Want to know how to lock down folder and file creation on a root folder?
No? Well then why the hell are you here?
Oh…. You said no doubt…
Well good, cause like you, I have a large collection of clients that like to dump their crap in my carefully maintained server folder structure
I’d swear I see 10 empty “New Folders” show up every week
Never fear nerd, I know how to lock down folder and file creation on a root folder without having to go through the hassle of adjusting the security of each folder one by one.
- We want to make security changes to ONLY the root folder so that you can maintain the security settings of all your sub-folder’s (otherwise all your carefully setup subfolder rights will get wiped out)
- If we change the security settings of the root folder to “can’t create folders” and “can’t create files” then all of the sub-folders that have inheritance turned on are going to absorb that setting and create a completely locked down
- So, to start, we need to disable inheritance on the subfolders of your root folder so they don’t get completely locked down
- On the Windows server open up the command prompt and enter this comman
icacls F:\parent\*.* /inheritance:d
- Where I have “f:\parent” put in your root folder
- In the inheritance parameter you have 3 choices
E – enables inheritances
d – disables inheritance but keeps the existing security settings
r – disables inheritance and removes existing security settings
Now we can lock down the Root Folder without affecting the settings of the subfolders
- Choose your command wisely nerd, as this can do a lot of damage if not properly thought out. I choose D because it lets me maintain my existing security settings on all the folders, it simply disables inheritance so that the security settings of the root folder I am about to limit with not propagate to all my subfolders
- Now that we have disabled inheritance, right click on the root folder, go to ‘properties’ and then choose the ‘security’ tab
- Click on ‘advanced’ and ‘change permissions’ and then edit the group you want to limit (in my case its domain users)
- Un-check the Allow box on “create files” and the Allow box on “create folders” or check Deny (the verbiage will depend on your Windows Server OS version)
- Make sure you still leave any admins with full control on the root
- Hit OK and Apply and then it should quickly make the adjustment
- Test with the admin and see if you can create files and folders and then login as a domain user and test there as well
This is How to lock down folder and file creation on a root folder of a Windows Server share
I’m starting a Facebook Group for techs and admins like you and me with the goal of helping spread better strategies and best practices so that we can all do a better job of not being “that guy” – Join here
