NTFS Permissions

Description:

Reference posts because many SysAdmin’s get requests to setup directories with certain permissions. It’s best to design your network with Group permissions so that individual users can just be added/removed from groups in AD to access certain folders => usually done by department.

To Resolve:

1. First is the most common request: I need my team to be the ONLY ONES who can see/access this share:

   • Create the folder in the share

   • Right click => Properties => Security => Advanced => Change Permissions => Uncheck “Include inheritable…” => Add. This will make them explicit permissions. Click ok all the way back to the Explorer window.

   • Now go to Properties => Security and remove all entries. Then add only the people you want to have access.

   • Example: Add domain.com\enterprise admins full control and ITStaff with everything but full control (add full control then uncheck just the full control box => this will enable modify, read, write, ect but remove special permissions).

2. To allow everyone to view/open files but not be able to delete or add (read only):

   • Follow steps in step 1.

   • Add authenticated users

   • Set permissions to allow only on read/execute, list folder contents, and read. Do not deny anything or add anything else.

3. To have the subfolders match permissions of a parent folder:

   • Example: We once had an issue where the root folder was setup right, but all subfolders had stricter permissions.
   • To fix you just go to the root folder and go to Security => Advanced => Change Permissions => Check the box that says “replace all child permissions…”. This will set all files/folders under the parent folder to have the exact same rights.

4. If you see a red “x” next to a user in folder permissions:

   • It is most likely because you have a local account on that server with the same account name as a domain account and that local account is disabled. See here and here.