Link to home
Start Free TrialLog in
Avatar of rookie_b
rookie_bFlag for United Kingdom of Great Britain and Northern Ireland

asked on

Set folders to read only server - 2008R2

We are migrating some data away form a 2008R2 server and would like to set some folders to read-only. It would have been easier if we could use share permissions, but in this case these are various sub-folders, as a opposed to the shared folder. So I am guessing I am looking for a script that blocks inheritance, retains the inherited permissions but changes the group granting RW access to users to  only have RO access.
Avatar of Brian B
Brian B
Flag of Canada image

It's probably just as easy to change the existing groups to read only and keep inheritance the way it is.

If directory structure is not the usual top down and there are exceptions, next nest choice may be to create a specific set of read only groups now and assign them as appropriate.
You could also take the easier approach of setting file attributes to read only and/or hidden and system if you want to -- after all that is to stop users fiddling with the old folders as opposed to  a security concern, i,e,

cd /d X:\somedir
attrib *.* +r /s/d

That will mark all files and folders read only from x:\somedir downwards regardless of NTFS or share permissions.  Of course a user that has suitable ntfs permissions can change the attributes back to write but often suitable for stopping  normal users and simpler than messing with complicated nested NTFS groups and structures?

Avatar of rookie_b


Hi Steve, thank you for your response. Would that prevent users from adding new files, or does it only affect existing files?
Ok, so, I tried using attributes, but it only sets it for files in folders, rather the actual folders. I can still rename files, rename folders, delete files and create new files, so it doesn't work for me.
Sorry, no!
Avatar of Brian B
Brian B
Flag of Canada image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Thanks Brian, it is definitely good advice. Unfortunately, in our case these are sub-folders of the shared folders, so there are no shares that map directly to the actual sub-folders.

With regards to changing the groups to read only the same applies - the groups are inherited from the higher level shared folders,  and there are no groups that only apply to the  individual sub-folders, hence we are having to look at blocking inheritance.
In the end we decided to only use  share permission at top level folders, and if a set of subfolders absolutely had to be read-only, we'd move them to another location and share that as read-only. It is actually turned out to be  less hassle then dealing with ntfs permissions changes/ errors.