0

I have a Windows Server 2012 and I need to configure the privileges to a group called DP_Preven. This is the scenario:

  • I have a folder called X where only a few groups have access, inside that folder there is another one called Y.
  • I want group DP_Preven to access with full privileges to the folder Y, but with no privileges or just read privilege to the folder X.
  • Inside X folder there are more subfolders, but DP_Preven should not have access to those folders.

I need to know which privileges I should give to DP_Preven in X.

Anders
  • 64,406
  • 24
  • 178
  • 215
U. Busto
  • 101
  • 3
  • I have tried to give read and list permisions to DP_PREVEN in X and full control in Y. but didn't work. – U. Busto Apr 16 '18 at 13:51

1 Answers1

1

Always use the Advanced Security Settings, where you can see the inheritance options, too.

Your DP_Preven needs:

  • Allow Read & Execute to folder X\ in order to traverse to Y\
  • Allow Modify to Y\*
  • since Z\ doesn't inherit permissions from X\, there's no need for additional Deny.

Here, the Principal DP_Preven permissions for F\ & file are inherited from Y\:

               Access       Inher.  Applies to

X\             Read & exec  None    This folder only
├── Y\         Modify       None    This, subf., files
|   ├── F\     Modify       X\Y\    This, subf., files
│   └── file   Modify       X\Y\    N/A
└── Z\         ---          ---     ---

The Modify is better than Full control as it doesn't allow deleting self i.e. folder Y\.

If Z\ had Allow permission inherited from X\ or its parents, then you need to either disable inheritance or add a Deny that always overwrites any Allow, but I This folder only easier to manage, since you don't have to remember to change the settings for every new subfolder separately.

Esa Jokinen
  • 16,100
  • 5
  • 50
  • 55