file permissions 101 - give some users access to only 1 folder among a bunch

on an Essentials 2012R2 server, if it matters, there's a share, lets call it A (\\server\a).

In there are a bunch of folders, lets call them 1, 2, 3, 4, 5, 6

Most everyone should be able to access all the folders.

there's a group that should only have permission to access folders 3 and 5

How would you do that ?

Conceivably, over time, they may create folder 7, 8 and 9.  That limited group still should only have access to folders 3 and 5.

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Patrick de GelderSupport engineerCommented:
I assum you could creating some new group policies and assign those policies to the folders and make the users that requires access a member of those policies.

See URL for more information on Group Policy

Hope this helps,
David Johnson, CD, MVPOwnerCommented:
one sets ntfs or share permissions group policy has nothing to do here.
ntfs permissions inherit from the folder above unless told to not inherit by explicitly editing the permissions. So if you create a folder then you have to edit the permissions to remove access for these users (it really should be a group)

If you enable Access Based Enumeration then a user will only see folders/files that they have access to and not get the access denied message.
Robin CMSenior Security and Infrastructure EngineerCommented:
Several ways:
1) Turn off inheritance on the folder that contains all those folders. Remove "Users" or Everyone" or whatever the users are getting their access via at the moment. Create a group for "general folder access" and one for "restricted folder access" and assign these groups to the appropriate folders and put the relevant users into those groups.
2) Create a group called "restricted folder access" and put the people who only need access to the two folders into it. Edit the permissions on all the other folders to add a "deny" permission to that group.
Note that using deny permissions is generally only used as a last resort. You should not grant people access to stuff in the first place if they're not supposed to be accessing it. This is called "least permissions".
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

NVITEnd-user supportCommented:
> they may create folder 7, 8 and 9.  That limited group still should only have access to folders 3 and 5.

Sounds conflicting. Is "they" the restricted group just allowed to 3 and 5? Yet, they can create 7 8 and 9?
BeGentleWithMe-INeedHelpAuthor Commented:
Sorry. I meant the unrestricted users make more folders. Those new folders should inherit a 'don't allow the restricted people' into them.
NVITEnd-user supportCommented:
If you are starting fresh....

On the main share folder A...
- Adjust permissions, making sure users in group 3_5 are not also Windows default members of Authenticated Users, and Domain Users
- Add group 1_6 permissions.
- OK to close security dialog for main folder A.
- Create folders 1 through 6.
- Add group 3_5 permissions on folders 3 and 5.

If you want to affect existing folders 1-6...

If any group 3_5 users exist in other groups that can currently access folders 1-6, e.g. Authenticated Users, Domain Users...
- You must either Deny permissions on folders 3_5, or adjust the existing folders 1-6 perms, removing the groups those users are currently a part of. Then make and add new group 1_6.
- Add group 3_5 permissions on folders 3 and 5.

Also consider if any of these or their sub-folders / files have unique, un-inherited perms.
To check, you can use Microsoft's AccessEnum to enumerate the share. Differences will show on separate lines.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
BeGentleWithMe-INeedHelpAuthor Commented:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.