Folder access question

Pierre-A · 2025-06-26T11:26:31.322Z

hello
i have a folder that some users have access to and for some reason
one user said she can get in the folder but the childs folders inside she cannot get into some
i check the rights and she seems to have access to but not sure why
should i tick the option to replace child all child… ?

Thanks
it was not well made before they didn’t use groups so it’s a mess now
Thanks

Rod-IT · 2025-06-26T11:47:19.679Z

Apply to child objects will work, but maybe this by design, perhaps the user needs to be in another group to access specific child folders.

Pierre-A · 2025-06-26T11:59:40.062Z

Hello Rod
there is no groups created and the old IT mess UP and give granular rights instead of groups
i will check with her what folders she can’t get in
if i see that she have access but cannot get in it mean maybe a shared or else ?
Thanks

Rod-IT · 2025-06-26T12:24:23.087Z

You can either give her rights at each subfolder, or if everyone needs the same access, grant rights at the top and tick, propagate to all child objects.

If you plan to do the latter though, setup a group, add users to it and add it to the folder before you do this, once done you can then remove individual users.

Pierre-A · 2025-06-26T12:28:29.132Z

ok
i will think about it
Thanks alot

Pierre-A · 2025-06-26T12:42:44.947Z

if i create a group and give access to the group should i tick the option propagate to all child objects.

and then add the user into the group ?
Thanks

Rod-IT · 2025-06-26T12:44:37.579Z

If they all have the same permissions, then yes, that makes sense.

You can add the users to the AD group before adding it to the folder.

The fact they are in a group and manual wont make any difference unless one is set to block. Block wins.

it-monkey-mike · 2025-06-26T12:46:03.626Z

Pierre A:

there is no groups created and the old IT mess UP and give granular rights instead of groups

Rod-IT:

You can either give her rights at each subfolder, or if everyone needs the same access, grant rights at the top and tick, propagate to all child objects.

If you plan to do the latter though, setup a group, add users to it and add it to the folder before you do this, once done you can then remove individual users.

@Rod-IT’s comment and suggestion is the right way to go. If you want to “fix” the folder/share permissions so that you are doing permissions by group instead of individual user, now is the time to start.

Also, make sure you check file system permissions (ie: NTFS) as well as sharing permissions. Since the permissions are granular, it could be that the user wasn’t properly given permissions to every child object in either the file system or sharing permissions.

Rod-IT · 2025-06-26T12:48:38.701Z

Good point @it-monkey-mike

Permissions on the ‘share’ can be set to authenticated users, full control. From here nothing else needs to be done.

Security is where you set granular permissions.

So many people leave the share as ‘everyone’ and misunderstand it’s purpose, it means, literally, everyone, including non-domain joined, non authenticated users and devices. Don’t do this.

Pierre-A · 2025-06-26T12:56:27.857Z

Hello
even the shared was set to granular users

Thanks

CharlesHTN · 2025-06-26T13:06:14.129Z

Rod-IT:

Permissions on the ‘share’ can be set to authenticated users, full control. From here nothing else needs to be done.

Slight disagreement here…Give users “CHANGE” permissions, NOT “Full Control”. Full control allows you to grant permissions to others (or take permissions away from others). CHANGE gives them everything they need, but does not allow them to set permissions. (Full Control on NTFS is likewise NEVER needed for general user groups for the same reason.)

I setup general access shares with “Domain Admins” having Full Control and “Domain Users” having Change rights. Then I get more granular with the NTFS permissions. If a share is specific to a certain department, then, instead of “Domain Users” getting Change rights, I assign “Department X Users” Change rights.

CharlesHTN · 2025-06-26T13:15:32.782Z

Assigning permissions to individual users quickly becomes a nightmare, and, eventually some boss is gonna tell you to “Give Julie access to everything Spencer has access to”, which will be next to impossible with granular NTFS assignments, as you’ll have to hunt for Spencer EVERYWHERE.

Even if just ONE person needs something, setup a group. Assign permissions to that group, put that user in that group. Then, all you need to do is put Julie in the group Spencer is in, and she’ll automagically have access to everything he has access to.

It’ll only get worse with time. Document what you have and begin making logical transitions. You can NEST groups, which is SUPER helpful. For instance, I support a police department. They have regular officers, supervisors, detectives, captains, a chief, and office staff. Each of those categories has a group, and there is also a group encompassing EVERYONE in the department. That group, however, is made up only of the other groups, not individuals (otherwise, they have to be added/removed from multiple groups). This makes management MUCH easier, and those groups can be made Mail Enabled if you use Exchange or Office 365, so this also gives us granular distribution groups.

Rod-IT · 2025-06-26T13:19:06.718Z

CharlesHTN:

Slight disagreement here…Give users “CHANGE” permissions, NOT “Full Control”. Full control allows you to grant permissions to others (or take permissions away from others).

Under security it does, but not on the share itself. To grant rights for other users, someone would need full control under the security tab.

Giving full control under the share doesn’t give rights to grant others access.

Pierre-A · 2025-06-26T13:25:55.006Z

i check one folder and i was unable to see who have rights to it
it tell me this : Unable to display current owner. if i set my self as the owner i can only see me after nothing else

i use my domain admin account on the server to do so

Thanks

it-monkey-mike · 2025-06-26T13:27:27.976Z

CharlesHTN:

You can NEST groups, which is SUPER helpful. … Each [department] has a group, and there is also a group encompassing EVERYONE in the [organization]. That group, however, is made up only of the other groups, not individuals (otherwise, they have to be added/removed from multiple groups). This makes management MUCH easier, and those groups can be made Mail Enabled if you use Exchange or Office 365, so this also gives us granular distribution groups.

This is what we do. it makes managing user turnover a lot easier. “Oh, new hire Julie is replacing Spencer?” No big deal. We go into AD, copy Spencer’s AD user object, set anything in the new object that is unique to Julie, and then move on to the next task of onboarding a new hire. No need to worry about any network permissions or email groups; everything is pre-set because of security & distribution AD group settings.

Pierre-A · 2025-06-26T13:33:32.794Z

i create a group give the group acces to a folder and when it apply the rights i get this

image362×167 5.3 KB

how can i bypass this ?
Thanks

CharlesHTN · 2025-06-26T13:38:59.204Z

Pierre A:

i create a group give the group acces to a folder and when it apply the rights i get this

That tells me that YOUR user account does not have permissions to some objects in that folder. Taking ownership of the folder and it’s subfolders is probably your easiest fix.

I would recommend being sure you’ve got a good backup before you start making bulk changes, just in case.

Pierre-A · 2025-06-26T13:41:13.076Z

and i use my domain admin account
maybe the other IT block me on some folder in particular HR Folder

Thanks

Pierre-A · 2025-06-26T13:56:11.684Z

on one other folder i see the owner is Administrators
should i tick the box

image763×145 3.07 KB

also only me and the new hr need access to the folder and all sub folder and files the other persons that was having access they are gone

Thanks

Rod-IT · 2025-06-26T14:55:29.721Z

Set the owner to ‘administrators’ the local device group, this includes all local and domain admins.

You then need to replace all child object permissions (this changes the owner on all files and sub-folders).