NTFS Again...
2 Questions...

Question 1: I have a share whereby I am trying to tighten directory ACL permissions. Our parent folder, let's say A:\data, has the current permissions I want to apply to 99% of all subdirectories (child objects) and files, i.e. it's currently being shared to groupA and groupB. However, other subdirectories have weaker permissions, i.e. they haven't inherited the parent object's permissions, and are being shared to groupA, groupB and groupC. As I have learnt today, "bypass traverse checking" means if users of groupC knew file paths they'd get access to these folders/files.

My problem lies in the fact I have some subdirectories that need even tighter ACLs than the parent folder. So if I tick "Replace permission entries on all child objects with entries shown here that apply to child objects" on the parent, it is going to make some subdirectories more open than they are currently? Is there any workaround so I still apply permissions from parent to all child objects, with the exception of those folders that need tighter controls?

Question 2: Given the same parameters above. A user (with full access) sets up a subfolder called A:\data\folder1\restrictedto2users\file.xls. He just grants access to this subfolder to himself and 1 other user. And nobody else can access the folder and files within. All other users also have full control at folder1 level but cannot seemingly access A:\data\folder1\restrictedto2users\file.xls. Is the subfolder and files held within A:\data\folder1\restrictedto2users\file.xls secure, i.e. can only be accessed by user A and user B, or is there a way anyone in GroupA or GroupB could access this folder also? The folder in question (restrictedto2users) won't let me right-click the folder and see permissions. Yet in the folder above (folder1) I have full control.

Thanks
July 22nd, 2010 6:00pm

Anyone?
July 23rd, 2010 12:27pm

Response for question 1: If you tick "Replace permission entries on all child objects with entries shown here that apply to child objects" on the parent folder, it may make some subfolders more open than they are currently. I recommend that you change NTFS permissions for each subfolder separately without ticking "Replace permission entries on all child objects with entries shown here that apply to child objects" on the parent folder.

Response for question 2: A:\data\folder1\restricted\restrictedto2users\file.xls is a file and not a folder. I recommend that you give access only to your two users for the folder A:\data\folder1\restricted\restrictedto2users to avoid security problems caused by temporary file creation. This will be a secure solution and the NTFS permissions for this folder will deny access to the other users.

Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Best regards.
July 25th, 2010 3:36am

Sorry, I did mean the permissions are set to only allow access to 2 users on the folder: A:\data\folder1\restricted\restrictedto2users

I just wondered if other users could add themselves to the ACL if they had full permissions on the parent folder: A:\data\folder1\restricted\

Also, you mention "to avoid security problems caused by temporary files creation"... Could you go into more detail? That sounds interesting...
July 25th, 2010 5:44pm

Temporary files can be created if you are running a file. As an example, let's suppose that you are running a file named test.docx (a Microsoft Office Word file). Another file containing information about the running file will be created in the same folder and can be reachable by hackers if you are not sure that users will take the same permissions on the newly created file. If you give permissions to users on the folder containing this file, even the temporary file will be only reachable by these users. That is why it is recommended to apply NTFS permissions on folders and not only on the files.

The same thing is recommended when you are using EFS encryption because the temporary file, if you encrypt only the file, will not be encrypted and hackers will be able to extract information about the encrypted file through it. If you encrypt the folder containing your file to encrypt, even the temporary file will be encrypted.

So, as a conclusion, if you would like to apply NTFS permissions or EFS encryption, do it on the folder hosting your targeted file.

Best regards.
July 25th, 2010 6:13pm
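
For Question 1, a read-only PowerShell audit can list which subfolders differ from the parent before anyone ticks the replace option, so the tighter folders can be left out and only the looser ones corrected. This is an added example, not part of any post in the thread: `A:\data` is the thread's placeholder path, the function name `Get-AllowIdentity` is hypothetical, and the comparison looks only at which identities hold Allow entries, not at their rights levels or at Deny entries.

```powershell
# Added example: read-only audit; it changes no ACLs.
# 'A:\data' is the placeholder path from the thread; pass the real root with -Root.
param([string]$Root = 'A:\data')

function Get-AllowIdentity {
    param($Acl)
    # Names holding at least one Allow ACE (inherited or explicit).
    # Rights levels and Deny ACEs are not compared here.
    @($Acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique)
}

$parentIds = Get-AllowIdentity (Get-Acl -LiteralPath $Root)

Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dir = $_.FullName
        try {
            $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop
        } catch {
            # A folder whose ACL the auditing account cannot read
            return [pscustomobject]@{ Path = $dir; Verdict = 'ACL unreadable'
                InheritanceDisabled = $null; Extra = ''; Missing = '' }
        }
        $ids     = Get-AllowIdentity $acl
        $extra   = @($ids       | Where-Object { $parentIds -notcontains $_ })
        $missing = @($parentIds | Where-Object { $ids -notcontains $_ })

        # Folders that still inherit and match the parent need no review
        if (-not $acl.AreAccessRulesProtected -and -not $extra -and -not $missing) { return }

        if ($extra)       { $verdict = 'Looser than parent: review' }
        elseif ($missing) { $verdict = 'Tighter than parent: keep as is' }
        else              { $verdict = 'Same identities, inheritance off' }

        [pscustomobject]@{
            Path = $dir; Verdict = $verdict
            InheritanceDisabled = $acl.AreAccessRulesProtected
            Extra = $extra -join '; '; Missing = $missing -join '; '
        }
    } | Format-Table -AutoSize -Wrap
```

Rows marked "ACL unreadable" correspond to folders like the one in Question 2, where the account running the audit cannot view the permissions at all.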

This topic is archived. No further replies will be accepted.
