
I came across this question asked a couple of years ago about setting permissions via a script and was hoping that there might be a similar script that would work for me with the issue I am having.

Essentially I have 3 Shared Folders on the Network - two of which have permissions that have become so convoluted that I would like to delete the shares - reset all permissions to what they would have been at the initial setup of my SBS installation and then to start over from scratch.

These shares are not user re-directed folders or anything of the sort - they are simply DocShares that I set up on my D: drive

The one most simplistic share that I have which is available to all authenticated users works as planned and has never been messed with.

The second was also fine until just recently and contains the sensitive accounting data etc. and is only available to three users. There is a folder within this share that I intended to give three additional users access to to facilitate a document workflow that sits inside of our accounting system.

This is where all of the trouble began as I failed to realize that no matter what permissions I gave these three users for the 'document approval only people' - they will never gain appropriate access to the folder inside due to the resultant rule of most restrictive permissions being that they have no rights to parent folder.

That said, my plan is to move this folder out of this directory (it doesn't need to be there) and then set everyone up from scratch again, but not without resetting all the NTFS permissions across these folders to clean up the mess that I created in the process.

Many thanks in advance for your insight and help as I am truly at a loss and do not want to rebuild this box from scratch to get it all sorted.

  • If you want users to have access to just a sub folder, then they need “traverse folder” permissions on the parent(s). That’s it, along with the permissions specifically granting permission on the folder. Typically do this with a single, inherited “traverse folder” at the top level folder, for “this folder and sub folders” – Appleoddity Jan 16 '22 at 06:33

1 Answer

While you are asking for a script, I think that using the GUI to just recursively reset all filesystem permissions on a directory would be a much simpler approach if you just have a handful of directories to reset. The basic outline (stolen from an MSDN blog):

  1. Launch an instance of Windows Explorer
  2. Navigate to the parent of the folder that you want to reset permissions for
  3. Right-click on the folder and choose Sharing and Security...
  4. Click on the Security tab
  5. Click the Advanced button
  6. Set the permissions you want - typically you will want to allow Administrators, System, and Creator Owner to have full control
  7. Check the box labeled Replace permission entries on all child objects with entries shown here that apply to child objects
  8. Click OK
  9. Click Yes in the dialog box that appears asking if you are sure
  10. Wait while Windows recursively applies the specified permissions to all sub-folders and files

The crucial part is obviously the checkbox to replace permission entries on all child objects:

[Image: advanced permissions dialog]

Also, the idea of having folder permissions narrow down from more restrictive to less restrictive is always an excellent one from the system management standpoint - it is much easier to document and manage this way. However, your observation that

they will never gain appropriate access to the folder inside due to the resultant rule of most restrictive permissions being that they have no rights to parent folder

is inaccurate. Windows does not care about the parent directories when checking access controls. If your users would not click through \server -> \accounting -> document approval in Windows Explorer but simply type (or use a link opening) \\server\accounting\document approval you would see it magically open even when the permissions only allow access for the subdirectory. So don't let it give you a false sense of security, should you ever create such a setup deliberately.

the-wabbit
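
A scripted equivalent of steps 6 and 7 of the GUI procedure in the answer above, added here as an example and not written by the answer's author. The folder and backup paths are placeholders; it assumes an elevated PowerShell session and the built-in icacls.exe, and it saves the existing ACLs before changing anything.

```powershell
# Added example: scripted form of the GUI reset. Run from an elevated prompt.
param(
    [string]$Root      = 'D:\DocShares\Accounting',  # placeholder path
    [string]$BackupDir = 'D:\AclBackup'              # placeholder path
)
$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $Root -PathType Container)) {
    throw "Folder not found: $Root"
}

# Save the current ACLs first. To undo, run icacls against the PARENT of
# $Root, for example:  icacls D:\DocShares /restore <backup file> /C
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ("acl-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
icacls $Root /save $backup /T /C /Q
if ($LASTEXITCODE -ne 0) { throw 'ACL backup failed; nothing was changed.' }

# Step 6: build a fresh ACL for the top folder. Well-known SIDs are used so
# the script does not depend on the OS display language.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)  # block inheritance, copy nothing
$entries = @(
    @{ Sid = 'S-1-5-32-544'; Propagation = 'None' },        # Administrators
    @{ Sid = 'S-1-5-18';     Propagation = 'None' },        # SYSTEM
    @{ Sid = 'S-1-3-0';      Propagation = 'InheritOnly' }  # CREATOR OWNER
)
foreach ($e in $entries) {
    $id   = New-Object System.Security.Principal.SecurityIdentifier $e.Sid
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit',
        $e.Propagation, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $Root -AclObject $acl

# Step 7: drop every explicit entry below the top folder so children carry
# only what they inherit from it. /T recurses, /C continues past errors.
icacls (Join-Path $Root '*') /reset /T /C /Q
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Some items were not reset; compare against $backup."
}

# Show the resulting ACL on the top folder for a quick visual check.
icacls $Root
```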