How do I deny access to everybody but me in Windows 7?

6

I am trying to set up a file server on my my Windows 7 Pro system at home. I set up one common "Share" folder that I have shared/published. Within the share folder I want to have individual folders for me and my wife...that is only I can read/write my folder and only my wife can read/write to her folder and neither of us can read the contents of the other person's folder. Then I want to have a "public" folder where we can both read/write to contents of the folder as well as any sub-folders created, but my "kids" account can only read from this folder and sub folders. It seems really confusing to set up something like this and it really shouldn't. I am really confused between the "allow", "deny", and dimmed check boxes in the security tab.

It seems that if I "Deny" access to "Everyone" on my private folder, then I don't even have access to it. Windows security seems backwards from the rest of the world's security models. If I am in two groups and I deny access to one of the groups but allow access to the other group then Windows security denies me access as I am in one of the groups that has access disallowed. Very confusing.

GregH

Posted 2010-04-11T05:15:48.783

Reputation: 843

Answers

9

I agree, the security tab is certainly confusing.

I think the key thing to understand is you can Deny a privilege to "everyone else" without explicitly checking the Deny box. "Deny" takes precedence over allow, so denying everyone will mean no-one has that privilege, even those to whom you explicitly grant it.

I think you want this set up;

Your folder

  • Everyone: Uncheck all boxes
  • Your user: Check "Full control"
  • Remove any other user

Your wife's folder

  • Everyone: Uncheck all boxes
  • Your wife's user: Check "Full control"
  • Remove any other user

Shared folder

  • Everyone: Uncheck all boxes
  • Your "kids" user: Check "read"*
  • Your user: Check "Full control"
  • Your wife's user: Check "Full control"
  • Remove any other user

Child folders will inherit their permissions from their parents.

*Here you could optionally deny write, but as the kids user and the everyone user does not have a "check" for write, the user does not get that permission. If you wanted "everyone" to write, but not kids, this is where you would use Deny.

RJFalconer

Posted 2010-04-11T05:15:48.783

Reputation: 9 791

I think the cause of a lot of my problems was the child folders inheriting permissions from the parent. Once I modified so as not to inherit permissions, I got everything to work fine. – GregH – 2010-04-12T14:08:07.460

1

Notice administrators always have full control permission to all folders and files. So, If both you and your wife are administrators - you will still have full control over your wife's folder, and your wife will have full control over your folder. Moreover, even if you'll deny access to your folder from your wife user, she still can get full control - since A member of the Administrators group can take ownership of a file or folder or transfer ownership to another user or group—even if administrators are locked out of the resource according to the permissions.

https://technet.microsoft.com/en-us/magazine/ff404240.aspx

Yaron

Posted 2010-04-11T05:15:48.783

Reputation: 11

0

Deny permissions take precedence over Allow permissions. Instead of adding a Deny permission for Everyone, take away the relevant Allow permissions which might be giving access to the wrong accounts. You might have to uncheck "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here", then make sure there are Allow permissions which give you access.

Hugh Allen

Posted 2010-04-11T05:15:48.783

Reputation: 8 620

Asked: 2010-04-11T05:15:48.783

Viewed: 22 615 times

Active: 2016-04-14T09:05:55.693