Easy Windows NTFS permissions

windows Powershell

First create share and give "Everyone" full access. You will be able to limit the access using NTFS permisions more granually.

Using Admin Powershell we can set permissions easily:

################################### Access backup and restore ########################
icacls c:\share\* /save AclFile /T
 - Will save the ACLs for all files under c:\share and its subdirectories to AclFile.

icacls c:\share\ /restore AclFile
 - Will restore the Acls for every file within AclFile that exists in c:\share and its subdirectories.

######################### Permissions for folders: ###################################
# Set the root folder path where you need the permissions to be applied for group
$rootFolder = "C:\share\folder1\folder2"

# Folders in share before the folder you need access, so we can traverse them.
$folderPath1 = "C:\share"
$folderPath2 = "C:\share\folder1"

# Define domain groups "domain\group"
$modifyGroup = "Haku.local\C_Folder1_Folder2"
# If you do not need Read only access ignore the readonly commands
$readOnlyGroup = "Haku.local\C_Folder1_Folder2_RO"

###################### Applying the permissions #######################################
# Set Modify (Write) permissions for the Modify group on folder2
icacls $rootFolder /grant "${modifyGroup}:(OI)(CI)M" /T /C

# Set Read-only permissions for the Read-only group on folder2
icacls $rootFolder /grant "${readOnlyGroup}:(OI)(CI)RX" /T /C

# M: Modify (Write) permission
# R: Read permission
# RX: Read and execute ( needed for traversing folders if applied only to folder)
# (OI)(CI): Object Inherit and Container Inherit, respectively
# /T: Apply to all files and subdirectories
# /C: Continue on errors

# Use icacls to grant traverse permission to the specified domain group
# This applies the access only to the folder itself
icacls $folderPath2 /grant "${modifyGroup}:(RX)"
icacls $folderPath2 /grant "${readOnlyGroup}:(RX)"

# Repeat this for any folder closer to root drive so users can access the final folder
icacls $folderPath1 /grant "${modifyGroup}:(RX)"
icacls $folderPath1 /grant "${readOnlyGroup}:(RX)"

# Enable Access-Based Enumeration on the share, users will not see folders what they do not have access to
Set-SmbShare -Name ShareName -FolderEnumerationMode AccessBased -Force

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls

If you want to see correct comand for specific permisions, you can set them up using the security tab in folder/file properties and on Advanced tab.
Than when you apply it, you can use command "icacls C:\Share\folder1" where you put the path to folder/fileĀ  and it will give you the correct flags you need to set up: