I feel like I am missing something obvious here. Or just making a noob mistake.

I have a folder structure as shown in the example below. Folder A1 and A2 are inside folder A. Folders B1, B2 are inside folder A1 and so on.

Folder A
|
|
|
|--------Folder A1
|          |---------Folder B1
|          |---------Folder B2
|--------Folder A2
|          |---------Folder C1
|          |---------Folder C2

I want to create a group permission on folder A that prevents users from creating, deleting or moving a file or folder inside of it (i.e. they can't move or delete A1 and A2, etc.), but not affect anything in Folder A1 or A2.

I created the following rules on Folder A Group A (the one I want to limit).

Rule:

Name: Group A
Apply to: this folder and subfolders
    Deny Create files / write data
    Deny Create Folders / append data
    Deny Delete subfolders and files
    Deny Delete

Checkmarked: Apply these permissions to objects and/or containers within this container only.

Rule:

Name: Group A
Apply to: This folder, subfolders and files
Allow everything but Full Control, Delete, change permissions, take ownership

NOT checkmarked: Apply these permissions to objects and/or containers within this container only.

I know many people are against the use of Deny permissions because of the fact it can easily override all others, etc. But I don't feel intelligently set up Deny rules should be ignored as a non-option.

Now the actual problem occurs inside Folders B1, B2, etc.

Inside B1, B2, C1, etc. I can delete folders/files and move folders inside of other folders. I can't, however, create folders or files. I also can't move folders into folders B1, B2, etc. (even though I can move them out).

When I check the permission on the folders inside of A1 or A2 I see nothing wrong. When I check the permissions ON A1, A2 from A I see the rules only apply to THIS folder and not SUBFOLDERS.

A Microsoft Article (TechNet: Selecting where to apply permissions) says that when I checkmark "Apply these permissions to objects and/or containers within this" the rules should only apply to subfolders within Folder A and not subsequent folders.

Any ideas?

Edit: Note: I tried multiple methods including not using Deny or any kind of implicit rules.

StackzOfZtuff
Sarge
  • This is really hard to read/follow. I don't know how you can fix it, but consider giving it a look and seeing how you might make it less of a WALL OF TEXT and streamline what you're trying to get to. – MDMarra Nov 14 '12 at 18:54
  • @MDMarra: I tried to reformat the post a bit. (I am not the original author.) – StackzOfZtuff Jun 09 '15 at 12:36

1 Answer

You probably want to break permission inheritance at A and remove the default Users ACL (or maybe not, up to you).

Create an ACL on Folder A for Group A that applies to "This Folder Only" and set it to Read.

Create another ACL on Folder A for Group A that applies to "Subfolders Only and Files" and set it to Modify (or whatever you want).

This will make it so that people in group A cannot change the folder structure directly below A, but can modify anything at a lower level.


As for this:

When I check the permission on the folders inside of A1 or A2 I see nothing wrong. When I check the permissions ON A1, A2 from A I see the rules only apply to THIS folder and not SUBFOLDERS.

Sounds like someone broke inheritance and propagated a different ACL throughout that subfolder structure. You should fix that so that everything below Folder A inherits from Folder A.

Also, in the future, using a folder name the same as a group in your example makes it a little hard for others to follow :)

MDMarra
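
The two ACEs described in the answer above, scripted in PowerShell as an added example (not code from the answer or the question). The path `D:\Shares\FolderA` and the group `CONTOSO\GroupA` are assumed placeholders; the last loop lists what Group A ends up with on A and on each direct subfolder so the inheritance can be checked.

```powershell
# Added example: path and group name are placeholders, not taken from the post.
$root  = 'D:\Shares\FolderA'     # assumed location of "Folder A"
$group = 'CONTOSO\GroupA'        # assumed name of "Group A"

$acl = Get-Acl -LiteralPath $root

# Break inheritance at A. The second argument ($true) keeps a copy of the ACEs
# inherited so far; pass $false to drop them (e.g. the default Users entry).
$acl.SetAccessRuleProtection($true, $true)

# Remove Group A's existing explicit ACEs on A (such as earlier Deny rules).
$id = New-Object System.Security.Principal.NTAccount($group)
$acl.PurgeAccessRules($id)

# "This folder only": no inheritance flags, no propagation flags.
$thisFolder = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $id, 'Read', 'None', 'None', 'Allow')

# "Subfolders and files only": inherited by containers and objects;
# InheritOnly keeps the ACE from applying to Folder A itself.
$children = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $id, 'Modify', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow')

$acl.AddAccessRule($thisFolder)
$acl.AddAccessRule($children)
Set-Acl -LiteralPath $root -AclObject $acl

# Verify: list Group A's entries on A and on each direct subfolder.
# Below A, IsInherited should be True; False means a subfolder carries its
# own explicit ACE or has inheritance broken and needs to be reset.
$targets = @($root) + @(Get-ChildItem -LiteralPath $root -Directory |
    ForEach-Object { $_.FullName })
foreach ($path in $targets) {
    (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $group } |
        Select-Object @{n='Path'; e={$path}}, AccessControlType,
            FileSystemRights, IsInherited, InheritanceFlags, PropagationFlags
}
```

The `Modify` right includes `Delete`, and the inherited entry applies to A1 and A2 themselves, so review that row in the output if those two folders must also be protected from deletion or renaming.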