Subfolder Folder Permissions - Everyone Group

I have a folder (Folder B) that I am trying to ensure is restricted to authorised employees only.  I’ve been given a screenshot of the folders ACL which shows only a handful of individually listed employees.  I am not on this list but I am able to access the folder.

Looking at the ACL for the folder above (Folder A) this contains the ‘Everyone’ group with Read and Modify permissions for this folder and subfolders.

Can I just confirm that because the Everyone group has permissions listed in Folder A including subfolders, it can fully access Folder B despite it not being explicitly listed in the ACL for Folder B?

If this is the case how can I determine how many user accounts are within the Everyone group, just so I can put this into perspective for management? i.e. Folder B containing sensitive data can potentially be accessed by 8000 employees because of the permission granted to the Everyone Group in Folder A?  Also is there a way to determine if anonymous users are part of the Everyone group?  I’ve read that at around 2008 this was removed from the group but I would like to clarify this.
LVL 2
jdc1944Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Alex GreenProject Systems EngineerCommented:
Correct,

Go to security, advanced, change permissions and remove inheritable permissions, copy the existing security and then remove what you want.
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Lee W, MVPTechnology and Business Process AdvisorCommented:
The everyone group is a special group and literally means EVERYONE.

Understanding Group Accounts
https://technet.microsoft.com/en-us/library/cc733001(v=ws.11).aspx

Furthermore, whoever set this up:
"I’ve been given a screenshot of the folders ACL which shows only a handful of individually listed employees."

Doesn't understand security.  With RARE exception, NEVER assign users individually to a resource.  Create a group and assign that group.  IDEALLY, the group will be named something logical for what the resource is, but even if it were Group625 it would be better than assigning INDIVIDUALS to the resource.

Indeed, with the exception of user home directories, even when a resource only has ONE user, that one user should be part of a one user group and assigned that way.  Consider that when you need to add or remove users to the resource, you now have to reset permissions on everything when assigning by user.  Depending on the number of files, this can take a while.  Whereas if you assign permissions to a group, you can add and remove users in near an instant and at worst, they only need to log off and back on again to gain access.

The Logon process gets a list of group memberships which doesn't update until the next logon.  So put a user in the "Accounting" group while they are logged on and they won't have access to Accounting until they log off and log on again.
0
jdc1944Author Commented:
Many thanks for your input.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.