How to grant read-only permissions on NTFS Security settings

file-permissions ntfs permissions

Is it possible to create a security group that can read who has permission to do what on NTFS folders but without granting Full Control or letting the group open files within those folders?

Best Answer

The minimum permission required to read a folder's permissions (DACL) is READ_CONTROL ("Read Permission"). If you also want to be able to view the folder's subfolders, FILE_LIST_DIRECTORY ("List Folder") is required.

But beware: When set on a directory, FILE_LIST_DIRECTORY gives you the right to list the children, but when set on a file it allows you to read the content.

So you probably want to use FILE_LIST_DIRECTORY+READ_CONTROL, set that on a root directory and have the permissions apply (inherit) to subfolders only, but not to files.

With SetACL you could set such permissions like this:

SetACL -on PathToDirectory -ot file -actn ace -ace n:UserOrGroup;p:list_dir,read_dacl;i:so
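
The same grant expressed with PowerShell and the .NET access-rule classes instead of SetACL, as an added example that is not part of the original answer. The function names, the temporary demo tree and the use of BUILTIN\Users as a stand-in for the auditing group are assumptions made for illustration.

```powershell
# Added example (not from the original answer).
# Grants "List folder" + "Read permissions" on a root folder so that the ACE is
# inherited by subfolders only (ContainerInherit) and never by files.
function Grant-AclReadOnly {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity  # e.g. a hypothetical 'CONTOSO\AclAuditors'
    )
    # ListDirectory = FILE_LIST_DIRECTORY, ReadPermissions = READ_CONTROL
    $rights = [System.Security.AccessControl.FileSystemRights]'ListDirectory, ReadPermissions'
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # subfolders, not files
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Returns the ACEs that name $Identity on a file or folder.
function Get-AceFor {
    param([string] $Path, [string] $Identity)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object @{ n = 'Path'; e = { $Path } }, FileSystemRights, IsInherited, InheritanceFlags
}

# Constructed demo tree under %TEMP%: root\sub\secret.txt
$root = Join-Path $env:TEMP ("acl-demo-" + [guid]::NewGuid())
$sub  = Join-Path $root 'sub'
$file = Join-Path $sub 'secret.txt'
New-Item -ItemType Directory -Path $sub -Force | Out-Null
Set-Content -LiteralPath $file -Value 'constructed sample content'

$group = 'BUILTIN\Users'   # stand-in for the real auditing group (assumption)
Grant-AclReadOnly -Path $root -Identity $group

# Check the result: the ACE should be listed for the root (explicit) and the
# subfolder (inherited), and no ACE from this grant should be listed for the file.
$root, $sub, $file | ForEach-Object { Get-AceFor -Path $_ -Identity $group } | Format-Table -AutoSize

Remove-Item -LiteralPath $root -Recurse -Force
```

If the group already holds other rights further up the tree, those inherited ACEs will also show in the output, so review them before concluding the group cannot open files.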
