Needing to set some very specific NTFS rights, I am posting this as much to remind myself how I did it, as for any other purpose. Just in case it could help someone else here’s the lowdown.
There is a file share that a group of users needs to be able to browse, so that they can see the subdirectories in the entire tree, but NOT open any of the files without being granted specific, additional access. Using the xcacls.vbs script from Microsoft, running this on the hosting server and referencing the physical mount path instead of the share, the following command will add READ and List Folder Contents to the directory, and subdirectories. It will not modify any other ACL, and it will not grant any rights to any file.
cscript xcacls.vbs "driveletter:\path" /E /P "domain\groupname":X /SPEC C
I know, it is a unique requirement, but I’ll have to do it again, so I may as well remember it here! More on how to use xcacls.vbs can be found here (KB825751.)
You might also enjoy:
