Folder permissions on server 2012

AJ1978
Dear All
I am struggling with folder permissions on server 2012, and would like some help with the following please.
I have a root folder called UMA, under that I have various sub folders like IT, HR, Business Development and so on. I have created the users and groups by department and would like to achieve the following:
1.      All groups to be able to see the UMA share and sub folders within UMA
2.      All groups should not be able to add any extra folders to the main UMA folder (root).
3.      Only groups that the system administrator adds to each sub folder should be accessible by that one group.
4.      Once that group has access to their corresponding folder they should be able to add folders but not be able to delete but can delete files within any sub folder.

I hope that explains my situation and is following best practice but if not I would be happy to take advice.
Many thanks in advance.
Alex
Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015
Commented:
So it should look like below...
UMA Share
Share Perms = Everyone Full
NTFS Perms = Domain Admins Full, Domain Users List Folder Content

On Each Department Folder open Advanced Security
- click Change Permissions... button
- Click the Add button and select the group based on the department folder you are modifying
- Grant that group with All Permissions "EXCEPT FOR" (Full Control, Delete, Delete Subfolders and files, Change Permissions and Take Ownership)
- All other permissions should be selected
- make sure that you select Apply To SubFolders and Files Only
- Click Ok and click Add again
- Add the same group back
- Under Apply To Select Files Only
- Select the Delete Permission and click Apply

You will need to go through those steps and apply those permissions on each of the department folders with the corresponding groups.

Each Advanced permission, if done correctly, should have 2 Group Permissions added. One for access to the folder and another one to delete Files only.

Will.
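
The two-entry layout described in the answer above, written as a PowerShell script. This is an added example, not part of the original thread; the root path D:\Shares\UMA, the CONTOSO domain and the group names are assumptions to replace with your own.

```powershell
# Added example. Run in an elevated PowerShell session on the file server.
$Root = 'D:\Shares\UMA'                       # assumed location of the UMA folder
$DepartmentGroups = @{                        # folder name -> group (constructed sample)
    'IT'                   = 'CONTOSO\UMA-IT'
    'HR'                   = 'CONTOSO\UMA-HR'
    'Business Development' = 'CONTOSO\UMA-BizDev'
}

function New-DepartmentRules {
    param([Parameter(Mandatory = $true)][string]$Group)

    $allow       = [System.Security.AccessControl.AccessControlType]::Allow
    # InheritOnly = the entry applies to children, not to the folder it is set on.
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Entry 1, "Subfolders and files only": every advanced permission except
    # Full Control, Delete, Delete Subfolders and Files, Change Permissions
    # and Take Ownership.
    $rights1  = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write, Synchronize'
    $inherit1 = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

    # Entry 2, "Files only": Delete, so files can be removed but folders cannot.
    $rights2  = [System.Security.AccessControl.FileSystemRights]::Delete
    $inherit2 = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

    New-Object System.Security.AccessControl.FileSystemAccessRule($Group, $rights1, $inherit1, $inheritOnly, $allow)
    New-Object System.Security.AccessControl.FileSystemAccessRule($Group, $rights2, $inherit2, $inheritOnly, $allow)
}

foreach ($folder in $DepartmentGroups.Keys) {
    $path  = Join-Path $Root $folder
    $group = $DepartmentGroups[$folder]

    # Add both entries to the existing ACL; nothing already there is removed.
    $acl = Get-Acl -Path $path
    foreach ($rule in (New-DepartmentRules -Group $group)) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $path -AclObject $acl

    # Check: exactly two explicit entries should be listed for the group.
    Write-Output "Explicit entries for $group on ${path}:"
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $group -and -not $_.IsInherited } |
        Format-Table FileSystemRights, InheritanceFlags, PropagationFlags, AccessControlType -AutoSize
}
```

Both entries are inherit-only, so the group's access on the department folder object itself comes only from whatever it inherits from UMA.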
FOX
Active Directory/Exchange Engineer
Top Expert 2015

Commented:
Fairly simple - I assume you have a group created for each of those folders above.
1.  Right-click the UMA folder > Properties > Security tab > click Advanced. Now take a screenshot of what you have in there.
2.  Click Change Permissions, uncheck "Include inheritable permissions from this object's parents".
3.  Add all the groups that need to see the UMA folder and for each group click Edit and give them list folder/read data "allow".
    Give SYSTEM "full control". Give your "system Administrator user or group" full control.
4.  For each folder for your specific groups you will do steps 1 and 2 and 3, but for the corresponding groups to their folders you will highlight the group, click Edit and set:
    list folder/read data            allow
    create folders/append data       allow
    create files/write data          allow
    delete subfolders and files      allow
    Delete                           deny
You can pretty much customize it to your liking in this section.
Will Szymkowski
Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
My own opinion: do not use deny. It is the most restrictive permission and not a good practice. Create multiple ACL permissions using the "Applies To" selection.

Will.

Author

Commented:
How can I hire an expert? Just finding this very hard to be honest.
Will Szymkowski
Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
I am reachable if needed.

Will.

Commented:
Let's start with the UMA folder.

1. Disable inheritance.

Open the folder properties. Click on the 'Security' tab and choose 'Advanced'. Select 'Disable inheritance'. Results in no inheritance.

2. Remove all permissions with exception to those assigned SYSTEM, CREATOR OWNER and Administrators.


3. Add the groups that you want to have read level access and the groups that you want to have Full control access (personally, I would realistically think about providing Read-Access to Authenticated Users).

Example read-only access settings. NOTE: The 'Applies to' drop-down settings.

4. After adding all of the root level permissions, select the 'Replace all child object permission entries with inheritable permission entries from this object' and press Apply.

Let me know when you have these steps completed and we will continue to the next batch of steps.

-saige-

Commented:
Agreed with Will, you do not want to Deny permissions.

-saige-

Author

Commented:
Will, how do I reach you? I would love a team viewer and Skype session on this if at all possible. What is your availability? Where are you based? What would the fee be and how do I pay you?
Will Szymkowski
Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
Please use the messaging system outside of the question. I have sent you a message.

Will.
