NTFS Special Permission

Hello Expert,
We already have a shared folder on the fileserver called “Marketing”. Inside this “Marketing” shared folder there are lots of other folders, subfolders and files which were already created by some other users. Now I want to add a new user, say test1, to this “Marketing” shared folder.

Test1 user should only have the following permissions:-
1) Read all files which are under the “Marketing” shared folder and under all of the subfolders
2) Create new folders and new files under the “Marketing” shared folder and all of the subfolders
3) Modify the contents of all existing files and save changes into it under the “Marketing” shared folder and all of other subfolders
4) Rename all of the folders, subfolders and files under the “Marketing” shared folder
5) User Test1 should be restricted from deleting any folders, subfolders, files and even the “Marketing” shared folder itself
6) User Test1 should be restricted from taking ownership of any folders, subfolders, files and even the “Marketing” shared folder itself

Expert, can you please tell me what NTFS special permissions I should give to the user test1 to achieve the above abilities?
Steps I already completed are:-
1) Added the user test1 to the shared folder “Marketing”
2) Assigned the Share Permission as:-
Authenticated User = Full Control
3) I am stuck now. What NTFS special permissions should I give next to the user test1?

Regards,
Distinguished Expert 2018

Commented:
Just remove full control from user test1 for "Marketing" share - and permit everything else. That should be it.

Seth Simmons, Sr. Systems Administrator

Commented:
Remove Delete and Delete Subfolders and Files (at the folder level) also.
Just removing Full Control leaves the other check boxes enabled, including Delete.

Author

Commented:
Hello Seth,

You mean give Share Level Permission as:
Authenticated User = Change and Read

Folder Level Permission, uncheck the following:
1) Full Control
2) Delete Subfolders and Files
3) Delete
4) Change Permissions
5) Take ownership

Architect
Distinguished Expert 2019
Commented:
Points 4 and 5 will not work at the same time in your case:
4) Rename all of the folders, subfolders and files under the “Marketing” shared folder
5) User Test1 should be restricted from deleting any folders, subfolders, files and even the “Marketing” shared folder itself

In order to rename files and folders, the user must have delete permissions on the folders and files; otherwise they cannot rename.
Once you grant Modify permissions, the user can delete files and folders.
The 6th point is OK: with Modify permissions the user cannot take folder ownership, provided that the Creator Owner group is removed from the folder ACL.

To do what you are trying to do, with some limitations:
Grant the Authenticated Users \ Everyone group Full Control share permissions.
On the NTFS ACL, disable inheritance on the share root with the copy option, then remove the Creator Owner group and ensure the Administrators group has Full Control NTFS permissions.
Now add Modify permissions for the required user on the folder root.
Now, in order to prevent this user from deleting the Marketing root folder itself, go to the Marketing folder's advanced permissions and deny Delete for that user with "This folder only" as the permission scope.

It should look like below.
You need to add that user account twice on the ACL, so that one permission will be Modify with "This folder, subfolders and files" as Allow
AND
another permission will be Deny Delete with "This folder only".

You may check the best practices for setting up shared folders at the end of the article below.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_17526-NTFS-File-System-Folder-ownership-problems-and-resolution.html
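
The steps in the last answer, written as a PowerShell script. This is an added example and not part of the original thread; the path `D:\Shares\Marketing` and the account `CONTOSO\test1` are assumed placeholders, and it is meant to be run from an elevated session on the file server.

```powershell
# Assumed values (not from the thread): replace with your own.
$Path = 'D:\Shares\Marketing'   # hypothetical local path behind the Marketing share
$User = 'CONTOSO\test1'         # hypothetical domain\account for test1

$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoProp  = [System.Security.AccessControl.PropagationFlags]::None

# Step 1: disable inheritance on the share root, copying inherited ACEs
# ($true = protect from inheritance, $true = keep copies as explicit ACEs).
$acl = Get-Acl -LiteralPath $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $Path -AclObject $acl

# Re-read so the copied ACEs are seen as explicit entries.
$acl = Get-Acl -LiteralPath $Path

# Step 2: remove every ACE for CREATOR OWNER (well-known SID S-1-3-0).
$creatorOwner = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-0'
$acl.PurgeAccessRules($creatorOwner)

# Step 3: make sure BUILTIN\Administrators (S-1-5-32-544) keeps Full Control.
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $admins, 'FullControl', $Inherit, $NoProp, 'Allow')))

# Step 4: Allow Modify for the user on this folder, subfolders and files.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $User, 'Modify', $Inherit, $NoProp, 'Allow')))

# Step 5: Deny Delete for the same user, scoped to this folder only
# (no inheritance flags), so the Marketing root itself cannot be deleted.
# As the answer notes, Modify still lets the user delete items below the root.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $User, 'Delete', 'None', 'None', 'Deny')))

Set-Acl -LiteralPath $Path -AclObject $acl

# Review the result: the user should appear twice (Allow Modify, Deny Delete)
# and CREATOR OWNER should no longer be listed.
(Get-Acl -LiteralPath $Path).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights,
                 InheritanceFlags, IsInherited -AutoSize
```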