We have a document management system on a Windows Server 2019 system (NTFS filesystem) that holds many PDF documents. The DM is organized by subject (customer name, vendor name, etc.) with sub-folders for each individual year as in the following example:
\\SRV-DOCUMENTS\DM\Vendors\Contoso:
2019
2020
2021
New documents are added to the current year sub-folders. Previous year sub-folders are historical and should never change again. All folders and files are currently owned by the domain administrator.
All folders must allow read for all users. Other than that, we want to lock down the permissions such that only one specific domain account can add new files to only current year sub-folders and no one other than domain administrator (the owner) can modify previous year sub-folders in any way. We want the previous year sub-folders to be unchangeable except by domain administrator.
It would be nice if we could develop permissions to apply at the parent folder level (DM in this example) that would be inherited by all sub-folders. That would provide everyone read access, the one specific domain account permission to add new files and make the domain administrator the only account capable of modifying anything. Then, I would go back and add the more restrictive permission (denying that one specific user the ability to add new files) to each of the previous years folders.
Going forward, at the beginning of each new year I would build the new year sub-folders and then add the more restrictive permission to the previous year sub-folders.
I think this can be done using ICACLS, but I am not clear as to which permissions to grant and which to deny for which users. Also, I would appreciate a recursive command example that targets all sub-folders named with a given year. For example, a recursive command that targets all sub-folders named exactly "2019". Does anyone have any suggestions?
Thanks in advance!
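An added example (not code from the original post or from any answer) showing one way to build the ACL layout described above with icacls from PowerShell, run as the domain administrator. The share path, the "Domain Admins", "Domain Users" and ingest account names are placeholders, and the rollover function goes slightly beyond the question by creating the new year folder under every subject before locking the previous one.

```powershell
# Constructed placeholder values: replace with the real share path and principals.
$Root    = '\\SRV-DOCUMENTS\DM'
$Admins  = 'CONTOSO\Domain Admins'     # the owner; the only principal allowed to modify anything
$Readers = 'CONTOSO\Domain Users'      # everyone: read and traverse only
$Adder   = 'CONTOSO\svc-dm-ingest'     # the one account allowed to add new files

function Invoke-Icacls {
    # Run icacls and fail loudly: a half-applied ACL change must never pass silently.
    param([string[]]$IcaclsArgs)
    & icacls.exe @IcaclsArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed ($LASTEXITCODE): $($IcaclsArgs -join ' ')" }
}

function Set-DmBaseline {
    # Explicit ACEs on the root only; every subject and year folder inherits them.
    Invoke-Icacls @($Root, '/grant:r', "${Admins}:(OI)(CI)F")    # explicit first, so the next step cannot lock us out
    Invoke-Icacls @($Root, '/inheritance:r')                    # drop ACEs inherited from the share's parent folder
    Invoke-Icacls @($Root, '/grant:r', "${Readers}:(OI)(CI)RX")  # read + execute/traverse, no write, no delete
    # (CI) only: the ACE lands on folders, and WD on a folder is FILE_ADD_FILE. No modify/delete rights.
    # Caveat: an app that re-opens a file for writing after creating it would need more than this.
    Invoke-Icacls @($Root, '/grant:r', "${Adder}:(CI)(WD)")
    # Reset every existing subfolder/file to inherit from the root, discarding stray explicit ACEs.
    Get-ChildItem -Path $Root -Force |
        ForEach-Object { Invoke-Icacls @($_.FullName, '/reset', '/T', '/C', '/Q') }
}

function Protect-YearFolders {
    # Deny the adder on every folder named exactly $Year (e.g. "2019") anywhere under the tree.
    # An explicit deny is evaluated before the inherited allow, so the root grant no longer applies there.
    param([string]$Year)
    Get-ChildItem -Path $Root -Recurse -Directory -Filter $Year |
        Where-Object { $_.Name -eq $Year } |           # -Filter accepts wildcards; force an exact match
        ForEach-Object {
            Invoke-Icacls @($_.FullName, '/deny', "${Adder}:(CI)(WD,AD)")
            $_.FullName                                 # emit the folders that were locked, for the change record
        }
}

function Start-DmYear {
    # Yearly rollover: create the new year folder beside last year's (it inherits the root ACEs),
    # then lock last year's folders with the explicit deny.
    param([int]$NewYear)
    $Prev = [string]($NewYear - 1)
    Get-ChildItem -Path $Root -Recurse -Directory -Filter $Prev |
        Where-Object { $_.Name -eq $Prev } |
        ForEach-Object { New-Item -ItemType Directory -Path (Join-Path $_.Parent.FullName $NewYear) -Force | Out-Null }
    Protect-YearFolders -Year $Prev
}

Set-DmBaseline
'2019', '2020' | ForEach-Object { Protect-YearFolders -Year $_ }   # historical years
Start-DmYear -NewYear 2022                                          # later: opens 2022, locks 2021
```

Verify a folder afterwards with `icacls \\SRV-DOCUMENTS\DM\Vendors\Contoso\2019`: the adder should show an explicit `(DENY)(CI)(WD,AD)` above the inherited `(I)(CI)(WD)` allow.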