Simple restriction... what's wrong?

Posted on 2005-05-11
Last Modified: 2010-04-19

In NT4 I had 200 users' folders with simple restrictions working fine.

So now in W2003 Server I have folders like this


I want only 3 people to access the "reports" folder

So I right-clicked reports / Properties / Security.
I added these 3 guys, and the Administrators, as Full Control.
Clicked on accept and it's OK, but everyone still has access.

So again I right-clicked reports / Properties / Security.
I went to USERS, and clicked Deny on "Modify".
Clicked OK and then none of these 3 guys can access...

These 3 guys are part of the Users group,

but they have FULL ACCESS in the permissions sheet.

Why is that?

Thanks in advance.

Jeez, how I miss NT4.

Question by: HTorres
    LVL 95

    Expert Comment

    by: Lee W, MVP
    First, you should NEVER assign permissions to individual users.  If you (or someone else) accidentally delete them, or you have to add another user, it just gets messy.  Create a group for these users and put them in that group, then assign the group permissions to the folder.  

    When you assign "deny", deny takes priority over allow, so if a person is a member of a group being "denied" then it doesn't matter if they are also in a group with allow; they are denied because deny is more important to Windows.

    When you set security, did you set it so that things were applied to previously existing documents and folders?
    LVL 4

    Author Comment

    Thanks leew.

    The folder was created from barebones with these rights:
    Administrators: Full Control
    Users: Full Control

    That's it.


    So if Mark is part of Users and also part of Marketing, and Users has restrictions to modify... he cannot modify... even though he has full control in the other group?


    So I need to take Mark out of Users and that's it?

    That won't create other issues for me at login or something?


    LVL 4

    Author Comment

    Or should I put restrictions individually on every other user and not on the Users group?

    Which one will be messier/easier?

    LVL 4

    Author Comment

    I removed the guys from Users, and tried again with a brand new folder "reports", and when I set the restriction on the Users group, it blocks the 3 users again.

    What am I doing wrong?
    LVL 95

    Accepted Solution

    Don't Deny.  I rarely, if ever, use Deny.  If the user/group is not specifically granted permission, they won't have access.

    I assume the 3 users you want to have access are in fact the "marketing" group?  If so, create a global group in Active Directory called "Marketing" and put these users in that group.  

    Then, set the permissions on the folder so that:

    Domain Admins: Full Control
    Marketing: Full Control
    System: Full Control

    And that's it.  Make sure to apply the changes to all child objects.

    The Users/Domain Users group should not appear anywhere (for deny or allow) in the security box.
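The two rules from this thread (deny beats allow, and no grant means no access), as an added example that is not part of the original posts: a simplified Python model of the ordered ACE walk Windows performs during an access check. The six-flag rights model and the accounts `mark` and `bob` are assumptions constructed for illustration.

```python
from enum import IntFlag
from typing import NamedTuple

class Right(IntFlag):  # simplified stand-ins for NTFS access-mask bits
    READ = 1
    WRITE = 2
    EXECUTE = 4
    DELETE = 8
    CHANGE_PERMS = 16
    TAKE_OWNERSHIP = 32

# "Modify" contains Read, so Deny Modify also blocks opening the folder at all.
MODIFY = Right.READ | Right.WRITE | Right.EXECUTE | Right.DELETE
FULL = MODIFY | Right.CHANGE_PERMS | Right.TAKE_OWNERSHIP

class Ace(NamedTuple):
    kind: str      # "allow" or "deny"
    trustee: str   # user or group name
    mask: Right

def access_check(acl, token, wanted):
    """Walk ACEs in order: a matching deny on a still-needed right ends the
    check, allows accumulate, and rights nobody granted stay denied."""
    remaining = wanted
    # Explicit ACEs sit deny-first (canonical order), as the ACL editor stores them.
    for ace in sorted(acl, key=lambda a: a.kind != "deny"):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if not remaining:
            return True
    return False

# Constructed tokens: the account name plus its group memberships.
MARK = {"mark", "Users", "Marketing"}
BOB = {"bob", "Users"}  # hypothetical user who should NOT reach "reports"

FIRST_TRY = [Ace("allow", "Administrators", FULL), Ace("allow", "Users", FULL),
             Ace("allow", "mark", FULL)]                # Users grant still present
WITH_DENY = FIRST_TRY + [Ace("deny", "Users", MODIFY)]  # deny hits mark via Users
ACCEPTED = [Ace("allow", "Domain Admins", FULL), Ace("allow", "Marketing", FULL),
            Ace("allow", "SYSTEM", FULL)]               # no Users entry at all

def report():
    """(mark can read, bob can read) for each ACL discussed in the thread."""
    acls = {"first_try": FIRST_TRY, "with_deny": WITH_DENY, "accepted": ACCEPTED}
    return {name: (access_check(acl, MARK, Right.READ),
                   access_check(acl, BOB, Right.READ)) for name, acl in acls.items()}
```

`report()` shows the three states from the thread: everyone gets in, nobody in Users gets in, and only Marketing members get in.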
    LVL 4

    Author Comment

    That made it!

    Thank you leew!
