confidential

Here’s a procedure for people working in a very small business that don’t want to call me for every routine task.

Very small businesses frequently have a single folder for all company or firm files. It’s almost always mapped to a drive letter, so everyone stores all work files in the “N:” drive or the “P:” drive. Everyone has full permission to add, edit, and delete files and folders in the COMPANY or FIRMDOCS folder. There are subfolders for each client or project, so things get a little cluttered and messy after a while, but it works well enough that there is seldom any pressure to move to expensive document management programs or Sharepoint services or the like.

When the company or law firm grows bigger – 15 or 20 employees, say – things get more complicated. There are more servers, more places to store files, less tolerance for mistakes (“Oops! I accidentally deleted the folder with all the files for the Gotham City project”). Employees in bigger companies come to understand the language of network shares and are able to find their way to \\appserver\hr\employees\discipline and \\sbsserver\engineering\electrolytes instead of always looking for the N: drive.

Folders don’t have to be open to everyone. Bigger companies lock folders down routinely and grant access only to members of security groups defined on the servers: the Engineering group can access the engineering folders but not the HR folders. When new employees are hired, they are added to the appropriate groups and get access to folders based on their group membership.

Very small businesses don’t have groups. They have Jane. Jane has always been there. Changes happen infrequently and usually involve a single employee at a time. The businesses don’t want to pay me to create a bunch of security groups when we can accomplish things really fast by acting as if Jane will always be there.

Eventually someone wants a confidential folder. (Typically the business owners want a place for files about personnel matters.) The most convenient place to put it is in the Company folder.

Let’s do these steps while we’re logged onto the server with the Administrator account. That’s not strictly necessary but it’s the easiest to understand. (These screen shots are done on a server running Windows Server 2008 but the process is similar on Windows Server 2003 and can even turn up on Windows 7/Vista/XP desktops with shared folders.)

So let’s see how we restrict access to a new Confidential Files folder next to the shared Client Files folders.

permissions1

Permissions are set by right-clicking the Confidential Files folder and clicking on Properties. On the Security tab, you can see that “Domain Users” and “Users” each have full control.

permissions2 

Brimming with confidence, you click on the tempting button that says “To change permissions, click Edit.” On the next screen, you highlight “Domain Users” and click on “Remove.”

Ha! You can’t do that. You’ll get this message explaining that you can’t make changes to permissions because the subfolder is being governed by the permissions on the parent, the overall settings for the shared Company folder.

permissions3

Try this. Back in the Properties window, click on the Advanced button.

permissions4

You’ll be in a window for “Advanced Security Settings,” with a tab for Permissions. Click on the Edit button.

The next window is also called “Advanced Security Settings,” and it has the checkbox we need. Uncheck the box to “include inheritable permissions from this object’s parent.”

permissions5

A window will come up explaining that parent permissions will no longer be automatically applied. Click “Copy”.

permissions6

Now you’re free to make changes to the permissions on the folder – you can remove “domain users” and add individuals or groups with authority over the folder.

Before you leave the “Advanced Security Settings” window, check the box to “replace all existing inheritable permissions on all descendants with inheritable permissions from this object.” If your confidential folder already includes subfolders and files, the checkbox will make sure that the new permissions attach to all of them.

Someone should keep records of these changes! I can’t insist that all my clients call me when work like this is done but it only works on a very small scale. It can quickly become very difficult to discover all the custom settings or make changes if Jane finally leaves.

Fortunately, the people who might try this in my clients’ offices are all extremely bright and do meticulous recordkeeping, as well as being extraordinarily good looking, so I’m not worried about them. It’s everyone else who should be careful. These screen shots were done on a test track by highly trained professionals. Please do not try them at home without adult supervision!

Share This