NTFS Permissions


Description:

This is a reference post, because many sysadmins get requests to set up directories with certain permissions. It’s best to design your network around group permissions, so that individual users can simply be added to or removed from groups in AD to access certain folders, usually organized by department.

To Resolve:

  1. First is the most common request: I need my team to be the ONLY ONES who can see/access this share:

1a. Create the folder in the share

1b. Right click – Properties – Security – Advanced – Change Permissions – Uncheck “Include inheritable..” – Add. Choosing Add turns the inherited entries into explicit permissions. Click OK all the way back to the Explorer window.

1c. Now go to Properties – Security and remove all entries. Then add only the people you want to have access.

Ex: Add “domain.com\enterprise admins” with full control and “ITStaff” with everything but full control (add full control, then uncheck just the full control box – this will enable modify, read, write, etc. but remove special permissions).

  2. To allow everyone to view/open files but not be able to delete or add (read only):

2a. Follow steps in step 1.

2b. Add “authenticated users”

2c. Set permissions to “allow” only on read/execute, list folder contents, and read. Do not deny anything or add anything else.
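The two procedures above (team-only access, and read-only access for Authenticated Users) scripted in PowerShell, as an added example that is not part of the original post. The function name `Set-ExclusiveFolderAcl` and the `D:\Shares\...` paths are hypothetical; the group names are the ones used in the steps above.

```powershell
# Added example: helper name and share paths are placeholders/assumptions.
function Set-ExclusiveFolderAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]    $Path,
        # Identity -> FileSystemRights, e.g. @{ 'ITStaff' = 'Modify' }
        [Parameter(Mandatory)] [hashtable] $Grants
    )
    # Abort before Set-Acl if a name fails to resolve, so the folder is
    # never written with an empty or partial ACL.
    $ErrorActionPreference = 'Stop'
    $acl = Get-Acl -LiteralPath $Path

    # Step 1b: stop inheriting from the parent. The GUI copies the inherited
    # entries and step 1c then deletes them; passing $false drops them
    # directly, which ends in the same state.
    $acl.SetAccessRuleProtection($true, $false)

    # Step 1c: remove every explicit entry already on the folder.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }

    # Add only the wanted identities (this folder, subfolders and files).
    foreach ($identity in $Grants.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, $Grants[$identity],
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }

    if ($PSCmdlet.ShouldProcess($Path, 'Replace ACL')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    # Return what is actually on disk so the result can be reviewed.
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Procedure 1: only the team (plus admins) can access the folder.
Set-ExclusiveFolderAcl -Path 'D:\Shares\IT' -WhatIf -Grants @{
    'domain.com\enterprise admins' = 'FullControl'
    'ITStaff'                      = 'Modify'          # everything but Full Control
}
# Procedure 2: read-only for every authenticated user.
Set-ExclusiveFolderAcl -Path 'D:\Shares\Public' -WhatIf -Grants @{
    'domain.com\enterprise admins' = 'FullControl'
    'Authenticated Users'          = 'ReadAndExecute'  # read/execute, list, read
}
```

With `-WhatIf` the calls change nothing and only list the current entries; remove it to apply the new ACL.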

To have the subfolders match permissions of a parent folder:

Ex: We once had an issue where the root folder was set up right, but all subfolders had stricter permissions.

To fix this, go to the root folder and open Security – Advanced – Change Permissions, then check the box that says “replace all child permissions…”. This will set all files/folders under the parent folder to have the exact same rights.

If you see a red “x” next to a user in folder permissions:

It is most likely because you have a local account on that server with the same account name as a domain account and that local account is disabled. See here and here.