Inherited folder permissions

    Question

  • I'm looking to edit permissions to a folder that's buried 3 folders deep.  I've Googled a few options, but I must not be wording it correctly.

    So I have folder 1, folder 2, folder 3.  Permissions have already been created for folder 1, but when I add another folder, folder 4, and I give permissions to a user, that user doesn't have permissions.  I have to give permissions to folder 1 for that user to have permissions in folder 4.  I assume this has something to do with inheriting permissions, but I'm not exactly sure. Can somebody shed some light on how I should have this configured?  I'm pretty sure it's possible, right?  Otherwise users would have permissions to folders they shouldn't have.

    Friday, June 21, 2013 4:34 PM

Answers

  • Hello sheld0r,

    This can be done, not the most elegant way but the only possible way on NTFS. NTFS, unlike other file systems, has permissions inherited from the top down, I mean, from the top folder to the subfolders, not the opposite.

    This means that if you give permission to user X on folder 4, which is deep in a file tree where the user does not have any other rights, the user will not see folder 4 unless he knows or gets the entire path to it.

    In short, if you give permission to a user deep inside a tree where he is supposed to have permission only to a deep folder, you need to give him permission to SEE the folders only, to be able to navigate from the top to the bottom.

    You achieve this (the user sees the top folder only, and can navigate to the deep levels) by traversing the folders; this means giving the user READ permission to This Folder only. You will set this permission in the Advanced tab, and you should give the user only READ applied to THIS FOLDER ONLY.

    Also, if you share this folder, mark the option to use Access-based enumeration; this is another security setting to ensure the user will only see the folders and files that he was effectively assigned.

    Please let me know if this answers your question and if so, mark it as an answer, or ask for more info. 


    Thank you,

    F. Schubert
    System Administrator

    MCP | Microsoft Certified Professional
    MCTS 70-640 | Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    MCTS 70-642 | Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    MCTS 70-643 | Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuring
    MCTS 70-680 | Microsoft Certified Technology Specialist: Windows 7, Configuration

    Friday, June 21, 2013 6:06 PM
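
The layout described in the answer above, scripted in PowerShell as an added example that is not part of the original reply. The paths, account name and share name are assumptions, and so is the choice of Modify on the deep folder, since the answer does not name that right.

```powershell
# Assumed values for illustration; none of these names come from the thread.
$Root    = 'D:\Data\Folder1'                          # top folder of the tree
$Target  = 'D:\Data\Folder1\Folder2\Folder3\Folder4'  # deep folder the user works in
$Account = 'CONTOSO\jdoe'                             # hypothetical account
$Share   = 'Folder1'                                  # hypothetical SMB share on $Root

function Add-FolderAce {
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit
    )
    # Append one explicit Allow ACE for $Account; existing ACEs are left in place.
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $Rights, $Inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

if (-not $Target.StartsWith("$Root\", [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "Target '$Target' is not below root '$Root'."
}

# Collect every folder from the root down to the target's parent.
$ancestors = @($Root)
$dir = Split-Path -Path $Target -Parent
while ($dir -ne $Root) { $ancestors += $dir; $dir = Split-Path -Path $dir -Parent }

# Read on "This folder only": InheritanceFlags None keeps the ACE off children.
foreach ($folder in $ancestors) { Add-FolderAce -Path $folder -Rights Read -Inherit None }

# Working permission on the deep folder, inherited by its files and subfolders.
# Modify is an assumption here; the answer does not name the right to grant.
Add-FolderAce -Path $Target -Rights Modify -Inherit 'ContainerInherit, ObjectInherit'

# Access-based enumeration on the share (Set-SmbShare: Windows Server 2012 / Windows 8 or later).
Set-SmbShare -Name $Share -FolderEnumerationMode AccessBased -Force

# Review: explicit ACEs for the account; ancestors should show InheritanceFlags None.
foreach ($folder in ($ancestors + $Target)) {
    (Get-Acl -LiteralPath $folder).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and -not $_.IsInherited } |
        Select-Object @{n='Folder';e={$folder}}, FileSystemRights, InheritanceFlags
}
```

Run it from an elevated session on the file server; the final loop lists only explicit entries, so any ancestor showing ContainerInherit or ObjectInherit for the account is granting more than "This folder only".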

All replies

  • So just to make sure I understood, I would make the top folder READ ONLY for that user, and then provide the READ/WRITE permissions in folder 4, deep within.  Is that correct?

    Thanks for the guidance CoffeineNerd.

    Cheers,

    Friday, June 21, 2013 8:59 PM
  • Did I understand that correctly?
    Monday, July 15, 2013 11:15 PM