How to lock down folder and file creation on a root folder

How to lock down folder and file creation on a root folder

Want to know how to lock down folder and file creation on a root folder?

No?  Well then why the hell are you here?

Oh…. You said no doubt…

Well good, cause like you, I have a large collection of clients that like to dump their crap in my carefully maintained server folder structure

I’d swear I see 10 empty “New Folders” show up every week

Never fear nerd, I know how to lock down folder and file creation on a root folder without having to go through the hassle of adjusting the security of each folder one by one.

  • We want to make security changes to ONLY the root folder so that you can maintain the security settings of all your sub-folder’s (otherwise all your carefully setup subfolder rights will get wiped out)
  • If we change the security settings of the root folder to “can’t create folders” and “can’t create files” then all of the sub-folders that have inheritance turned on are going to absorb that setting and create a completely locked down
  • So, to start, we need to disable inheritance on the subfolders of your root folder so they don’t get completely locked down
  • On the Windows server open up the command prompt and enter this comman

icacls F:\parent\*.* /inheritance:d

  • Where I have “f:\parent” put in your root folder
    • In the inheritance parameter you have 3 choices

E – enables inheritances

d – disables inheritance but keeps the existing security settings

r – disables inheritance and removes existing security settings

Now we can lock down the Root Folder without affecting the settings of the subfolders

  • Choose your command wisely nerd, as this can do a lot of damage if not properly thought out.  I choose D because it lets me maintain my existing security settings on all the folders, it simply disables inheritance so that the security settings of the root folder I am about to limit with not propagate to all my subfolders
  • Now that we have disabled inheritance, right click on the root folder, go to ‘properties’ and then choose the ‘security’ tab
  • Click on ‘advanced’ and ‘change permissions’ and then edit the group you want to limit (in my case its domain users)
  • Un-check the Allow  box on “create files” and the Allow box on “create folders” or check Deny (the verbiage will depend on your Windows Server OS version)
  • Make sure you still leave any admins with full control on the root
  • Hit OK and Apply and then it should quickly make the adjustment
  • Test with the admin and see if you can create files and folders and then login as a domain user and test there as well

This is How to lock down folder and file creation on a root folder of a Windows Server share

I’m starting a Facebook Group for techs and admins like you and me with the goal of helping spread better strategies and best practices so that we can all do a better job of not being “that guy”  – Join here

 

No Comments

Post A Comment