Allow one member of a security group to access a folder, deny access to the remaining members of the same security group

Question

I wish to know if the following is possible and how to apply it within AD structure running on windows server 2012R2.

I apply folder access using security groups. Example = Agents folder can only be viewed by those members of agent security group. Within Agent folder are a number of sub folders that correspond to individual agents name. In order to avoid adding individual accounts to the folders I want to add the agents security group to the individual folders but only allow access and view for the named agent of the folder (who is a member of the security group) excluding all other members of the security group. Is this possible? Or is it more work than just adding individuals Any input would be much appreciated even if is a simple no this is not possible many thanks

Answer 1

In order to avoid adding individual accounts to the folders I want to add the agents security group to the individual folders but only allow access and view for the named agent of the folder (who is a member of the security group) excluding all other members of the security group. Is this possible?

No, it isn't. At least not in the way you've proposed it. You can't simultaneously Allow and Deny access to the folder for a Security Group while granting Allow permissions to a specific member of that security group without adding that specific user to the ACL of the folder with the appropriate permissions. What you can do is to grant the Agents security group the appropriate permissions to the parent folder and then grant the individual agents the appropriate permissions to their own folders. This is no different than granting a "global" group the appropriate permissions to a parent folder and granting individual users the appropriate permissions to their "personal" folder within the parent folder, which is a very common and widely used method.