
I have a scenario with a lot of child folders, and some of them need to have explicit NTFS permissions without disabling inherited NTFS permissions. It looks something like this:

- root (contains NTFS group-root)
  - child1 - Needs explicit permissions (contains group-root, needs to add group-child1)
  - child2 - Doesn't need a change (contains group-root)
  - child3 - Needs explicit permissions (contains group-root, needs to add group-child3)
  - child4 - Needs explicit permissions (contains group-root, needs to add group-child4)
  - child5 - Needs explicit permissions (contains group-root, needs to add group-child5)
  - child6 - Doesn't need a change (contains group-root)
  - child7 - Doesn't need a change (contains group-root)

Is there a way to have only group-childX on the child folders that need explicit permissions, without disabling inheritance?

Note: The users present in group-root may also be in group-child1, group-child3, group-child4 and group-child5. The reason for this is that the child folders that need explicit permissions (without disabling inheritance) are for a particular domain user holding sensitive data that needs to be shared only with the group-childX NTFS group. I don't want to remove inherited permissions because that would make folder administration too complicated. I tried adding deny permissions for group-root on the child folders child1, child3, child4, child5 and adding group-childX, but it denied access for users in both groups.

damyog
  • Of course this is possible. Add an ACE for the relevant groups to the ACL of the relevant folder. So, add the permissions for the group to the child folder. You can have both inherited and explicit (direct) permissions defined on a folder. – joeqwerty May 25 '17 at 17:10
  • Thank you joeqwerty. The purpose is I have to deny permissions for users and groups on child folders, and I tried applying a deny write ACE on the relevant ACLs, but somehow it denied the read permissions as well. – damyog Jun 23 '17 at 13:44
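The approach described in joeqwerty's comment, as an added example that is not part of the original question or answer: an explicit Allow ACE for group-childX is added to one child folder while inheritance stays enabled, and the resulting ACL is listed so inherited and explicit entries can be told apart. The folder path and domain group name are assumptions for illustration.

```powershell
# Added example (not from the original post). Grant an explicit Allow ACE to
# group-childX on a child folder WITHOUT disabling inheritance, then verify.
# $Folder and $Group are assumed values; replace them with your own.
param(
    [string]$Folder = 'D:\root\child1',
    [string]$Group  = 'CONTOSO\group-child1'
)

$acl = Get-Acl -Path $Folder

# Explicit Allow ACE: Modify on this folder, its subfolders and its files.
# An Allow ACE is used rather than a Deny on group-root: Deny ACEs are evaluated
# before Allow ACEs, so a Deny for group-root would also block group-childX
# members who are in group-root, which is exactly what the asker observed.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($rule)

# Do NOT call $acl.SetAccessRuleProtection($true, ...) here: that is what
# "disable inheritance" does, and the inherited group-root ACEs must stay.
Set-Acl -Path $Folder -AclObject $acl

# Verify: AreAccessRulesProtected must still be False (inheritance on), and the
# new entry must show IsInherited = False (explicit ACE beside inherited ones).
$acl = Get-Acl -Path $Folder
'Inheritance disabled on {0}: {1}' -f $Folder, $acl.AreAccessRulesProtected
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Run it from an elevated session as an account that holds Full Control or ownership on the child folder; the final table shows the inherited group-root entry and the explicit group-childX entry side by side.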

1 Answer


To remove a group's or user's ACE without disabling inheritance, use `CACLS <folder> /E /R <group/user>`. I know that CACLS is deprecated, but I have not found any equivalent when using iCacls or SETACL.

Patrick Mevzek
VulcainMM