NTFS Permissions and sub-Folders

[Rickey Whitworth]

We want to create a folder structure similar to the following:

-Root
--Folder 1
---Folder 1-1
---Folder 1-2
--Folder 2
---Folder 2-1
---Folder 2-2

We will then have 2 security groups, Folder_Editors and Folder_Admins

We want Folder_Editors to be able to see any of the folders, but not be able
to add files or folders in the first level (under the root folder). In
addition, we want them to be able to have modify permissions under the
second level (under Folder 1 and under Folder 2).

We can get that far, but we also want to make sure that a Folder_Editor
cannot drag Folder 2 into Folder 1. All the options we have tried so far
give modify rights to Folder 1 and Folder 2, not just there contents, so
dragging is possible. What is the best way to handle this scenario?

 

[lee.rowland]

Off hand here is what I visualize for you permissions:

-Root
-Folder_Admins: Full Control
-Folder_Editors: Allow Read, Deny Write, Deny Modify
(Denying modify and write will not let them change anything in the
root folder)
(Also, make sure Inherit Permissions from Parent is disable under
advanced permissions)

--Folder (1/2)
--Folder_Admins: Full Control
--Folder_Editors: Everything but Full Control
(Now allow Inherit Permissions from Parent and the subfolders will
follow the same permission patterns as on the second layer folders)

 

[Rickey Whitworth]

Deny modify includes deny list folder contents, meaning I cannot see the
folder at all. I tried just denying write and read, then granting different
permissions to Folder 1 and Folder 2 (also set them to not inherit).

A user can still drag Folder 1 into Folder 2 (although they cannot drag it
back to the root afterwards)