File/Folder controls

I am sure I am making the same mistake somehow when it comes to setting file folder security

An area on a server exists shared as Sharedata mapped for all staff as S: drive
Sharedata has subfolders for Administration, Finance, Common, Caseworkers and WHS
File Permisions look like this
D:\--Sharedata                    (Domain_Admins = full control 'this folder, subfolders and files', GRP_CompanyName_Users = ReadOnly 'This folder only')
         +--AFC      (GRP_AFC_Edit = Subfolders and files only, Inherit removed)

ATS permissions are Change for GRP_CompanyName_Users

Using the example, I am trying to:
  • make sure the Root of Sharedata is Read only to prevent them creating new folders on the fly or renaming key folders when someone has a whim,
  • Members of GRP_AFC_Edit can do anything they like to subfolders and files under AFC

I have tried a number of scenarios and can't seem to get it right, so I am assuming I am repeating a mistake somewhere.
Sharedata permissions

AFC perm's
Who is Participating?
MaheshConnect With a Mentor ArchitectCommented:
on root folder,
1s of all remove "Creator owner" group then,
 "grant authenticated users" group "List folder contents" with "this folder only" as scope
Then on sub folder (AFC), grant modify permissions to required group and also deny delete permissions, this will ensure that group members can add / modify files / folders in AFC folder but cannot delete AFC folder itself

Read best practices from below article for more clarity:
mbkitmgrAuthor Commented:
Many thanks.  Clearly I wasn't thinking about it latterally enough.  Your method works perfectly.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.