Our directory structure does need refactoring and as a solution to this, we're
strongly encouraging our users to move their files to SharePoint Online. Once
we have departmental buy-in, we plan to "flip" all user permissions to
read-only. We have a mess of permissions - everything from group based,
explicit, broken inheritance, etc. Each top level folder on our network share
is a departmental folder with folders within it a few levels deep. We will be
working with each department individually, one at a time.
From your experience, what is the best/easiest/cleanest way to "flip"
permissions to read-only for all users one departmental folder at a time?
Options I've considered thus far -
Run a report of the current permissions and then using icacls, modify
all to read-only. (stumbled on this today -
https://gallery.technet.microsoft.com/scriptcenter/PowerShellAccessControl-d3be7b83)
I just downloaded Quest's Security Explorer and plan to test it out.
Many thanks.
- Tammy
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Kurt Buff
Sent: Tuesday, November 14, 2017 2:51 PM
To: ntsysadm <[email protected]>
Subject: Re: [NTSysADM] Accessing only a lower level folder in a share
You need to adjust the permissions in the directory tree, and breaking
inheritance is the wrong way of doing it.
Change the permissions at each level so that they are explicitly defined to
allow "This Folder and Files" for those who only need to see the files in that
directory, but not other subdirectories.
Also, it seems as if your directory structure needs refactoring - it's way too
complex if you're running into these kinds of permission problems.
Kurt
On Tue, Nov 14, 2017 at 8:51 AM, Michael Leone <[email protected]> wrote:
> It's been so long since I've had to do this, I need a check. I'm doing
> something fundamentally wrong, I think.
>
> We use groups to set share/ACLs on folders. I got a request to share a
> 4th level sub-folder with other employees not in the ACL. So what I
> have is:
>
> Folder A1 (shared)
> -->>B2
> -->>C3
> -->> D4 (this is the one I want to allow access to)
>
> Now, the share permissions on A1 are for DevelopmentGroup, and the NTFS
> permissions are the same. Those permissions just flow down to B2, C3
> and D4 (i.e., normal inheritance).
>
> Now, I'm pretty sure the only way to allow access to only D4, and not
> allow access to B2 and C3 or even see files there, is to enable ABE.
> But I've never done that, and am leery of enabling it in production,
> without a whole lot more testing and forethought (I shudder to think of
> all the help desk calls, if I get something wrong).
>
> Am I correct that only ABE will do what I am thinking of (allow access
> only to D4 and hide contents of A1, B2, C3)?
>
> Barring ABE, there's nothing I can do, short of granting a new group
> access to D4, and living with the consequences?
>
> Thoughts? At this point, I want to just add the new group to the NTFS
> permissions of D4 only, and live with the fact that these new group
> members can see everything higher up.
>
>
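One way to do the "flip to read-only" Tammy asks about, one departmental folder at a time, written here as an added PowerShell example (not code from anyone in this thread): it snapshots the folder's ACLs with icacls /save so the change can be rolled back, then replaces every explicit Allow ACE that carries a write-type right with an equivalent ReadAndExecute ACE, keeping the ACE's inheritance and propagation flags. The folder path, backup file name and the list of principals left writable are assumptions; without -Apply it only reports what it would change.

```powershell
param(
    [Parameter(Mandatory)] [string] $DepartmentFolder,          # e.g. \\fileserver\Shares\Finance (placeholder)
    [string] $BackupFile = "$env:TEMP\acl-backup.txt",           # assumed location for the icacls snapshot
    [string[]] $KeepWritable = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'),
    [switch] $Apply                                              # dry run unless -Apply is given
)

# 1. Snapshot the current ACLs of the whole department tree first.
#    Roll back later with:  icacls "$DepartmentFolder" /restore "$BackupFile"
icacls "$DepartmentFolder" /save "$BackupFile" /T /C | Out-Null

$R = [System.Security.AccessControl.FileSystemRights]
# Any explicit ACE carrying one of these bits can change content or permissions.
$writeMask = $R::WriteData -bor $R::AppendData -bor $R::Delete -bor
             $R::DeleteSubdirectoriesAndFiles -bor $R::WriteAttributes -bor
             $R::WriteExtendedAttributes -bor $R::ChangePermissions -bor $R::TakeOwnership
# The replacement right set: list/read/traverse only.
$readOnly  = $R::ReadAndExecute -bor $R::Synchronize

# 2. Walk the department tree (folders and files). Only explicit ACEs are rewritten;
#    inherited ACEs come from the parent and are fixed when the parent is processed.
$targets = @(Get-Item -LiteralPath $DepartmentFolder) +
           @(Get-ChildItem -LiteralPath $DepartmentFolder -Recurse -Force)
foreach ($item in $targets) {
    $acl = Get-Acl -LiteralPath $item.FullName
    $changed = $false
    foreach ($ace in @($acl.Access)) {                           # copy, since we modify $acl in the loop
        if ($ace.IsInherited) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }     # leave Deny entries untouched
        if ($KeepWritable -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }   # already read-only

        # Same principal, same inheritance/propagation, reduced rights.
        $ro = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ace.IdentityReference, $readOnly, $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
        $acl.RemoveAccessRuleSpecific($ace)
        $acl.AddAccessRule($ro)
        Write-Output ("{0}: {1} [{2}] -> ReadAndExecute" -f $item.FullName, $ace.IdentityReference, $ace.FileSystemRights)
        $changed = $true
    }
    if ($changed -and $Apply) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
}
```

Run it once without -Apply against one department folder and compare the report with the permissions export before committing; the icacls snapshot is the safety net if a department needs its write access back.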