Changing Windows permission non-recursively

You can actually just grant the user the appropriate permissions directly on the images folder without giving them any permissions on the parent folder. The "Bypass traverse checking" user right will allow the user to traverse a set of folders to which they have no permissions to get to a folder to which they do have permissions. Note that the user will have to explicitly access the path to the images folder as they won't be able to browse to it.

From the "Bypass traverse checking" user right explanation:

Bypass traverse checking

This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Default on workstations and servers:

Administrators, Backup Operators, Users, Everyone, Local Service, Network Service

Default on domain controllers:

Administrators, Authenticated Users, Everyone, Local Service, Network Service, Pre-Windows 2000 Compatible Access
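
As an added illustration (not part of the original answer), the following PowerShell grants access on the images folder only, then checks that the parent folder carries no ACE for the user and that the token holds the "Bypass traverse checking" right (`SeChangeNotifyPrivilege`). The paths, the account name and the choice of the Modify right are assumptions made for the example.

```powershell
# Hypothetical values for illustration; substitute your own.
$parent = 'D:\Sites\App'
$images = Join-Path $parent 'images'
$user   = 'CONTOSO\webuser'

# Add an Allow ACE for the user on the images folder only.
# The ACE is inherited by files and subfolders *below* images;
# the parent folder's ACL is never opened or written.
$acl  = Get-Acl -LiteralPath $images
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $user,
    'Modify',                            # assumed right; use the least that works
    'ContainerInherit,ObjectInherit',    # apply to subfolders and files
    'None',                              # default propagation
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $images -AclObject $acl

# Confirm the parent has no ACE naming the user directly.
# (Group memberships are not expanded here; check those separately.)
$onParent = (Get-Acl -LiteralPath $parent).Access |
    Where-Object { $_.IdentityReference.Value -eq $user }
if ($onParent) {
    Write-Warning "$user still has an ACE on $parent"
} else {
    Write-Output "$user has no direct ACE on $parent"
}

# Show the ACEs now present on the images folder for the user.
(Get-Acl -LiteralPath $images).Access |
    Where-Object { $_.IdentityReference.Value -eq $user } |
    Format-Table IdentityReference, FileSystemRights, IsInherited

# Run in a session started as the user: the privilege must be listed,
# otherwise traversal through the parent is denied.
whoami /priv | Select-String 'SeChangeNotifyPrivilege'

# Also as the user: the full path works, listing the parent does not.
Get-ChildItem -LiteralPath $images    # succeeds
Get-ChildItem -LiteralPath $parent    # access denied
```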


What you did is correct. The behavior you noticed (the process takes "forever" and every directory and file in the tree seems to be touched) is just the way the ACL APIs are implemented. The code probably does not check what was changed, so that it does not know that, in this specific case, it is not necessary to recurse down the tree.

joeqwerty's answer is correct, too. I would like to emphasize that end users may not be comfortable working with paths that can be accessed directly (specifying the full path) but not browsed (moving down the hierarchy in Explorer from the root directory down).