Access Rule Folders and Files

Alex Kovalev 6 Reputation points
2022-06-14T04:44:25.96+00:00

I have a file server on Windows Server (2012/2016). I have other OS versions.
I have a problem. I have a file structure.

Folder A
--- Folder B
---File A

Folder A has 4 security groups: 2 default (SYSTEM and Administrators) and 2 DC security groups - Read and Read\Write (where user accounts are added). *Folder A* has inheritance disabled.
File A is special and important. I would like to add an access rule - Deny for the group "Host/Users", so that users can't delete my important file.

I know that an explicit Deny has higher priority than other access rules, but users with the Read\Write access rule level can delete my File A. Why?

P.S. I tried other default groups (Everyone, Domain Users, etc.). I got no result.


3 answers

  1. Newbie Jones 1,366 Reputation points
    2022-06-15T09:37:56.927+00:00

    This is more advice than a straight up answer. (I wouldn't call it best practice).

    Don't break inheritance
    Don't apply deny rights.
    Don't apply rights to individual files.

    It's a support overhead that is just not needed.

    Apply SYSTEM and the local administrators group at the root and let this filter down. Apply permissions to the folders as appropriate.

    If you want to limit access to this file, then move it to its own folder at the same level as folder 'A' and apply the appropriate permissions to the folder. Write access for yourself, and read for everyone else (if that's appropriate).

    This should be the core principle: if you want to restrict access to folders or files, move them to an appropriate level where you can apply permissions without breaking inheritance or using deny rights.

    Last tip, restrict access by groups not individual accounts. (With a caveat for home drives).

    1 person found this answer helpful.

  2. Limitless Technology 39,791 Reputation points
    2022-06-15T07:45:15.027+00:00

    Hi AlexKovalev-8923,

    You can check the ownership: Properties > Security > Advanced Settings > Owner

    Use the Deny permission sparingly, but if you have provided read and write permission and prevent deletion, the user can still delete all the content in the file and save it blank, which will be equal to deleting.

    Since it's the most important file, I recommend that you keep a backup of it too.

    To automatically schedule backups for Windows Server 2016, select “Backup Schedule” to launch the Backup Schedule Wizard. Click Next to get started. Then you can choose to back up all the server data, applications and system state with Full server, or only custom volumes and files with Custom.

    For more information, please refer to the following documentation:

    Set up or customize server backup - https://learn.microsoft.com/en-us/windows-server-essentials/manage/set-up-or-customize-server-backup

    File and Folder Permissions - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732880(v=ws.10)

    Determine Where to Apply Permissions - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771309(v=ws.10)

    ----------------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--


  3. Newbie Jones 1,366 Reputation points
    2022-06-15T12:43:52.573+00:00

    Don't break inheritance on "Folder A".

    You should be able to break the inheritance on the file itself and then provide Full Control to SYSTEM, Local administrators group, and a group that allows access (so no deny rights needed).
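
One way to apply the approach from the last answer in PowerShell, as an added example that is not part of the original thread: it breaks inheritance on the file only, leaves Allow entries for SYSTEM, Administrators and an access group, then lists who holds "Delete subfolders and files" on the parent folder, because Windows allows a delete through that right even without Delete on the file itself. The path, the group name and the choice of read-only rights for the access group are assumptions.

```powershell
# Added example. $file and $group are placeholders, not values from the thread.
$file  = 'D:\Shares\FolderA\FileA.txt'
$group = 'CONTOSO\FolderA-Readers'

# Well-known SIDs, so the script does not depend on localized account names.
$system = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'      # SYSTEM
$admins = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators
$users  = [System.Security.Principal.NTAccount]$group

$fsr = [System.Security.AccessControl.FileSystemRights]
$acl = Get-Acl -LiteralPath $file

# Break inheritance on the file only; $false drops the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

# Remove explicit entries left on the file, including old Deny rules.
foreach ($ace in @($acl.Access)) {
    [void]$acl.RemoveAccessRuleSpecific($ace)
}

# Allow-only entries. Assumption: the access group gets read-only rights.
$grants = @(
    @{ Identity = $system; Rights = $fsr::FullControl },
    @{ Identity = $admins; Rights = $fsr::FullControl },
    @{ Identity = $users;  Rights = $fsr::ReadAndExecute }
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Identity, $g.Rights, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $file -AclObject $acl

# List principals allowed "Delete subfolders and files" on the parent folder.
# Full Control includes this right; Modify does not.
$deleteChild = [int]$fsr::DeleteSubdirectoriesAndFiles
$parent = Split-Path -Path $file -Parent
(Get-Acl -LiteralPath $parent).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $deleteChild) -ne 0)
    } |
    Select-Object IdentityReference, FileSystemRights
```

Run it from an elevated session as an account that can change permissions on the file. Any non-administrative principal in the final listing can still delete File A regardless of the ACL on the file.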

