NTFS ca be a bit finicky when choosing how to come about such a request, because there are several ways to do it
In addition some naming conventions are a bit misleading.
Anyway, here’s how I think it works best:
1. Create your folder structure and share the root folder
2. Create a AD security group for the users to restrict
3. Give this group full control on “files only” at the root level
4. Add this group a second time and configure “This folder, subfolders and files” the following special permissions:
-Traverse folder / excecute file
-List folder /read data
-Read attributes
-Read extended attributes
-Create files / write data
-Create folders / append data
-Read permissions
5. Add this group a third time and Set type “Deny” apply to “this folder subfolders and files”, and select the advanced permission “Delete subfolders and files”
This last step is a little counter-intuitive, because the wording is “subfolders and FILES” but this does the trick keeping the folder structure intact while allowing users to modify the file contents.
Keep in mind that we are here using a deny rule, which in the NTFS world allways takes precedence. As a main rule we dont use deny but rather ‘don’t allow’ to prevent corruption and chaos but in this example we are denying for folders only.
