0

I want to prevent a user from accessing disk D: except for his personal D:\Documents folder. The user belongs to the Users group. I don't want to restrict the whole Users group, so I should somehow create a new group with all the same permissions but without access to D:

How can I do that?

1 Answer

0

You should only create a group if more than one user (or user-like) account will be placed in that group. I recommend you do not create a new group, and instead deny the specific user access to everything except the d:\documents folder itself, because it is more directly pursuant to your end goal. Alternatively, however, you could create a group of everyone else, but that will require additional management and maintenance every time a new user is added.

In reference to your title, it is not possible to copy a group's permissions. Permissions are stored in the filesystem on the file objects themselves (or their metadata), so the entire disk would have to be searched if someone chose to write a feature to copy permissions (which they haven't).

My recommendation is, on the D:\ drive object, add the user to the permissions list, and edit the user's permissions to Deny the user everything except "List Folder Contents". On the d:\documents directory, grant the user full control.

Finally, on the d:\documents directory, enter the Security tab's advanced view (clicking "Change Permissions" along the way) and uncheck "Include inheritable permissions from this object's parent". You will be prompted to copy or remove permissions inherited from the parent, so select "copy", then remove the deny rule. Last, check the box "Replace all child object's permissions with inheritable permissions from this object", and click Apply. Windows will set the child permissions and uncheck the box automatically.

That way the user can get to the d:\documents, but cannot read/write anything except within that directory.

Another, less manageable approach would be to create a group for all users except the one in question, grant that group full control to the d:\ root, and remove the Users group from the permissions list entirely. Then on the d:\documents, add the user with full control.

Neither of these approaches is entirely optimal, but either will work.

4
  • The first approach won't work because when something is denied on the upper level (D:) it takes precedence over a nested allowance (D:\Documents). For the second one, I need the user to have the same limitations as normal users from the Users group. Unfortunately, I don't know which permissions are set for which system directories and what other permissions (not file system) should be set...
    – Vlad
    Commented Jul 22, 2015 at 19:21
  • Not if you sever inheritance.
    Commented Jul 22, 2015 at 20:23
  • That's interesting! How can I do it?
    – Vlad
    Commented Jul 22, 2015 at 20:35
  • I found it, thanks. Could you add the "sever inheritance" part to your answer, please?
    – Vlad
    Commented Jul 22, 2015 at 20:50
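
The GUI steps from the answer, including the "sever inheritance" step discussed in the comments, scripted with `icacls` from an elevated PowerShell prompt. This is an added example, not part of the original answer or comments. The account name `PC01\restricted.user` is hypothetical, and splitting the deny into a folder-only entry and a file-only entry is one assumed reading of "deny everything except List Folder Contents".

```powershell
#Requires -RunAsAdministrator
# Added example. $User is a hypothetical account name; replace it with the real one.
$User = 'PC01\restricted.user'
$Root = 'D:\'
$Docs = 'D:\Documents'

function Invoke-Icacls {
    # Run icacls.exe and stop the script as soon as one call fails.
    param([Parameter(Mandatory)][string[]]$Arguments)
    & icacls.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "icacls $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. On D:\, deny the user everything outside "List folder contents".
#    Assumption: on folders (CI) only write/delete/permission rights are denied,
#    so traverse and list stay available through the Users group;
#    on files (OI)(IO) full control is denied.
Invoke-Icacls $Root, '/deny', "${User}:(CI)(DE,WDAC,WO,WD,AD,WEA,DC,WA)"
Invoke-Icacls $Root, '/deny', "${User}:(OI)(IO)F"

# 2. On D:\Documents, grant the user full control for the folder, subfolders and files.
Invoke-Icacls $Docs, '/grant', "${User}:(OI)(CI)F"

# 3. Sever inheritance from D:\, keeping a copy of the inherited entries
#    (the "copy" choice in the dialog).
Invoke-Icacls $Docs, '/inheritance:d'

# 4. Remove the copied deny entries for this user; the grant from step 2 is kept.
Invoke-Icacls $Docs, '/remove:d', $User

# 5. Replace the ACLs of everything below D:\Documents with entries inherited from it.
if (Get-ChildItem -LiteralPath $Docs -Force | Select-Object -First 1) {
    Invoke-Icacls "$Docs\*", '/reset', '/T'
}

# 6. Print both ACLs to confirm: deny entries on D:\, none on D:\Documents.
Invoke-Icacls $Root
Invoke-Icacls $Docs
```

Step 1 propagates the deny entries to every object on D: that still inherits from the root, so it can take a while on a large volume.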
