asked on
Disable folder access
I have a Windows 2012 server shared folder to which I have granted folder access to a group of users say "My-Friend-List-DL"
Now I'd like to disable access to this group for a few days.
I don't want to remove them right now, but I want to disable access so that they can't read or write to the folder.
However , I want to allow access to other users other than above group.
Is there a simple solution? I can't use any third party tools. Suggest me something that can be done in windows only.
ASKER
@Dr. Klahn
Not possible. Size is high and many nested folder. I want to avoid move back and forth.
ASKER
Change one checkbox. From "modify" checked to "deny full access" checked.
What would happen if full access is denied? It appears that if I use this option, they will be able to read, which also I do not want.
and also where would you change this settings ? Is it under Share permission or Security permission? ?
Any member of that group will be denied acess.
I agree with the above as a deny wins over an allow...
ASKER
Deny on which settings?
Deny on Modify or Deny on Full Access? Or both?
Make sure to capture what ththe current settings are.
And make sure your admin account is not a member of that group.
Deny takes precedence.
Deny on fullaccess means absolute denial
Deny on read and /or execute will prevent directory navigation and ability to read file contents.
ASKER
I think .. It's bit tricky,
I have two options now
Option # 1. Capture the current settings. Remove the Group from Share and also from Security . ..Add the same Group after few days with same settings to give back access.
Option # 2. Capture the current settings. Edit the Group in Security > apply "Deny Full Access"......Switch to Allow Full access after few days to give back access
Folder size is 80 GB.
Which option is the safest and quick and recommended ?
Note: I see people have complained that deny requires a reboot in server and user machine to be effective
Do you have two accounts?
Add an account to the group, add a deny read right.
And see if this is a sufficient limit
The issue is the attribute change.
The other option. Look at the share side, and see which option you can set for the group potentially denying the group any share rights.
Share + security uses the most restrictive.
What do you have in the share permissions
If you use DFS, turn off the DFS-rep to halt replication of the 80gb. But you will need the attribute change on all members; though you said you have one server.
Icacls or powershell based ACL change might be sufficient if the child objects inherit from parent.... in the settings.
ASKER
Share + security uses the most restrictive.
What do you have in the share permissions
In Share, I have EVERYONE ( Read, Write, Execute) and in Security Permission I have EVERYONE (View).
Groups are added only on Security but not in Share. Groups have full access permission in Security
Can you post the icacls of parent folder?
Test on a temp folder
Icacls
https://superuser.com/questions/741721/setting-deny-permissions-with-icacls-on-this-folder
Some of the users in that group might get access rights based on other selections you have.
The same process that kicks in when a security group is removed as when you make a change to the group's settings.
Glad it worked out.