• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 92
  • Last Modified:

How to grant explicity permission modify to a user on a child folder in windows 2012

I am trying to grant explicitly modify access to a domain user on a child object which is 2 level down. Only the system and the local admin along with this user should have full access to this child object/folder. Effective permissions test shows that this user has required access (except- Full Control, take ownership, change permissions), but unable to create folders in it.
1 Solution
cmaohioSenior Systems ManagerCommented:
I would check to make sure the folder is not inheriting permissions from the folder above it, then reapply the permissions
dxrsAuthor Commented:
Inheritance has been disabled, and all inherited permissions removed accept system/local admin/domain admin/specific domain user. In effective access tab in Windows 2012 I found the user doesn't have proper permission though the user has modify permissions. Refer attached.
Effective permissions showing that user only has read access

After you disabling inheritance, have you propagate those permissions to child objects from folder advance permissions?

If here you get errors, 1st you should take folder ownership and grant administrators full control and then try again
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Lionel MMSmall Business IT ConsultantCommented:
I suggest you use a command line utility called icacls http://ss64.com/nt/icacls.html. You can run it as one command or as separate commands. Interested in this approach? If so I can write the required commands for you.
U may try Subinacl utility to enforce specific user permissions to specific folder and sub folders

Subinacl /noverbose /Subdirectories "D:\1st folder\2nd folder\userdata\*" /grant=domain\user=c
Subinacl /noverbose /Subdirectories "D:\1st folder\2nd folder\userdata\*" /grant=domain\user=WD

Replace domain\user with yours
The above command will grant specific user modify (C) OR Write and Delete (WD) permissions on all sub folders and files under Userdata

If you don't have permissions to do so, you might need 1st take ownership of entire folder, check below article for more info on folder ownership \ permissions problem and Subinacl download link as well.

For Subinacl utility help
dxrsAuthor Commented:
Hello All, Thank you for your timely support. I had done a mistake by not granting share level permission ( read and change) to the Domain Users, there by whatever security permission applied where not effective. Now specific user is able to create and delete files in their respective UserData folder.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now