NTFS Permission Best Practice


I added a temp employee to our active directory.  We want to allow this user to access only a single folder on the public drive.  All other users access public by way of "domain users" permission being permitted to access the mapped drive.  This new user should only be able to access a single folder inside the public drive and be denied access to any other folders.  What's the best way to do this, especially if that folder is a couple levels deep in the directory structure?  Will I have to redo the permissions on all other files?

It seems like it shouldn't be too complicated, but I'm not sure the best way to do this.

Russ Suter, Senior Software Developer, commented:
If you're sharing something a couple of levels deep you'll probably need to create a new share on that folder. You can set the permissions appropriately for that folder specifically regardless of outer folders but doing so might make future maintenance a problem.

As for denying permissions to other folders you're traveling down a slippery slope. You can add explicit deny permissions to any folder. Deny permissions take precedence over allow permissions but again you're looking at future maintenance problems.

Here are a few guidelines to go by:

1. Only use explicit deny permissions when absolutely necessary. Instead, prefer restricting allow permissions to only those groups requiring access.
2. Avoid setting permissions by user. Instead, apply permissions by group and assign users to the group(s) as needed. Not only is this more maintainable but it's easier to understand.
3. As you go deeper into a directory, permissions should be more restrictive, not less.

In a nutshell, for your immediate issue I'd do the following:
1. Create a new group, assign the user to this group.
2. Create explicit deny permissions on folders for the new group.
3. Locate the folder you wish the user to access and create a new share for it.
4. Set permissions on that specific folder to allow the group.
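
The four steps above as a PowerShell script, added here as an example and not part of Russ Suter's answer; it drives the built-in `net` and `icacls` tools and ends with a check for folders that will not inherit the deny. The domain, group, user, path and share names are placeholders, and it assumes PowerShell 2.0 or later in an elevated session on the file server.

```powershell
# Added example. Every name below is a placeholder to replace with your own.
$Group     = 'TempStaff'                    # hypothetical group for temporary staff
$Principal = "CONTOSO\$Group"               # assumed NetBIOS domain name
$User      = 'tempuser'                     # hypothetical temp account
$Root      = 'D:\Public'                    # assumed path behind the existing public share
$Target    = 'D:\Public\Projects\Intake'    # assumed folder the temp user may use
$Share     = 'Intake'                       # hypothetical name for the new share

function Invoke-Native {
    # Run a console tool and stop the script if it reports failure.
    param([string]$Exe, [string[]]$ArgList)
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe $ArgList failed (exit code $LASTEXITCODE)" }
}

# Step 1: create the group and add the user (takes effect at the user's next logon).
Invoke-Native net @('group', $Group, '/add', '/domain')
Invoke-Native net @('group', $Group, $User, '/add', '/domain')

# Step 2: deny the group on the public tree; subfolders and files inherit the ACE.
Invoke-Native icacls @($Root, '/deny', "${Principal}:(OI)(CI)F")

# Step 3: share the target folder directly, with Change access for the group only.
Invoke-Native net @('share', "$Share=$Target", "/grant:$Principal,CHANGE")

# Step 4: explicit allow on the target. Explicit ACEs sort ahead of inherited ones
# (and ACEs from nearer parents ahead of farther ones), so this Modify grant is
# evaluated before the deny inherited from $Root.
Invoke-Native icacls @($Target, '/grant', "${Principal}:(OI)(CI)M")

# Check: folders with inheritance disabled never received the deny from step 2,
# so the group can still reach them through its Domain Users membership.
$noInherit = Get-ChildItem $Root -Recurse |
    Where-Object { $_.PSIsContainer -and (Get-Acl $_.FullName).AreAccessRulesProtected }
foreach ($dir in $noInherit) {
    Write-Warning "Inheritance disabled, review manually: $($dir.FullName)"
}

# Show the resulting ACLs for the record.
Invoke-Native icacls @($Root)
Invoke-Native icacls @($Target)
```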

Windows Server 2008

From novice to tech pro — start learning today.