I'm in the middle of a data migration and we're facing a tight deadline to secure the source folders before handing them over to the team handling the actual data copy. To do this, we need to apply Deny/Full Control permissions to an Active Directory group at the source folder level. Our current plan is to apply this Deny permission to the top-level folder, which does help block access to the folders beneath it. However, users might still access subfolders or files directly, which is a risk we want to avoid. The best solution we've come up with is to block the top level and notify the migration team, then start a second, recursive job to cover all subfolders and files, but it's not ideal. I'm looking for expert advice on using icacls to handle this more efficiently!
1 Answer
If you have to deal with a single share and the permissions need to apply across the board, I'd recommend adding the group to the share permissions (not just NTFS) with a DENY setting. This could simplify restricting access without needing to tweak every individual folder.
Right, we're using your method for the shared folders, but most of our issues are with subfolders that aren't explicitly shared.