Assign Permissions to Files and Folders through Group Policy

Audit changes made to Files and Folders with Lepide File Server Auditor
Or Deploy With Our Virtual Appliance
7 min read | Updated On - May 15, 2023
In This Article

In today’s interconnected world, where data is the lifeblood of organizations, safeguarding sensitive information is of paramount importance. Ensuring that the right individuals have access to the right resources, while protecting them from unauthorized access, is a critical aspect of data security. This is where Group Policy comes into play, offering a powerful and efficient solution to manage permissions for files and folders within a networked environment.

Group Policy is a feature in Microsoft Windows that allows administrators to define and enforce security settings, configurations, and restrictions across a network. With Group Policy, administrators can centralize and streamline the process of assigning permissions to files and folders, ensuring consistency and minimizing security vulnerabilities.

Assigning permissions through Group Policy offers several advantages. Firstly, it enables administrators to set permissions based on user roles or groups, rather than individually assigning permissions to each user. This simplifies the management process and reduces the chances of errors or omissions. Secondly, Group Policy allows for the efficient propagation of permission changes across multiple systems, ensuring uniform access control throughout the network. This not only saves time but also enhances security by minimizing the risk of misconfigurations.

In this article, we will explore the step-by-step process of assigning permissions to files and folders through Group Policy. Additionally, we will also go through how you might use Lepide Auditor to audit permission changes and to analyze NTFS permissions so that you can maintain appropriate access control.

Steps to Set Files and Folders Permissions using GPO

  1. Go to “Start Menu” -> “Administrative Tools”, and click “Group Policy Management” to access its console.
  2. In left panel of “Group Policy Management Console”, you have to create a new Group Policy Object or edit an existing Group Policy Object.
  3. To create a new GPO, right click “Group Policy Objects”, and select “New” from the context menu. It shows “New GPO” window.
    Figure 1: Creating a new GPO
  4. Enter a name for the Group Policy Object (GPO) (in this case it is Assigning Folder Permissions), leave “Source Starter GPO” as “(none)”.
  5. Right-click on the newly created “User Folder Permissions” GPO, and select “Edit GPO”. Group Policy Management Editor window appears on the screen
  6. Navigate to “Computer Configuration” -> “Policies” -> “Windows Settings” -> “Security Settings” -> “File System”
    Figure 2: Navigate to File System
  7. Right-click on “File System” in the left pane and select “Add File…” It shows the following dialog box.
    Figure 3: Select file or folder which you want to assign permissions on
  8. Browse the folder or file that you wish to assign permissions on, and left click to select it. Click “OK”.
  9. “Database Security” window appears on the screen
    Figure 4: Database security window
  10. Click “Advanced” button to access “Advanced Security Settings” window. Stay on the “Permissions” tab that appears by default.
    Figure 5: Advanced security settings window
  11. On this tab, either select an existing user and click “Edit…” or click “Add…” to add a new user to the permissions.
  12. “Permissions Entry for…” dialog box opens up. Here, you will see that there is a list of permissions available for your users, and you can also choose where you want to apply those permissions.
    Figure 6: Permissions entry folders
  13. Use the drop-down menu in the “Apply to” field to assign selected permissions to desired folders.
  14. Check the permissions as needed. These are self-explanatory.
  15. Click “OK” to apply the permissions. It takes you back to “Advanced Security” window.
  16. Now, move to the “Auditing” tab. Under this tab, you can do audit settings for the folder, so that any change done to this folder or its permission will be audited. Configure the auditing settings as per requirement.
  17. Similarly, you can do ownership settings for the folder under “Owner” tab.
  18. Once you have done “Permission”, “Auditing” and “Ownership” settings, click “OK” to close “Advanced Security…” window.
  19. Click “OK” to close “Database Security…” window. Next, you will see “Add Object” window.
    Figure 7: Add object window
  20. There are following options on the “Add Object” window:
    1. Configure this file or folder then: Select this option to apply the settings. It contains the following two options.
      1. Propagate inheritable permissions to all subfolders and files: Selecting this option means, all the subfolders and files will inherit permissions from the parent folder. In case of a mismatch or conflict, explicit permissions that were assigned to the subfolders or files will override the inherited permissions.
      2. Replace existing permissions on all subfolders and files with inheritable permissions: This option will overwrite all the settings on all subfolders and files with the ones on the parent, so ultimately they will have identical permissions to the parent folder.
    2. Do not allow permissions on this file or folder to be replaced: Use this setting for subfolders and files that you do not want to inherit permissions. For this, make an additional entry for those subfolders and files that will not inherit permissions e.g. let’s say you want the “A” folder to inherit permission but don’t want “B” folder to inherit permissions, in that case create an entry for the “B” folder.

    NOTE: In this case, option “a” has been selected. Click “OK” to close the “Add Object” window.

  21. Close “Group Policy Management Editor” window.
  22. Right-click the domain you want to apply this GPO to, and then select “Link an Existing GPO…” option from the context menu. “Select GPO” window opens up.
    Figure 8: Select the new GPO
  23. Select the new “Assigning Folder Permissions” GPO, then click OK.
  24. In the right pane, stay on the “Linked Group Policy Objects” tab that appears by default.
  25. Right-click on the “Assigning Folder Permissions”, and select “Enforced” from the context menu. A confirmation message appears on the screen.
  26. Click “OK” to close the dialog box.

How to Analyze File and Folder Permissions Using Lepide File Server Auditor

With the Lepide File Server Auditor, you can now effortlessly conduct a comprehensive analysis of your file servers’ permission structure.

Our powerful tool goes beyond a mere examination of applied NTFS and Share Permissions. It compares these permissions to determine the current effective access rights on any selected file or folder. The results are displayed in a clear and intuitive format, revealing not only the precise permissions but also the scope of their application.

Permissions by users

By identifying the precise folder level where permission inheritance is broken, Lepide enables you to trace the origin of each permission. Furthermore, it categorizes permissions as direct, indirect, or inherited, providing valuable insights into how they are granted and propagated throughout your network.

Lepide also equips you with a range of customizable reports, allowing you to filter, sort, save, and delve deeper into the 13 possible permission types. With this level of granular control, you can easily investigate any potential security gaps and take prompt corrective actions

With our advanced File Server auditing software, you can effortlessly delve into the historical permissions of your files and folders, gaining invaluable insights into their access rights over time.

Figure 9: All modifications in a file server

By simply selecting a file or folder, you can access a comprehensive list of all historical permissions associated with it. This empowers administrators to track and monitor any changes made to permissions, ensuring transparency and accountability within their network infrastructure.

Lepide also enables you to compare permissions between two specified time intervals. This allows you to pinpoint any modifications or discrepancies, facilitating effective troubleshooting and audit trails.

To ensure easy access and documentation, our software offers the flexibility to save separate reports for both “Permission History” and “Compare Permission.” Choose from popular formats such as PDF, MHT, or CSV, and securely store these reports on your preferred disk location.

In addition to providing a comprehensive overview of permission changes, our software also highlights the scope of these modifications. This allows you to understand the extent of each permission change and its potential impact on your file system.


In this article, you have seen the way to assign files and folders permissions through GPO. You have also seen the auditing of changes made to files and folders using Lepide File Server Auditor. The solution has pre-defined file and folders modification and permission modification reports that make enterprises safe and compliance-ready.

Check out our Lepide File Server Auditor
Or Deploy With Our Virtual Appliance
Learn More

Audit changes made to Files and Folders with Lepide File Server Auditor

Or Deploy With Our Virtual Appliance
Learn More