About Permissions in Active Directory

In cases where a staff or faculty member, or a student worker, inside a department needs access to files and folders located on the I: Drive or another network share, there are several options available for setting or limiting permissions and actions. Shared folder permissions restrict access to a folder or file that is shared over the network; folder sharing is normally used to grant remote users access to files and folders over the network. The nature of the work performed by the staff or faculty member or student worker determines what security permissions you should set for them inside Active Directory.

DO NOT REMOVE ANY PERMISSIONS FROM DOMAIN ADMINS OR ADMINISTRATORS. DOING THIS IS AGAINST NETWORK POLICY AND MAY MAKE IT DIFFICULT TO RECOVER YOUR FILES IN THE EVENT OF DATA LOSS.


Permission Settings
Active Directory offers several security options that restrict or allow enabled users to change, modify or otherwise manipulate data stored inside Active Directory (AD) folders. The options are:

  • Full Control allows users complete freedom inside this folder in AD. It permits them to read, write and execute files, and to move, copy and delete files and subfolders. Very few users should have Full Control as their security option. This is the only option that allows changing the permissions on the folder being accessed.
  • Modify permits users to read, write, execute (run nested programs or files with macros) and delete files and subfolders.
  • Read & Execute lets users see files and folders and run nested programs or macros (within an Excel document or Access database, for example), but they cannot modify them.
  • List Folder Contents allows viewing and listing files and subfolders, as well as executing files. Users can also see the permissions and attributes set on each folder.
  • Read simply allows users to see and access files and folders. It does not allow any modification, movement or deletion of those files or folders.


How Inheritance Works

Inheritance is how security is structured in Active Directory folders: subfolders 'inherit' the permission sets of their 'parents'. Thus if the I: Drive root folder 'ctas' (for example) allows members of the group 'Everyone' to see, but not write to, the folders within it, every folder inside 'ctas' would also restrict members of 'Everyone' to read-only access.

An important aspect of permission inheritance is that permissions are cumulative. If a person is a member of two groups that are both granted access to a single folder (e.g. 'Everyone' and 'Faculty'), and 'Everyone' has only Read and List Folder Contents while 'Faculty' has Modify and Read & Execute, that user will have all four. If an individual user has Full Control, they have all rights to the folder regardless of what groups they may also belong to.

For most departmental folders, the inherited permissions are already tailored to members of that department. However, if you want to work within the J: Drive, or simply want a department folder to have more specific restrictions, you can 'break the inheritance' and manage the folder's permissions as an individual entity.
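The cumulative rule from the previous section, and the break-inheritance step from this one, can be checked without touching a live folder. The PowerShell below is an added example, not part of the original page or the department's own scripts. It builds a constructed set of access control entries in memory using the real .NET file-system ACL types, then computes a user's effective rights as the union of every Allow entry matching the user or one of their groups, minus any matching Deny entry (Deny entries are not mentioned above; they are included here because a Deny on a group the user belongs to is the usual reason a "cumulative" result comes out smaller than expected). The domain name CONTOSO, the groups Faculty and Contractors, and the accounts asmith, jdoe and bwong are made-up placeholders.

```powershell
# Added example (not from the original page). Everything here is in memory: no folder on
# the I: Drive is read or changed, and the CONTOSO principals below are constructed names.

$InheritToChildren   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoPropagationChange = [System.Security.AccessControl.PropagationFlags]::None

# Build one access control entry (ACE) that applies to the folder and everything under it.
function New-FolderAce {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$FsRights,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $FsRights, $InheritToChildren, $NoPropagationChange, $Type
}

# Cumulative 'Allow' over every ACE naming the user or one of the user's groups, minus any
# matching 'Deny'. This is the simple union the text describes. Windows itself evaluates ACEs
# in canonical order (explicit entries before inherited ones), so an explicit Allow on a folder
# can override a Deny inherited from its parent; this model does not attempt that refinement.
function Get-EffectiveRights {
    param(
        [System.Security.AccessControl.FileSystemAccessRule[]]$Aces,
        [string[]]$Principals   # the user's own account plus every group it belongs to
    )
    $allowed = 0
    $denied  = 0
    foreach ($ace in $Aces) {
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.AccessControlType -eq 'Allow') {
            $allowed = $allowed -bor [int]$ace.FileSystemRights
        } else {
            $denied = $denied -bor [int]$ace.FileSystemRights
        }
    }
    [System.Security.AccessControl.FileSystemRights]($allowed -band (-bnot $denied))
}

# The named levels from the permission list, as the rights masks Windows stores for them.
# 'List Folder Contents' uses the same bits as 'Read & Execute' but is applied to the folder
# and its subfolders only (ContainerInherit without ObjectInherit), so it is not a separate mask.
$NamedLevels = [ordered]@{
    'Full Control'   = [System.Security.AccessControl.FileSystemRights]::FullControl
    'Modify'         = [System.Security.AccessControl.FileSystemRights]::Modify
    'Read & Execute' = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    'Read'           = [System.Security.AccessControl.FileSystemRights]::Read
}

# Report which named levels a rights mask fully satisfies (every bit of the level is present).
function Get-NamedLevels {
    param([System.Security.AccessControl.FileSystemRights]$Effective)
    foreach ($name in $NamedLevels.Keys) {
        $mask = [int]$NamedLevels[$name]
        if (([int]$Effective -band $mask) -eq $mask) { $name }
    }
}

# Constructed ACL for a hypothetical departmental folder, mirroring the example in the text:
# 'Everyone' is read-only, 'Faculty' can modify, one individual has Full Control, and a
# 'Contractors' group is explicitly denied Delete.
$folderAces = @(
    (New-FolderAce -Identity 'Everyone'            -FsRights 'Read, ListDirectory'),
    (New-FolderAce -Identity 'CONTOSO\Faculty'     -FsRights 'Modify, ReadAndExecute'),
    (New-FolderAce -Identity 'CONTOSO\jdoe'        -FsRights 'FullControl'),
    (New-FolderAce -Identity 'CONTOSO\Contractors' -FsRights 'Delete' -Type 'Deny')
)

$users = [ordered]@{
    'asmith (Everyone + Faculty)'               = @('CONTOSO\asmith', 'Everyone', 'CONTOSO\Faculty')
    'bwong  (Everyone + Faculty + Contractors)' = @('CONTOSO\bwong',  'Everyone', 'CONTOSO\Faculty', 'CONTOSO\Contractors')
    'jdoe   (Everyone, plus individual ACE)'    = @('CONTOSO\jdoe',   'Everyone')
}

foreach ($label in $users.Keys) {
    $effective = Get-EffectiveRights -Aces $folderAces -Principals $users[$label]
    $levels    = (Get-NamedLevels -Effective $effective) -join ', '
    "{0,-45} -> {1}  [{2}]" -f $label, $effective, $levels
}
# asmith accumulates to Modify; bwong loses only the Delete bit, so Modify no longer holds
# while Read & Execute and Read still do; jdoe has FullControl regardless of group membership.

# Breaking inheritance, as described above, is a property of the folder's security descriptor.
# Shown on an empty in-memory descriptor so nothing real is changed. The second argument ($true)
# keeps the currently inherited entries as explicit ones on the folder, which is what preserves
# the existing Domain Admins / Administrators access when the link to the parent is cut.
$descriptor = New-Object -TypeName System.Security.AccessControl.DirectorySecurity
$descriptor.SetAccessRuleProtection($true, $true)
"Inheritance blocked: $($descriptor.AreAccessRulesProtected)"
```

To run the same check against a real folder, replace the constructed `$folderAces` with `(Get-Acl 'I:\ctas\SomeFolder').Access`, which returns the same FileSystemAccessRule objects; each entry's `IsInherited` property tells you whether it came from the parent or was set on the folder itself. The live equivalent of the last step is `Get-Acl` on the path, `SetAccessRuleProtection($true, $true)` on the result, then `Set-Acl` to write it back; keep the second argument `$true` so the administrative entries the policy above requires are carried over rather than dropped.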


How to Adjust Permissions

For steps on how to adjust the permissions, click here.