Reference posts because many SysAdmin’s get requests to setup directories with certain permissions. It’s best to design your network with Group permissions so that individual users can just be added/removed from groups in AD to access certain folders – usually done by department.
- First is the most common request: I need my team to be the ONLY ONES who can see/access this share:
1a. Create the folder in the share
1b. Right click – Properties – Security – Advanced – Change Permissions – Uncheck “Include inheritable..” – Add. This will make them explicit permissions. Click ok all the way back to the Explorer window.
1c. Now go to Properties – Security and remove all entries. Then add only the people you want to have access.
Ex: Add “domain.com\enterprise admins” full control and “ITStaff” with everything but full control (add full control then uncheck just the full control box – this will enable modify, read, write, ect but remove special permissions).
- To allow everyone to view/open files but not be able to delete or add (read only):
2a. Follow steps in step 1.
2b. Add “authenticated users”
2c. Set permissions to “allow” only on read/execute, list folder contents, and read. Do not deny anything or add anything else.
To have the subfolders match permissions of a parent folder:
Ex: We once had an issue where the root folder was setup right, but all subfolders had stricter permissions.
To fix you just go to the root folder and go to Security – Advanced – Change Permissions – Check the box that says “replace all child permissions…”. This will set all files/folders under the parent folder to have the exact same rights.
If you see a red “x” next to a user in folder permissions: