Is it possible to set Advanced Permissions using FD?
We want to do the following:
Share = groups$
Folder = \\server\groups$\group
Rights (as we do it with icacls) = (OI) (CI) (RD,WD,AD,REA,X,DC,RA,WA,RC,WDAC)
moldin - apologies for the late response.
This is an interesting request, and the answer isn't actually straightforward. Currently this is not possible for user home folders. However, this can be done using Collaborative Storage and its dynamic templating system. That applies only to group storage—but your question sort of suggests that is what you're asking about. Could you please clarify whether this is for user home folders, or for some sort of shared storage scenario?
Essentially, any NTFS ACEs for the -group-, -member-, or -owner- security principals used in dynamic storage templates are translated to that group. So in your case, you'd want to make sure your template includes a -group- entry in the NTFS permissions at the root of the template (since that will be applied to the root of each collaborative storage group's home folder.) That ACE should set all of those advanced NTFS permissions for each provisioned collaborative storage group on the group's collaborative storage folder.
Note that you can use the "Apply Template" and "Apply Members" collaborative storage management actions to copy the template to existing collaborative storage groups' folders and process the template, respectively.
As for advanced NTFS permissions for user home folders: Would you mind if I asked for more details on your specific use case? Typically, permissions on home folders are fairly broadly defined (even in cases where actual ownership of the home folder itself is restricted.) Every user story is always of interest—and especially if there's a 'live' user story about real unmet needs in an existing environment.
Thank you, for the answer. I'll try it out.
As for your question about home folders:
We need to set object inherit (OI) and container inherit (CI) on home folders because inheritance is blocked on parent folder to prevent users from looking at each others folders.