NTFS Permissions conundrum
I have a logon script that creates a folder for a user on a remote server if the folder doesn't already exist. The script works fine, but I'm having trouble with the actual permissions.

My folder structure looks like this:

\\Server Share\Users\User Folder1
\\Server Share\Users\User Folder2
\\Server Share\Users\User Folder3, etc.

User1 is the Creator Owner of User Folder1, etc., etc., à la the script. I want the user who created the folder to have modify and write permissions, but they should only have read permissions for the other users' folders. For example: User1 can create folders and modify files and folders in User Folder1, but User1 can only read the contents of User Folder2. Users should also not be able to create other folders in the Users folder. The only folders that should be in there are the ones for each user that were created by the script.

Sorry, I know that's probably really confusing. Does anyone have any ideas on how I can adjust permissions on the Users folder to give me what I want on the subfolders that will be created? Thanks!
June 20th, 2008 10:25pm

Hello,

From the description:

Under \\Server Share\Users\, only "user folders" can be created. Users should not access this folder nor create any custom folders outside the script.

Under \\Server Share\Users\User Folder1, \User Folder2, \User Folder3, the creator owner can have full control of their own folder. All users have general read permission to all user folders.

Please correct me if there is any misunderstanding.

---------------------------------------------------------------

\\Server Share\Users\

You should grant all users the "List folder/Read Data" deny permission, applied onto "This folder only". This will prevent users from listing or creating folders in Explorer. Then create an ACE to grant all users the "Full Control" allow permission. (This will enable users to create their own user folder via the script.)

Note: Experienced users can still create folders under \\Server Share\Users\ via the command line. So to make the Users folder as secure as possible, you should pre-create all user folders.

\\Server Share\Users\User Folder1, \User Folder2, \User Folder3

By default, the CREATOR OWNER group ACE inherited from the parent folder grants the FULL CONTROL allow permission on the folder. Because the script runs under the user's security context, the creator owner of that specific folder is the user himself. In other words, the user who creates the user folder has the FULL CONTROL allow permission on his user folder by default.

The last thing that should be done in the script is to grant all users the READ allow permission on all user folders.

I know it is really puzzling. Hope it will help.
June 24th, 2008 1:42pm

I guess I'm a little unclear about this part:

"\\Server Share\Users\ You should grant all users the "List folder/Read Data" deny permission, applied onto "This folder only". This will prevent users from listing or creating folders in Explorer. Then create an ACE to grant all users the "Full Control" allow permission. (This will enable users to create their own user folder via the script.) Note: Experienced users can still create folders under \\Server Share\Users\ via the command line. So to make the Users folder as secure as possible, you should pre-create all user folders."

My script is actually a logon script that creates the user folder when the user logs on, if that folder isn't already created. So, the folder will already be pre-created. If I deny users the List Folder/Read Data permission, won't that make it so they can't see other folders? Also, if I give them Full Control on their own folder, then they would be able to change permissions, correct? Also, since they don't have write permissions to the \\server share\users folder, wouldn't that prevent them from initially creating the folder to begin with? Thanks for your help!
June 24th, 2008 3:29pm

Hello,

One thing I forgot to explain is that all these permissions are left only on the \\Server Share\Users\ folder. Subfolders should not inherit permissions from it.

"If I deny users the List Folder/Read Data permission, won't that make it so they can't see other folders?"

Yes, Explorer will not be able to list this folder or create subfolders or files in it if you deny users the List Folder/Read Data permission.

"Also, if I give them Full Control on their own folder, then they would be able to change permissions, correct? Also, since they don't have write permissions to the \\server share\users folder, wouldn't that prevent them from initially creating the folder to begin with? Thanks for your help!"

Yes, so to narrow down the users' permission on the \\Server Share\Users\ folder, you can allow users only the Create Folders/Append Data permission, applied onto This folder only. This will grant users the least permission, only to create subfolders in it.
June 25th, 2008 1:46pm
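The ACL the two replies above describe, assembled with the inheritance and propagation flags that the GUI's "Apply to" choices map onto, as an added PowerShell example that is not part of the thread. It assumes the share is \\Server\Share and the group is DOMAIN\Domain Users (both placeholders). Two deliberate departures from the replies, because of the concern raised about users changing their own folder's permissions: CREATOR OWNER gets Modify rather than Full Control, and an OWNER RIGHTS entry (Windows Server 2008 and later) is added so that owning the folder does not by itself let the user rewrite its DACL.

```powershell
# Added example (not from the thread). Run once, as an administrator of the
# file server. $UsersRoot and $UsersGroup are placeholders for your environment.
$UsersRoot  = '\\Server\Share\Users'
$UsersGroup = 'DOMAIN\Domain Users'

# Well-known SIDs, used instead of names so the script is locale-independent.
$CreatorOwner   = New-Object System.Security.Principal.SecurityIdentifier('S-1-3-0')
$OwnerRights    = New-Object System.Security.Principal.SecurityIdentifier('S-1-3-4')
$Administrators = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$LocalSystem    = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')

# The GUI's "Apply to" choices expressed as InheritanceFlags / PropagationFlags.
$ThisFolderOnly      = @{ Inherit = 'None';                            Propagate = 'None' }
$SubfoldersFilesOnly = @{ Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'InheritOnly' }
$ThisFolderAndBelow  = @{ Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'None' }

function New-AllowAce($Identity, $Rights, $Scope) {
    # Hypothetical helper: builds one Allow ACE from an identity, a rights
    # name and one of the scope hashtables above.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Scope.Inherit, $Scope.Propagate, 'Allow')
}

$aces = @(
    # Users may create subfolders directly in Users and nothing else there:
    # no List Folder, no Delete, no Write on the root itself.
    (New-AllowAce $UsersGroup 'CreateDirectories' $ThisFolderOnly)
    # Users may read whatever ends up beneath Users, i.e. other users' folders.
    (New-AllowAce $UsersGroup 'ReadAndExecute' $SubfoldersFilesOnly)
    # Whoever creates a folder gets Modify on it, not Full Control, so the ACE
    # itself grants neither Change Permissions nor Take Ownership.
    (New-AllowAce $CreatorOwner 'Modify' $SubfoldersFilesOnly)
    # Windows Server 2008 and later: an OWNER RIGHTS ACE replaces the implicit
    # READ_CONTROL/WRITE_DAC that an object's owner otherwise always has, so the
    # creator cannot edit the DACL of his own folder even though he owns it.
    (New-AllowAce $OwnerRights 'ReadPermissions' $SubfoldersFilesOnly)
    (New-AllowAce $Administrators 'FullControl' $ThisFolderAndBelow)
    (New-AllowAce $LocalSystem 'FullControl' $ThisFolderAndBelow)
)

$acl = Get-Acl -LiteralPath $UsersRoot
# Stop inheriting from the share root and drop any explicit ACEs already there,
# so the DACL on Users is exactly the list above.
$acl.SetAccessRuleProtection($true, $false)
foreach ($old in ($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($old)
}
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -LiteralPath $UsersRoot -AclObject $acl

# Verify: entries shown with (OI)(CI)(IO) are inherit-only, i.e. they apply to
# "Subfolders and files only" and grant nothing on the Users root itself.
icacls $UsersRoot
```

Two things worth checking after applying this. First, a user can still open \\Server\Share\Users\User Folder2 by full path without List Folder on Users, because the Bypass traverse checking privilege (SeChangeNotifyPrivilege) is granted to Everyone by default; Explorer just cannot enumerate the root. Second, Create Folders on the root cannot be limited to "one folder per user": anyone holding that right can create as many folders there as they like, which is the conflict the later reply in this thread points out. The share permissions must also allow Change, or the NTFS ACL is never reached.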

I understand what you're saying, but I only want users to be able to create one folder, which is the folder that gets created when the script runs. After that, they shouldn't be able to create any folders, unless they are subfolders to that original folder that the script created.
June 25th, 2008 3:34pm

I'm sorry, but you totally didn't answer my question at all. You gave me a brief tutorial on NTFS permissions, but you absolutely danced around my question. Don't mark it as the answer.
July 2nd, 2008 3:46pm

Hi Lauren,

According to the description, you have the following requirements:

1. Users can create a subfolder via the logon script; however, they should not be able to create other folders in the Users folder.
2. Users can only have Modify and Write permission on the folder they created and only have Read permission on other users' folders.

From the NTFS permission point of view, the requirements in the first item are in mutual conflict. To enable a user to use his own credentials to create a subfolder, the user will have the permission to create other folders in the Users folder.

Considering the current situation, you may consider the following option:

1. Grant Full Control permission on the \\Server Share\Users folder to a specific user account and only grant the Users group the Read permission.
2. To create user folders properly, you will need to run the logon script as the specific user who has create folder permission on the server share.
3. After you create the folder, you will need to set the subfolder permissions in the script to grant the logon user Modify and Write permission.

The drawback of this option is that the script needs to run as another user.

Laura Zhang - MSFT
July 4th, 2008 10:21am
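The option described in the answer above, as an added PowerShell example that is not the thread's logon script: it provisions one folder per user and grants that user Modify, and it is written to run under the provisioning account that holds Full Control on the Users root, so the logged-on user never needs write access to the root at all. The share path, the account names and the function name New-UserFolder are assumptions.

```powershell
# Added example (not the thread's script). Runs as the provisioning account
# (placeholder DOMAIN\svc-userfolders) that has Full Control on the Users root,
# while the Users group holds Read there. Because inheritance is left on, the
# Read ACE flows to every user folder and gives all users read access to each
# other's folders, which is the second requirement in the thread.
function New-UserFolder {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UsersRoot,   # e.g. \\Server\Share\Users
        [Parameter(Mandatory)] [string] $UserName     # e.g. DOMAIN\user1
    )

    # Derive the folder name from the account name and refuse anything that
    # could escape the root: separators, traversal components, reserved chars.
    $leaf = ($UserName -split '\\')[-1]
    if ([string]::IsNullOrWhiteSpace($leaf) -or $leaf -in @('.', '..') -or
        $leaf.IndexOfAny([System.IO.Path]::GetInvalidFileNameChars()) -ge 0) {
        throw "Refusing unsafe folder name derived from '$UserName'."
    }
    $path = Join-Path -Path $UsersRoot -ChildPath $leaf

    # Resolve the account before creating anything, so a typo or a deleted
    # account does not leave behind a folder nobody can use.
    $sid = (New-Object System.Security.Principal.NTAccount($UserName)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        $null = New-Item -Path $path -ItemType Directory
    }

    $acl = Get-Acl -LiteralPath $path
    # One explicit ACE for this user on this folder, subfolders and files.
    # Modify excludes Change Permissions and Take Ownership, and the owner of the
    # folder is the provisioning account (it created the folder), so the user
    # also gets no implicit WRITE_DAC from ownership. SetAccessRule replaces any
    # earlier explicit ACE for the same SID, which keeps re-runs idempotent.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl

    return $path
}

# Usage (placeholders): provision one folder and show the resulting DACL.
$created = New-UserFolder -UsersRoot '\\Server\Share\Users' -UserName 'DOMAIN\user1'
icacls $created
```

On where this runs: the point of the option is that the interactive user's token never touches the Users root, so do not "fix" the logon script by embedding the provisioning account's password in it; a logon script executes on the client under the user's context and its contents are readable by that user. Run the function server-side instead, for example from a scheduled task or an event-triggered job that reacts to the logon, with the provisioning account as the task principal.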

