
Document describes how to set folder privileges on

Group naming convention SOP_M-folder.subfolder-permission

Permission is either LF, R or F

List Folder (LF)

This allows folder traversal only; it should be used sparingly to avoid deeply nested or confusing inheritance structures.  All subfolder ACL groups should be members of it (e.g., sop_m-folder.subfolder-f is a member of sop_m-folder-lf).

icacls M:\folder /grant ad\group:RX

Read (R)

Allows the group to read files; a user can copy them to another destination where they have Full access and modify the copy there.

icacls M:\folder /grant "ad\group:(OI)(CI)RX"

Full (F)

Consists of two rules:

  1. Read, write and execute on the folder where the ACE is defined
    icacls M:\folder /grant ad\group:RXW
  2. Full on files and subfolders (inherit-only), so that files can be moved between destinations even when the user is not the owner, and so that the inherited permissions are changed to match the destination.
    icacls M:\folder /grant "ad\group:(OI)(CI)(IO)F"

Do NOT create a rule allowing Full privilege on a directory that inherits a rule allowing Full privilege, as the directory could then be renamed or deleted, leaving the rule and the group name inaccurate or obsolete.  The best practice is to move the child directory where the conflicting Full rule would be applied to the root of the hierarchy, so that inheritance is applied consistently from the top down.  Users should submit a request if/when the folder needs to be deleted so that IT can also delete the ACL group(s).
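As an added example (not part of the original SOP), a PowerShell helper that derives the group name from the naming convention above, emits the matching icacls commands for LF, R and F, and lists the explicit Full ACEs on a folder that already inherits Full, which is the case the paragraph above says not to create. The function names are assumptions; the `ad` domain prefix and M: drive follow the page.

```powershell
# Added example, not the SOP's own tooling. Function names are hypothetical.

function Get-SopGroupName {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][ValidateSet('LF','R','F')][string]$Permission)
    # M:\folder\subfolder  ->  SOP_M-folder.subfolder-F
    $drive = (Split-Path -Qualifier $Path).TrimEnd(':')
    $rel   = (Split-Path -NoQualifier $Path).Trim('\') -replace '\\', '.'
    return 'SOP_{0}-{1}-{2}' -f $drive, $rel, $Permission
}

function Get-SopIcaclsCommands {
    # Returns the icacls command line(s) for one permission level, ready to review
    # before running; nothing is executed here.
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][ValidateSet('LF','R','F')][string]$Permission,
          [string]$Domain = 'ad')
    $grp = '{0}\{1}' -f $Domain, (Get-SopGroupName -Path $Path -Permission $Permission)
    switch ($Permission) {
        'LF' { 'icacls "{0}" /grant "{1}:RX"' -f $Path, $grp }           # folder only
        'R'  { 'icacls "{0}" /grant "{1}:(OI)(CI)RX"' -f $Path, $grp }   # folder + children
        'F'  { 'icacls "{0}" /grant "{1}:RXW"' -f $Path, $grp            # rule 1: this folder
               'icacls "{0}" /grant "{1}:(OI)(CI)(IO)F"' -f $Path, $grp } # rule 2: inherit-only
    }
}

function Test-SopConflictingFull {
    # Returns the explicit (non-inherited) Allow FullControl ACEs on a folder that
    # also receives Allow FullControl by inheritance. An empty result means no conflict.
    param([Parameter(Mandatory)][string]$Path)
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $rules = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $full) -eq $full)
    }
    $inherited = $rules | Where-Object { $_.IsInherited }
    if ($inherited) { $rules | Where-Object { -not $_.IsInherited } }
}

# Usage (paths are placeholders):
Get-SopIcaclsCommands -Path 'M:\folder\subfolder' -Permission F
Test-SopConflictingFull -Path 'M:\folder\subfolder'
```

The audit lists every explicit Full ACE, including built-in administrative ones, so review its output rather than treating every row as a violation of the SOP.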

Interesting Caveats

  • Using the `move` command in cmd carries the source folder's permissions with it, regardless of whether inheritance is enabled on the destination's parent.
    • Use `robocopy %SOURCE% %DESTINATION% /dcopy:t /COPY:DATO /MOVE /TEE` to move a folder from the command line; this copies timestamps and owner but has the security permissions replaced by those inherited from the destination's parent.
  • Drag and drop respects inheritance as expected.