Advanced Security Permissions for Shared Drive

2

0

I have a large, shared drive of folders that are automatically created when a client is added to software that we use. I want to allow users to access the folders on the top level of the drive but not write, edit, delete or move any of these (read only). I also want them to be able to access the folders underneath the top folders in the drive with full read/write privileges.

For example:

 Drive X: (shared drive)
 |
 +-- 1. Top Folder 1 (read only)
 |      |
 |      +-- lower folder/files (read/write)  
 |      |
 |      +-- lower folder/files (read/write)  
 |
 |
 +-- 2. Top Folder 2 (read only)
 |      |
 |      +-- lower folder/files (read/write)  
 |      |
 |      +-- lower folder/files (read/write)  

How do I achieve this?

NeilR

Posted 2014-11-12T21:51:37.137

Reputation: 21

Answers

0

You can accomplish your goal with what I call Top Level Folder Permissions.

Summary

  • On the drive's root, grant Read permissions to your users which flow down to all subfolders and files throughout the drive.
  • On each "Top Level" folder in the root drive, apply special permissions that grant users Modify permissions to the folders' contents (all files and subfolders) but not to the Top Level folders themselves.

Steps to Implement

  1. On the Root drive, grant Everyone (or another group of your choice) standard Read permissions
  2. Optionally, on the Root drive, consider ensuring SYSTEM and Administrators are granted Full Control, then remove all other permissions (e.g. those granted to CREATOR OWNER or Users)
  3. On each Top-Level folder:
    • Grant the Everyone group Modify permissions, then edit that permission assignment in the Advanced Security Settings to apply to Subfolders and files only
    • Still in Advanced Security Settings make another entry granting the Everyone group the following specific permissions and apply these to This folder only:
      • Create files / write data
      • Create folders / append data
  4. Repeat step #3 for each Top Level folder

How it Works

The effect of #1 is to grant your security group the ability to Read everything on the drive.

The effect of #3 is to grant your security group the ability to Modify all child objects of your Top Level folders without granting them permission to modify the Top Level folders themselves. This isn't sufficient to permit them to Create anything in the Top Level folders, hence the extra explicit 'create' permissions.

Apply to Many Top Level Folders

The permissions of step #3 above must be applied to each "Top Level" folder. This can be time-consuming if you have many folders. These permissions can be applied to all subfolders in the drive's root using the FOR and ICACLS commands, run in an elevated Command Prompt:

For /D %f In (C:\*.*) Do ICACLS "%f" /grant "Everyone":(OI)(CI)(IO)(M)
For /D %f In (C:\*.*) Do ICACLS "%f" /grant "Everyone":(WD,AD)

As shown, these two commands will modify all subfolders in C:\ to grant the permissions outlined in step #3 to the Everyone group. Modify these two elements to suit your needs. Test first before running on a production system!

I say Reinstate Monica

Posted 2014-11-12T21:51:37.137

Reputation: 21 477

Awesome, thanks so much @Twisty, only annoyance is there are thousands of "Top Level Folders" that need to be restricted to read only with subfolder read/write permissions. I would imagine that this would be done quicker with the cmd prompt. – NeilR – 2014-11-23T18:27:08.943

Script provided in updated answer. No more annoyance! Please upvote if this gets you to where you want to be! – I say Reinstate Monica – 2014-12-01T21:59:05.927
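With thousands of top-level folders, a read-only audit after the bulk ICACLS run confirms that every folder ended up with both ACEs from step #3. The following PowerShell is an added example, not part of the original answer; `$Root`, `$Group` and the helper `Test-Rights` are assumptions chosen for illustration.

```powershell
# Added example: audit the two step-3 ACEs on every top-level folder.
# $Root and $Group are assumptions; set them to your drive and group.
param(
    [string]$Root  = 'X:\',
    [string]$Group = 'Everyone'
)

$modify      = [int][System.Security.AccessControl.FileSystemRights]'Modify'
$createHere  = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'
# Rights that would let the group delete, rename or re-permission the folder itself.
$selfWrite   = [int][System.Security.AccessControl.FileSystemRights]'Delete, ChangePermissions, TakeOwnership'
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]'InheritOnly'

# Hypothetical helper: true when the rule grants every bit in $mask.
function Test-Rights($rule, [int]$mask) { ([int]$rule.FileSystemRights -band $mask) -eq $mask }

$report = foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    $rules = @((Get-Acl -LiteralPath $dir.FullName).Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and $_.AccessControlType -eq 'Allow'
    })

    # (OI)(CI)(IO)(M): Modify on subfolders and files only.
    $childModify = @($rules | Where-Object {
        -not $_.IsInherited -and (Test-Rights $_ $modify) -and
        $_.InheritanceFlags -eq 'ContainerInherit, ObjectInherit' -and
        $_.PropagationFlags -eq 'InheritOnly'
    }).Count -gt 0

    # (WD,AD): create files and folders, this folder only.
    $createInFolder = @($rules | Where-Object {
        -not $_.IsInherited -and (Test-Rights $_ $createHere) -and
        $_.InheritanceFlags -eq 'None' -and $_.PropagationFlags -eq 'None'
    }).Count -gt 0

    # Any ACE that reaches the folder itself (not inherit-only) with delete/owner rights.
    $selfExposed = @($rules | Where-Object {
        (([int]$_.PropagationFlags -band $inheritOnly) -eq 0) -and
        (([int]$_.FileSystemRights -band $selfWrite) -ne 0)
    }).Count -gt 0

    [pscustomobject]@{
        Folder = $dir.FullName; ChildModify = $childModify
        CreateInFolder = $createInFolder; SelfExposed = $selfExposed
    }
}

# Show only folders that deviate from the intended layout.
$report | Where-Object { -not $_.ChildModify -or -not $_.CreateInFolder -or $_.SelfExposed } |
    Format-Table -AutoSize
```

The script only inspects ACEs for `$Group`; run it again for any other group that still holds permissions on the drive (for example the ones mentioned in step 2).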