I have a scenario with a lot of child folders, and some of them need to have explicit NTFS permissions without disabling inherited NTFS permissions. It looks something like below:
root (contains NTFS group-root)
child1 – Needs explicit permissions (contains group-root, needs to add group-child1)
child2 – Doesn't need a change (contains group-root)
child3 – Needs explicit permissions (contains group-root, needs to add group-child3)
child4 – Needs explicit permissions (contains group-root, needs to add group-child4)
child5 – Needs explicit permissions (contains group-root, needs to add group-child5)
child6 – Doesn't need a change (contains group-root)
child7 – Doesn't need a change (contains group-root)
Is there a way to have only group-childX on the child folders that need explicit permissions without disabling inheritance?
Note: The users present in group-root may also be in group-child1, group-child3, group-child4 and group-child5. The reason for this is that the child folders that need explicit permissions (without disabling inheritance) are for a particular domain user holding sensitive data that needs to be shared with only the group-childX NTFS group. I don't want to remove inherited permissions because that would make folder administration too complicated. I tried adding deny permissions for group-root on the child folders child1, child3, child4, child5 and adding group-childX, but it denied access for users in both groups.
Best Answer
To remove a group's or user's ACE without disabling inheritance, use
CACLS *folder* /E /R *group/user*
I know that CACLS is deprecated but I have not found any equivalent when using iCacls or SETACL.
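For checking the result on the folder layout from the question, the following added example (not part of the original question or answer) grants each group-childX an explicit ACE while leaving inheritance enabled, then lists every ACE per child folder with its inherited/explicit flag. The `D:\root` path, the `EXAMPLE` domain prefix and the `Modify` right are assumptions chosen for illustration.

```powershell
# Added example. D:\root, the EXAMPLE\ domain prefix and the Modify right
# are placeholders, not values taken from the page.
$root   = 'D:\root'
$grants = @{
    'child1' = 'EXAMPLE\group-child1'
    'child3' = 'EXAMPLE\group-child3'
    'child4' = 'EXAMPLE\group-child4'
    'child5' = 'EXAMPLE\group-child5'
}

foreach ($name in $grants.Keys) {
    $path = Join-Path $root $name
    $acl  = Get-Acl -LiteralPath $path

    # Explicit allow ACE that also applies to subfolders and files.
    # Inheritance from the parent is not touched by AddAccessRule.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $grants[$name], 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl
}

# Audit: one row per ACE on every child folder.
# InheritanceDisabled = $true means the folder no longer inherits from root.
# IsInherited = $true marks ACEs that come from the parent (e.g. group-root).
$report = foreach ($folder in Get-ChildItem -LiteralPath $root -Directory) {
    $acl = Get-Acl -LiteralPath $folder.FullName
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Folder              = $folder.Name
            InheritanceDisabled = $acl.AreAccessRulesProtected
            Identity            = $ace.IdentityReference.Value
            Type                = $ace.AccessControlType
            Rights              = $ace.FileSystemRights
            IsInherited         = $ace.IsInherited
        }
    }
}

$report | Sort-Object Folder, IsInherited | Format-Table -AutoSize

# Explicit Deny ACEs are evaluated before inherited Allow ACEs, so flag them:
# a Deny on a group blocks every member of it, whatever other groups allow.
$report | Where-Object { $_.Type -eq 'Deny' -and -not $_.IsInherited }
```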