Windows 2003 Server Permissions

I have just set up a Win 2003 File Server and I'm trying to set the permissions.
I have this folder structure:


I want to give each user read/write access to their user folder AND to their department share folder

I have created a global security group for each department (DeptA and DeptB) and added the relevant users to the security groups.

I have applied the security as follows:
For DepartmentA:
DeptA gets full control of DepartmentA
User1 gets full control of User1 folder
User2 gets full control of User2 folder

For DepartmentB:
DeptB gets full control of DepartmentB
User4 gets full control of User3 folder
User4 gets full control of User4 folder

I can't seem to give the users write access to their folders or the shared departmental folder.  But they do get read-only access.

Can anyone help?  Thanks, Simon

Brian, IT Manager, Commented:
You need to configure Share permissions along with NTFS permissions.  

I prefer to grant my Domain Users group Full Control on the Share permissions and then lock it down on the NTFS permissions (on the security tab).  This way you could explicitly grant Read and Write.

A good rule is when you are assigning permissions to access resources over the network the user or group's effective permission is going to be whatever the Share and NTFS permissions have in common.


Yes, what mkbean is saying is "right".

Personally, I set the share permissions so that domain admins have Full control, and Everyone has Read/Write.  Then I lock it down at the NTFS security level.

Also, it's best to create a local group on the server called DepartmentAShare, and then put the global group you created into that local group.  Just best practice.
Oh...and personally, I NEVER EVER give Full Control to anybody outside of Domain Admins/local administrators on the server.  It's just not needed.  Modify rights give the users the abilities they need.  Giving them Full Control of a directory allows them to change the permissions on the files/folders in that directory, essentially granting/denying access as they see fit.
doddwell, Author, Commented:
How do I set the Share Permissions to Read/Write for everyone?...and do I do it just at top level or do I have to do it at every folder?
You do it at the share level.  Easiest way is to right click my computer, manage, then go to Shares,  right click the share, properties, share permissions.
Brian, IT Manager, Commented:
I think what TheCleaner means to share is he sets those permissions on NTFS which I 100% agree with.  There are only 3 share level permissions, FC, Change and Read.  If you give domain users FC on the Share they will still be restricted to what you have on the NTFS permissions.


Actually here's what I do:

Share level

  - Domain admins - Full Control

  - Everyone - Change and Read

NTFS level

  - Domain admins - Full Control

  - anyone else that needs access (domain users, groups, etc.) gets Modify rights AT THE MOST

I don't give Full Control at the share level to ordinary users because I don't want them using some utility to change the share permissions (not that I've ever seen this done...but I'm anal)

and I don't give Full Control to anyone except administrators at the NTFS level because I don't want them changing the permissions/security in the folders/files.

Brian, IT Manager, Commented:
I see, you said read/write above on the Share, you meant Change.  Yep, nothing wrong with that philosophy.
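
The rule stated in the answers above, that access over the network is whatever the Share and NTFS permissions have in common, modeled as an added example (not code from the thread and not a Windows API). Rights are simplified to four flags with share "Change" treated like NTFS "Modify", deny entries are not modeled, and the read-only share ACL is an assumption about the asker's setup.

```python
from enum import IntFlag


class Right(IntFlag):
    READ = 1
    WRITE = 2
    DELETE = 4
    CHANGE_PERMISSIONS = 8


# Simplified permission levels (assumption: share "Change" ~ NTFS "Modify").
READ = Right.READ
CHANGE = Right.READ | Right.WRITE | Right.DELETE
MODIFY = CHANGE
FULL = CHANGE | Right.CHANGE_PERMISSIONS


def granted(acl, principals):
    """Union of the allow entries in one layer that match the user or their groups."""
    rights = Right(0)
    for principal, mask in acl.items():
        if principal in principals:
            rights |= mask
    return rights


def effective(share_acl, ntfs_acl, principals):
    """Over the network a user gets only what BOTH layers grant."""
    return granted(share_acl, principals) & granted(ntfs_acl, principals)


def describe(rights):
    return sorted(r.name for r in Right if r in rights)


# Constructed sample data based on the names used in the question.
user1 = {"User1", "DeptA", "Domain Users", "Everyone"}
ntfs_as_asked = {"DeptA": FULL}                 # NTFS as described in the question
share_read_only = {"Everyone": READ}            # assumed share ACL behind the symptom
share_fixed = {"Domain Admins": FULL, "Everyone": CHANGE}
ntfs_fixed = {"Domain Admins": FULL, "DeptA": MODIFY}

if __name__ == "__main__":
    print("before:", describe(effective(share_read_only, ntfs_as_asked, user1)))
    print("after: ", describe(effective(share_fixed, ntfs_fixed, user1)))
```
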

Question has a verified solution.