Protecting subfolders from deletion

Problem:

(h/t BZ)

A user frequently complains about missing folders, which is caused by someone accidentally moving or deleting a folder. They request that only some users have the right to delete folders.

Solution:

To protect the direct contents of the parent folder while still allowing changes to be made inside the subfolders, follow these steps.

Connect to the DC and open Active Directory, go into a folder, and create two new groups. Name the groups and set Scope to Global and Type to Security. After the groups have been created, add the users who will be the folder's admins to one group; the other group will hold the users with limited access.

Open File Explorer and find the folder that needs to be protected. Right-click the parent folder and select Properties. In the Properties window select Security, and click Advanced.

Click Disable inheritance. A popup will appear; click “Remove all inherited permissions from this object” to clear all security settings.

Once inheritance has been removed, click Add and add the group with admin permissions to the folder, giving it Full control. Click OK when completed.

Click Add once more and select the group that will receive the special permissions. Under Applies to, select This folder only. Under Advanced permissions, click Show advanced permissions and unselect the following:

  • Traverse folder / execute file
  • Read attributes
  • Read extended attributes
  • Read permissions

The only box that should be checked is List folder / read data. Click OK. This gives the users the ability to see the subfolders of the parent folder, but nothing else (no create, edit, copy, delete, move).

Click Add again and select the same group. Under Applies to, select Subfolders and files only. Under Advanced permissions, click Show advanced permissions, select Full control, and unselect Delete. Click OK.

This gives the users the permissions to create, copy, edit, delete, and move the contents of the subfolder, but not the folder itself.

What follows should look as such:

Click OK to apply changes, and OK to close the Properties window.

Now the permissions have been applied.
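
The same three permission entries applied from PowerShell, as an added example that is not part of the original write-up. The folder path and both group names are placeholders; run it from an elevated session as an account allowed to change permissions on the folder.

```powershell
# Placeholders (assumptions): replace with your own folder and groups.
$Path         = 'D:\Shares\Projects'        # parent folder to protect
$AdminGroup   = 'CONTOSO\Projects-Admins'   # group that gets Full control
$LimitedGroup = 'CONTOSO\Projects-Users'    # group with limited access

$fsr  = [System.Security.AccessControl.FileSystemRights]
$rule = 'System.Security.AccessControl.FileSystemAccessRule'

# "Full control" with only the Delete right cleared, as in the GUI step.
# "Delete subfolders and files" stays set, so contents of a subfolder can
# still be deleted through that subfolder, but the top-level subfolders
# cannot: users hold neither Delete on them nor delete-child on the parent.
$fullNoDelete = [System.Security.AccessControl.FileSystemRights](
    [int]$fsr::FullControl -bxor [int]$fsr::Delete)

$rules = @(
    # Admin group: Full control on this folder, subfolders and files.
    New-Object $rule -ArgumentList $AdminGroup, 'FullControl',
        'ContainerInherit,ObjectInherit', 'None', 'Allow'

    # Limited group, "This folder only": List folder / read data and nothing else.
    New-Object $rule -ArgumentList $LimitedGroup, 'ListDirectory',
        'None', 'None', 'Allow'

    # Limited group, "Subfolders and files only": everything except Delete.
    New-Object $rule -ArgumentList $LimitedGroup, $fullNoDelete,
        'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow'
)

$acl = Get-Acl -LiteralPath $Path

# Disable inheritance and drop the inherited entries
# ($true = protect from inheritance, $false = do not keep a copy).
$acl.SetAccessRuleProtection($true, $false)

foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -LiteralPath $Path -AclObject $acl

# Review the result: expect one entry for the admin group and two for the
# limited group, all with IsInherited = False.
(Get-Acl -LiteralPath $Path).Access |
    Format-Table IdentityReference, FileSystemRights,
                 InheritanceFlags, PropagationFlags, IsInherited -AutoSize
```

Explicit entries that were already set directly on the folder are not removed by this script, so check the final table for anything unexpected.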