In this screenshot you can see I have created several new users. We will focus on mary and bob. To create these new users we simply right-clicked on Users, selected New User, and gave each one a user name and a complex password. The reason for the complex password is that in a previous lab and page I demonstrated adding Password Complexity rules to the Windows machine.
In this first screenshot you can see I have created two new groups. These groups are Accounting and sales. To create these new groups we found Groups under Local Users and Groups in Computer Management. We right-clicked on the screen, selected create new group, gave them their names, and under the members section during creation we assigned one user to each group. mary went to Accounting and bob went to sales. In the second screenshot you can see the result of my assigning these users to the groups.
Before moving on any further I created 2 files on my C: Drive. I created one called Accounting and one called Sales. I created these in order to show how we can change permissions and privileges to these files while also using the Role Based Access Controls.
In this screenshot I attempted to edit the Accounting folder. By default it already has permissions on it. What is happening is that the folder is pulling permissions from something higher, which is the C: Drive itself, because the C: Drive has its own permissions.
In this screenshot I am disabling the inheritance of permissions from the C: Drive for the Accounting folder. Under Accounting Properties, under the Security tab, I clicked on Advanced to show advanced settings. After that I clicked on the Disable inheritance button, then clicked on the "Remove all inherited permissions from this object" button. This gives me a nice clean slate and I can then add myself back so I can administer it. Once clicked, I selected Apply.
This screenshot just shows that what I did previously worked. If I try to access the Accounting file it tells me I do not have permission to do this since I just got rid of the permission. Since I am the administrator on the admin account I am able to just click Continue and open the file.
In this screenshot it is just showing that I, the admin, am the only person that has full access. Next I will be clicking Edit and adding accounting to the Object names box because it is the group that will need access to the Accounting folder.
In this screenshot you can see the Accounting group has successfully been given access to this folder. Under Permissions I also gave them Modify control by clicking Allow and then the Apply button. I did this so that anyone in the Accounting group can add to that folder or delete from that folder, but they cannot change permissions on that folder. We do not want to give people too much permission, and we want to stick to the principle of least privilege.
In this screenshot it is showing I did the exact same steps for sales as I did for accounting. I removed the inherited permissions, gave the sales group permission to access the Sales folder, and gave them Modify permissions for the same reasons I gave accounting Modify permissions.
In this screenshot I also gave the Accounting group permissions for the Sales file. I only gave Accounting Read & Execute permissions: the ability to list folder contents and open any files that are in there. I did this because Accounting might need to see some Sales data in order to do their job, but they should not be able to change any of the files, again adhering to the principle of least privilege.
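The same setup can be scripted, which makes it repeatable and lets you check the resulting ACLs without clicking through each dialog. The PowerShell below is an added example, not part of the original lab. It assumes the folders are `C:\Accounting` and `C:\Sales`, uses `BUILTIN\Administrators` in place of the admin account that keeps Full control, and the function name `Set-RoleFolderAcl` is made up for this illustration.

```powershell
# Added example: scripted equivalent of the GUI steps. Run from an elevated PowerShell session.
# Assumed values (not from the lab): folder paths, BUILTIN\Administrators as the admin principal.

function Set-RoleFolderAcl {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [hashtable] $Grants   # identity -> FileSystemRights name
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    $acl = Get-Acl -LiteralPath $Path

    # "Disable inheritance" + "Remove all inherited permissions from this object":
    # $true = protect the ACL from inheritance, $false = do not keep copies of inherited entries.
    $acl.SetAccessRuleProtection($true, $false)

    foreach ($identity in $Grants.Keys) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $identity, $Grants[$identity],
            'ContainerInherit,ObjectInherit',   # applies to this folder, subfolders and files
            'None', 'Allow')
        $acl.SetAccessRule($rule)   # replaces any existing Allow entry for the same identity
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Users and groups from the lab: mary -> Accounting, bob -> sales.
foreach ($pair in @(@{User='mary'; Group='Accounting'}, @{User='bob'; Group='sales'})) {
    if (-not (Get-LocalUser -Name $pair.User -ErrorAction SilentlyContinue)) {
        $pw = Read-Host "Password for $($pair.User)" -AsSecureString   # must meet complexity rules
        New-LocalUser -Name $pair.User -Password $pw | Out-Null
    }
    if (-not (Get-LocalGroup -Name $pair.Group -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $pair.Group | Out-Null
    }
    Add-LocalGroupMember -Group $pair.Group -Member $pair.User -ErrorAction SilentlyContinue
}

$admins = 'BUILTIN\Administrators'
$acct   = "$env:COMPUTERNAME\Accounting"
$sales  = "$env:COMPUTERNAME\sales"
Set-RoleFolderAcl -Path 'C:\Accounting' -Grants @{ $admins = 'FullControl'; $acct = 'Modify' }
Set-RoleFolderAcl -Path 'C:\Sales' -Grants @{ $admins = 'FullControl'; $sales = 'Modify'; $acct = 'ReadAndExecute' }

# Verify: inheritance must be off and only the intended entries should remain.
foreach ($p in 'C:\Accounting', 'C:\Sales') {
    $a = Get-Acl -LiteralPath $p
    "{0}  inheritance disabled: {1}" -f $p, $a.AreAccessRulesProtected
    $a.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

Any entry in the verification output with `IsInherited` set to `True`, or any identity other than the ones granted above, means the folder is still picking up permissions from somewhere other than the role groups.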
Summary:
In this section I created two new users, two new files and two new groups. I assigned users to groups and then gave those groups permissions on the two files. Bob will be able to access everything in the Sales folder including creating and deleting files while not being able to access the Accounting folder. Mary on the other hand will be able to do anything she wants in the Accounting folder while also being able to see what is in the Sales folder.