ICACLS permissions to make a folder and its contents unchangeable?

Ken Morley 21 Reputation points
2021-06-15T16:48:58.51+00:00

We have a document management system on a Windows Server 2019 system (NTFS filesystem) that holds many PDF documents. The DM is organized by subject (customer name, vendor name, etc.) with sub-folders for each individual year as in the following example:

\SRV-DOCUMENTS\DM\Vendors\Contoso:

  • 2019
  • 2020
  • 2021

New documents are added to the current year sub-folders. Previous year sub-folders are historical and should never change again. All folders and files are currently owned by the domain administrator.

All folders must allow read for all users. Other than that, we want to lock down the permissions such that only one specific domain account can add new files to only current year sub-folders and no one other than domain administrator (the owner) can modify previous year sub-folders in any way. We want the previous year sub-folders to be unchangeable except by domain administrator.

It would be nice if we could develop permissions to apply at the parent folder level (DM in this example) that would be inherited by all sub-folders. That would provide everyone read access, the one specific domain account permission to add new files and make the domain administrator the only account capable of modifying anything. Then, I would go back and add the more restrictive permission (denying that one specific user the ability to add new files) to each of the previous years folders.

Going forward, at the beginning of each new year I would build the new year sub-folders and then add the more restrictive permission to the previous year sub-folders.

I think this can be done using ICACLS, but I am not clear as to which permissions to grant and which to deny for which users. Also, I would appreciate a recursive command example that targets all sub-folders named with a given year. For example, a recursive command that targets all sub-folders named exactly "2019". Does anyone have any suggestions?

Thanks in advance!


2 answers

  1. Sunny Qi 11,031 Reputation points Microsoft Vendor
    2021-06-17T10:12:25.597+00:00

    Hi,

    Welcome to our Q&A platform.

    My understanding is that permission to subfolders of users in Domain users group was inherited from DM. And you need these domain users only have read access to folder 2019, 2020 and have read, write, or modify permission to the specific folder 2021. Please help confirm if my understanding is correct.

    Please kindly note that permissions inherited from parent folder cannot be modified, I would like to confirm with you which permission you want to grant to these domain users for further troubleshooting.

    Best Regards,
    Sunny

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Ken Morley 21 Reputation points
    2021-06-17T12:27:42.867+00:00

    Thank you for the reply. Let me clarify the goal:

    Set ICACLS permissions on the DM (the parent) folder so that all domain users have list folder and read permissions. That will allow regular users to locate the documents and view them. These users will not have any ability to delete, modify or even add new files anywhere in the DM structure (the parent folder and all sub-folders). I expect to use the built-in "Everyone" group to represent these users.

    One specific user will get one additional permission: "Scanner_Operator" will have the ability to add new files in addition to the permissions granted Everyone above.

    Finally, the domain administrator will have full control to add, delete, modify and write anywhere in the structure.

    There are current year folders ("2021", for example) where Scanner_Operator is adding documents throughout the year. There are prior year folders (like "2019", for example) that are historical and should never change again. Scanner_Operator will only have permission to add to the current year folders and that permission will be revoked following end of year.

    First question: Please clarify which ICACLS permissions are appropriate to make this work as described and how that will apply to users and groups. For example, I think that domain admin is a member of the built-in "Everyone" group. So if I assign a deny permission to group Everyone, will that also block domain administrator? Do permit permissions override deny permissions?

    Second question: Please provide an example command that will recurse the DM structure and only change permissions on folders named exactly "2021". At the end of the calendar year, I will be modifying the permissions on thousands of current year folders named "2021". So I need a command that will recurse the DM structure and only change the permissions on the thousands of sub-folders named "2021".

    Thanks very much - I appreciate your assistance!

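An added example, not code from the thread, showing the allow-only permission model asked for in the original question and the year-folder targeting asked for in the follow-up, as PowerShell calling icacls. It assumes placeholders: the share's local path is D:\DM, the domain is CONTOSO, the scanning account is CONTOSO\Scanner_Operator and full control belongs to CONTOSO\Domain Admins.

```powershell
# Added example, not from the thread.  Placeholders: the DM share lives at D:\DM
# (shared as \\SRV-DOCUMENTS\DM), the domain is CONTOSO, the scanning account is
# CONTOSO\Scanner_Operator and full control belongs to CONTOSO\Domain Admins.
$Root    = 'D:\DM'
$Scanner = 'CONTOSO\Scanner_Operator'
$Admins  = 'CONTOSO\Domain Admins'

# 1. Baseline on the parent, inherited by every subfolder and file (allow-only).
#    Anything not granted is denied, so no deny ACE is needed.  A deny on Everyone
#    would be wrong: Everyone also contains the administrator, and deny ACEs are
#    evaluated before allow ACEs.  Ownership by itself only gives READ_CONTROL and
#    WRITE_DAC, so the administrator needs an explicit Full Control ACE.
icacls $Root /inheritance:r /grant "Everyone:(OI)(CI)RX" `
                                   "${Admins}:(OI)(CI)F" `
                                   "NT AUTHORITY\SYSTEM:(OI)(CI)F"
icacls "$Root\*" /reset /T /C /Q    # children: drop stray explicit ACEs, inherit from DM

# 2. Helpers that touch only folders named exactly $Year, anywhere under DM.
function Get-YearFolder([string]$Year) {
    Get-ChildItem -Path $Root -Directory -Recurse | Where-Object { $_.Name -eq $Year }
}

# Open a year: Scanner_Operator may create files in the folder itself (WD = add file).
# No (OI)/(CI) flags, so existing files and subfolders stay read-only for that account.
function Open-Year([string]$Year) {
    foreach ($dir in Get-YearFolder $Year) {
        icacls $dir.FullName /grant "${Scanner}:(WD)" /C /Q
    }
}

# Close a year: remove the extra grant rather than adding a deny; the account then
# falls back to the inherited Everyone read-only access like any other user.
function Close-Year([string]$Year) {
    foreach ($dir in Get-YearFolder $Year) {
        icacls $dir.FullName /remove:g $Scanner /C /Q
    }
}

# Audit: every folder where the scanning account still holds an explicit (non-inherited) ACE.
function Find-ScannerGrant {
    Get-ChildItem -Path $Root -Directory -Recurse | Where-Object {
        (Get-Acl -Path $_.FullName).Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -eq $Scanner
        }
    } | Select-Object -ExpandProperty FullName
}

Open-Year  '2021'     # current year: scanner may add files
Close-Year '2020'     # at year end: previous year becomes read-only for the scanner
Find-ScannerGrant     # expected to list only the 2021 folders
```

Run it from an elevated session on the file server; the /reset step wipes any explicit ACEs on subfolders, so run Open-Year for the current year afterwards, as the script does.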
