Changing Windows permission non-recursively

permissions windows-server-2008

I have a Windows Storage Server 2008 machine acting as our company file server. I need to give someone access to some folders and files in our Marketing folder (which contains easily 100,000+ files). The user needs access to Marketing/images, but nothing else in the marketing folder. So my thought is to add read privileges to the Marketing folder, and then add read/write to the images folder, subfolders and files.

When I go to add the permissions on the Marketing folder, I select the correct read permissions and then I set the scope to "This folder only". When I click apply, it seems to touch every file within the Marketing folder (which takes forever). In the end it only added his permissions to the Marketing folder like I expected, but it still had to touch every other single file.

What is it doing? All the other files inherit their permissions, so is it telling every single file "Inherit permissions from Marketing except for user John Doe"? Am I doing it wrong?

Best Answer

You can actually just grant the user the appropriate permissions directly on the images folder without giving them any permissions on the parent folder. The "Bypass traverse checking" user right will allow the user to traverse a set of folders to which they have no permissions to get to a folder to which they do have permissions. Note that the user will have to explicitly access the path to the images folder as they won't be able to browse to it.

From the "Bypass traverse checking" user right explanation:

Bypass traverse checking

This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Default on workstations and servers:

Administrators, Backup Operators, Users, Everyone, Local Service, Network Service

Default on domain controllers:

Administrators, Authenticated Users, Everyone, Local Service, Network Service, Pre-Windows 2000 Compatible Access
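
The approach from the answer above, as an added PowerShell example that is not part of the original post: grant the ACE on the images folder only, confirm the user has no explicit entry on the parent, and check that "Bypass traverse checking" (SeChangeNotifyPrivilege) is still assigned. The path `D:\Shares\Marketing` and the account `CONTOSO\jdoe` are placeholders, and the script assumes an elevated prompt.

```powershell
# Added example. Placeholder values below are assumptions; adjust to your environment.
$Parent = 'D:\Shares\Marketing'        # hypothetical path to the Marketing folder
$Target = Join-Path $Parent 'images'   # the only subtree the user should reach
$User   = 'CONTOSO\jdoe'               # hypothetical account

# 1. Grant Modify on images only. (OI)(CI) makes the ACE inheritable by files
#    and subfolders, so only the images subtree is updated; the rest of
#    Marketing is never touched because nothing changes on the parent.
icacls $Target /grant "${User}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Target" }

# 2. Confirm the user has no explicit ACE on the parent. This checks the
#    account itself, not groups it belongs to (e.g. Users), so review group
#    entries separately if the goal is "nothing else in Marketing".
$parentAces = (Get-Acl -Path $Parent).Access |
    Where-Object { $_.IdentityReference.Value -eq $User }
if ($parentAces) {
    Write-Warning "$User has an explicit entry on $Parent"
    $parentAces | Format-Table FileSystemRights, AccessControlType, IsInherited -AutoSize
} else {
    Write-Output "No explicit ACE for $User on $Parent"
}

# 3. Export the user-rights assignment and show who holds Bypass traverse
#    checking. Holders are listed as SIDs (*S-1-1-0 is Everyone). If a policy
#    has removed the defaults, direct access to the images path will fail.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern '^SeChangeNotifyPrivilege' |
    ForEach-Object { $_.Line }
Remove-Item $cfg

# 4. Show the resulting ACL on the target for review.
icacls $Target
```

Because the user has no list permission on Marketing, test by opening the full path to the images folder directly rather than browsing down from the share root.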