Member_2_6346575 asked:

Folder permissions on server 2012

Dear All,
I am struggling with folder permissions on Server 2012, and would like some help with the following please.
I have a root folder called UMA, under that I have various sub folders like IT, HR, Business Development and so on. I have created the users and groups by department and would like to achieve the following:
1. All groups to be able to see the UAM share and sub folders within UMA.
2. All groups should not be able to add any extra folders to the main UMA folder (root).
3. Only groups that the system administrator adds to each sub folder should be accessible by that one group.
4. Once that group has access to their corresponding folder they should be able to add folders but not be able to delete, but can delete files within any sub folder.

I hope that explains my situation and is following best practice, but if not I would be happy to take advice.
Many thanks in advance.
Tags: Windows Server 2012, Active Directory, Microsoft Legacy OS

Last comment: Will Szymkowski, 8/22/2022 - Mon

Fairly simple - I assume you have a group created for each of those folders above.
1. Right-click the UAM folder > Properties > Security tab > click Advanced. Now take a screenshot of what you have in there.
2. Click Change permissions, uncheck "Include inheritable permissions from this object's parents".
3. Add all the groups that need to see the UAM folder and for each group click Edit and give them list folder/read data "allow".
   Give SYSTEM "full control". Give your "system Administrator user or group" full control.
4. For each folder for your specific groups you will do steps 1 and 2 and 3, but for the corresponding groups to their folders you will highlight the group, click Edit and
   list folder/read data            allow
   create folders/append data       allow
   create files/write data          allow
   delete subfolders and files      allow
   Delete                           deny
You can pretty much customize it to your liking in this section.
Will Szymkowski

My own opinion: do not use deny. It is the most restrictive permission and not a good practice. Create multiple ACL permissions using the "Applies To" selection.


How can I hire an expert? Just finding this very hard to be honest.
Will Szymkowski

I am reachable if needed.


Let's start with the UMA folder.

1. Disable inheritance.

Open the folder properties. Click on the 'Security' tab and choose 'Advanced'. Select 'Disable inheritance'. Results in no inheritance.

2. Remove all permissions with exception to those assigned SYSTEM, CREATOR OWNER and Administrators.


3. Add the groups that you want to have read level access and the groups that you want to have Full control access (personally, I would realistically think about providing Read-Access to Authenticated Users).

Example read-only access settings. NOTE: The 'Applies to' drop-down settings.

4. After adding all of the root level permissions, select the 'Replace all child object permission entries with inheritable permission entries from this object' and press Apply.

Let me know when you have these steps completed and we will continue to the next batch of steps.


Agreed with Will, you do not want to Deny permissions.
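
The root-folder steps and the no-Deny advice above can be scripted with Allow entries scoped through 'Applies to'. This is an added example, not code from any poster in this thread; the path D:\Shares\UMA, the CONTOSO domain and the GRP-IT / GRP-HR group names are assumptions, and unlike step 2 it does not re-add CREATOR OWNER, since an inheritable Full control entry for it would give folder creators the Delete right on their own folders.

```powershell
# Added example. $root, the domain and the group names are assumptions.
$root  = 'D:\Shares\UMA'
$depts = @{ 'IT' = 'CONTOSO\GRP-IT'; 'HR' = 'CONTOSO\GRP-HR' }   # sub folder -> owning group

function New-AllowRule($Identity, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

# --- Root folder: disable inheritance and rebuild the explicit entries ---
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)     # protect the ACL, drop inherited entries
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# SYSTEM and Administrators: Full control on "This folder, subfolders and files"
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-AllowRule $id 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
}
# Department groups: read/list on "This folder only", so they can see the
# sub folders but cannot create anything in the root, and nothing flows down.
foreach ($group in $depts.Values) {
    $acl.AddAccessRule((New-AllowRule $group 'ReadAndExecute' 'None' 'None'))
}
Set-Acl -Path $root -AclObject $acl

# --- Department folders: two Allow entries per group, no Deny ---
foreach ($name in $depts.Keys) {
    $path = Join-Path $root $name
    $acl  = Get-Acl -Path $path     # explicit entries already on the folder are kept

    # "This folder and subfolders": browse, create files and folders.
    # Neither Delete nor "Delete subfolders and files" is granted on folders.
    $acl.AddAccessRule((New-AllowRule $depts[$name] `
        'ReadAndExecute, CreateFiles, CreateDirectories' 'ContainerInherit' 'None'))

    # "Files only": Modify includes Delete, so files can be removed while folders cannot.
    $acl.AddAccessRule((New-AllowRule $depts[$name] 'Modify' 'ObjectInherit' 'InheritOnly'))

    Set-Acl -Path $path -AclObject $acl

    # Review the result: each entry with its "Applies to" flags
    (Get-Acl -Path $path).Access |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
}
```

With these entries group members also cannot rename a folder after creating it, because a rename needs the Delete right on the folder itself.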


Will, how do I reach you? I would love a team viewer and Skype session on this if at all possible. What is your availability? Where are you based? What would the fee be and how do I pay you?
Will Szymkowski

Please use the messaging system outside of the question. I have sent you a message.