are after but that is how NTFS permissions work.

Author Closing Comment

ID: 40477080
I didn't initially get this to work, because I wasn't applying it to the root folder.  (The one I shared)

Featured Post

Superior storage. Superior surveillance.

WD Purple drives are built for 24/7, always-on, high-definition security systems. With support for up to 8 hard drives and 32 cameras, WD Purple drives are optimized for surveillance.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco ASDM device NT domain question 4 36
Creating and Connection two new domains 5 80
vmdk greater than 2TB 2 31
Virtual Machine Consolidation needed status 6 61
Synchronize a new Active Directory domain with an existing Office 365 tenant
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now