Folder permissions on server 2012

Dear All,
I am struggling with folder permissions on Server 2012, and would like some help with the following please.
I have a root folder called UMA; under that I have various sub folders like IT, HR, Business Development and so on. I have created the users and groups by department and would like to achieve the following:
1.      All groups to be able to see the UMA share and the sub folders within UMA.
2.      All groups should not be able to add any extra folders to the main UMA folder (root).
3.      Only the group that the system administrator adds to each sub folder should have access to it.
4.      Once that group has access to their corresponding folder they should be able to add folders but not be able to delete, but can delete files within any sub folder.

I hope that explains my situation and is following best practice, but if not I would be happy to take advice.
Many thanks in advance.

Will Szymkowski, Senior Solution Architect, Commented:
So it should look like below...
UMA Share
Share Perms = Everyone Full
NTFS Perms = Domain Admins Full, Domain Users List Folder Content

On Each Department Folder open Advanced Security
- click Change Permissions... button
- Click the Add button and select the group based on the department folder you are modifying
- Grant that group with All Permissions "EXCEPT FOR" (Full Control, Delete, Delete Subfolders and files, Change Permissions and Take Ownership)
- All other permissions should be selected
- make sure that you select Apply To SubFolders and Files Only
- Click Ok and click Add again
- Add the same group back
- Under Apply To Select Files Only
- Select the Delete Permission and click Apply

You will need to go through those steps and apply those permissions on each of the department folders with the corresponding groups.

Each Advanced permission, if done correctly, should have 2 Group Permissions added. One for access to the folder and another one to delete files only.
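
The two entries per department folder described in this answer, written as an added PowerShell example (not part of the original answer). `$Root` and the group names are placeholders; `ReadAndExecute, Write` is what remains once the five excluded permissions are taken out.

```powershell
# Added example. $Root and the group names are placeholders, not values from the thread.
$Root = 'D:\UMA'
$DepartmentGroups = @{
    'IT'                   = 'CONTOSO\UMA-IT'
    'HR'                   = 'CONTOSO\UMA-HR'
    'Business Development' = 'CONTOSO\UMA-BusDev'
}

function Add-DepartmentAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Group
    )
    # Entry 1, "Subfolders and files only": every permission except Full Control,
    # Delete, Delete Subfolders and Files, Change Permissions and Take Ownership.
    $workRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Group,
        [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AccessControlType]::Allow)

    # Entry 2, "Files only": Delete, inherited by files but not by folders.
    $deleteRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Group,
        [System.Security.AccessControl.FileSystemRights]::Delete,
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($workRule)
    $acl.AddAccessRule($deleteRule)
    if ($PSCmdlet.ShouldProcess($Path, "Add two allow entries for $Group")) {
        Set-Acl -Path $Path -AclObject $acl
    }
    # Return the explicit entries now on the folder for this group, for review.
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Group }
}

foreach ($folder in $DepartmentGroups.Keys) {
    Add-DepartmentAccess -Path (Join-Path $Root $folder) -Group $DepartmentGroups[$folder] -WhatIf |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}
```

Remove `-WhatIf` to apply the change. Both entries are inherit-only, so they govern items below each department folder; the folder object itself keeps whatever it inherits from UMA.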


FOX, Active Directory/Exchange Engineer, Commented:
Fairly simple - I assume you have a group created for each of those folders above.
1.  Right-click the UMA folder > Properties > Security tab > click Advanced. Now take a screenshot of what you have in there.
2.  Click Change Permissions, uncheck "Include inheritable permissions from this object's parents".
3.  Add all the groups that need to see the UMA folder and for each group click Edit and give them list folder/read data "allow".
      Give SYSTEM "full control". Give your "system Administrator user or group" full control.
4.  For each folder for your specific groups you will do steps 1, 2 and 3, but for the corresponding groups to their folders you will highlight the group, click Edit and set:
list folder/read data            allow
create folders/append data       allow
create files/write data          allow
delete subfolders and files      allow
Delete                           deny
You can pretty much customize it to your liking in this section.
Will Szymkowski, Senior Solution Architect, Commented:
My own opinion: do not use deny. It is the most restrictive permission and not a good practice. Create multiple ACL permissions using the "Applies To" selection.


AJ1978, Author, Commented:
How can I hire an expert? Just finding this very hard to be honest.
Will Szymkowski, Senior Solution Architect, Commented:
I am reachable if needed.

Let's start with the UMA folder.

1. Disable inheritance.

Open the folder properties. Click on the 'Security' tab and choose 'Advanced'. Select 'Disable inheritance'. Results in no inheritance.

2. Remove all permissions with the exception of those assigned to SYSTEM, CREATOR OWNER and Administrators.


3. Add the groups that you want to have read level access and the groups that you want to have Full control access (personally, I would realistically think about providing Read-Access to Authenticated Users).

Example read-only access settings. NOTE: The 'Applies to' drop-down settings.

4. After adding all of the root level permissions, select the 'Replace all child object permission entries with inheritable permission entries from this object' and press Apply.

Let me know when you have these steps completed and we will continue to the next batch of steps.

Agreed with Will, you do not want to Deny permissions.
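
Steps 1 to 3 above for the UMA root, written as an added PowerShell example (not part of the original post); step 4 is left to the GUI. `$Root` is a placeholder, and "This folder only" for the read entry is an assumption, because the 'Applies to' value was shown only in a screenshot.

```powershell
# Added example. $Root is a placeholder; the read scope is an assumption.
$Root      = 'D:\UMA'
$ReadGroup = 'NT AUTHORITY\Authenticated Users'
$Keep      = 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER', 'BUILTIN\Administrators'

function Set-RootFolderAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$ReadGroup,
        [Parameter(Mandatory = $true)][string[]]$Keep
    )
    if (-not $PSCmdlet.ShouldProcess($Path, 'Disable inheritance and rebuild ACL')) { return }

    # Step 1: disable inheritance. The second $true converts the inherited
    # entries to explicit ones, so SYSTEM and Administrators are not lost.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Re-read so the converted entries are explicit and can be removed.
    $acl = Get-Acl -Path $Path

    # Step 2: remove every principal that is not on the keep list.
    $acl.Access | ForEach-Object { $_.IdentityReference } |
        Where-Object { $Keep -notcontains $_.Value } |
        ForEach-Object { $acl.PurgeAccessRules($_) }

    # Stop before writing if nothing is left to administer the folder with.
    if (-not ($acl.Access | Where-Object { $Keep -contains $_.IdentityReference.Value })) {
        throw "None of the principals to keep has an entry on $Path; ACL not written."
    }

    # Step 3: read-level access, "This folder only" (assumed scope).
    $readRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $ReadGroup,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($readRule)
    Set-Acl -Path $Path -AclObject $acl

    (Get-Acl -Path $Path).Access   # resulting entries, for review
}

Set-RootFolderAcl -Path $Root -ReadGroup $ReadGroup -Keep $Keep -WhatIf
```

Remove `-WhatIf` to apply. With only `ReadAndExecute` granted on the root itself, members of the read group can list the department folders but cannot create folders or files directly under UMA.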

AJ1978, Author, Commented:
Will, how do I reach you? I would love a TeamViewer and Skype session on this if at all possible. What is your availability? Where are you based? What would the fee be and how do I pay you?
Will Szymkowski, Senior Solution Architect, Commented:
Please use the messaging system outside of the question. I have sent you a message.
