Inheritance of NTFS attributes "P" and "U"

Question

Hi,

Is there any way of making the P and U attributes inheritable from a root folder?

I'm asking as we have several RDS customers with OneDrive and the GPO policies available for OneDrive does not contain any options to forcefully set the equivalent of "attrib +U -P /s", totally disabling the use of locally cached files.

GPO-wise the closest you'll get is the "Convert synced team site files to online-only files" along with the "Use OneDrive Files On-Demand". These though are not enough to enforce a policy where ALL of the users OneDrive content is ALWAYS only available online in order to save disk space on the RDS hosts.

As it is right now I'm getting the feeling I'll have to run a local script on each RDS host executing the "attrib +U -P /s" command on all user folders nightly which is ineffective and sub-optimal.

For RDS hosts, a GPO setting totally disabling the "Always keep on this device" would be preferred even though nightly clearing of locally cached files would be needed as well unless a new GPO setting could be introduced where locally cached files are cleared on user logoff.

Also, worth noting is that it would be nice to be able to set these attributes in the advanced ntfs rights in AD DS when setting general folder permissions.

Answer 1

Hi,

You can try this method:

1. Open File Explorer and navigate to the root folder where you want to set the permissions.
2. Right-click on the folder and select "Properties".
3. In the Properties dialog box, select the "Security" tab.
4. Click on the "Advanced" button to open the Advanced Security Settings dialog box.
5. In the Advanced Security Settings dialog box, click on the "Change Permissions" button.
6. Select the group or user for which you want to configure permissions and click on the "Edit" button.
7. In the Permission Entry dialog box, go to the "Advanced" tab. Here, you can set the permissions to apply to "This folder, subfolders and files".

To set the P and U attributes, scroll down to the "Attributes" section and check the boxes for "Read-only (only applies to files in folder)" and "Exclude files from being indexed".

Click "OK" to save the changes.

These permissions will now be inherited by all subfolders and files within the root folder, effectively disabling the use of locally cached files for OneDrive.

Just checking in to see if the information was helpful. Please let us know if you would like further assistance.

---

If the response is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Sadly this is not possible. When looking at rights in AD DS you can't modify file/folder attributes, only permissions.

Answer 3

Hi, yes if I understand correctly you can make the P and U attributes inheritable from a top level folder. You'll probably want two commands.

//Set the top level attributes - these will be inherited for any new files subsequently created inside this folder.
attrib +u C:\OneDrive\Folder /d & attrib -p C:\OneDrive\Folder /d

//Set the attributes for all subfolders and files inside the directory
attrib +u C:\OneDrive\Folder\*.* /d /s & attrib -p C:\OneDrive\Folder\*.* /d /s

After running those two commands everything in your folder should have a +u -p attribute, including any new files you create subsequently.