We help IT Professionals succeed at work.

Windows 2003 Server Permissions

doddwell asked
Medium Priority
Last Modified: 2010-04-18
I have just set up a Win 2003 File Server and I'm trying to set the permissions.
I have this folder structure:


I want to give each user read/write access to their user folder AND to their department share folder

I have created a global security group for each department (DeptA and DeptB) and added the relevant users to the security groups.

I have applied the security as follows:
For DepartmentA:
DeptA gets full control of DepartmentA
User1 gets full control of User1 folder
User2 gets full control of User2 folder

For DepartmentB:
DeptB gets full control of DepartmentB
User4 gets full control of User3 folder
User4 gets full control of User4 folder

I can't get seem to give the users write access to their folders or the shared departmental folder.  But they do get read only access.

Can anyone help?  Thanks, Simon
Watch Question

IT Manager
You need to configure Share permissions along with NTFS permissions.  

I prefer to grant my Domain Users group Full Controll on the Share permissions and then lock it down on the NTFS permissions (on the security tab).  This way you could explicitly grant Read and Write.

A good rule is when you are assigning permissions to access resources over the network the user or group's effective permission is going to be whatever the Share and NTFS permissons have in common.


Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Yes, what mkbean is saying is "right".

Personally, I set the share permissions so that domain admins have Full control, and Everyone has Read/Write.  Then I lock it down at the NTFS security level.

Also, it's best to create a local group on the server called DepartmentAShare, and then put the global group you created into that local group.  Just best practice.
Oh...and personally, I NEVER EVER give Full Control to anybody outside of Domain Admins/local administrators on the server.  It's just not needed.  Modify rights give the users the abilities they need.  Giving them Full Control of a directory allows them to change the permissions on the files/folders in that directory, essentially granting/denying access as they see fit.


How do I set the Share Permissions to Read/Write for everyone?...and do I do it just at top level or do I have to do it at every folder?
You do it at the share level.  Easiest way is to right click my computer, manage, then go to Shares,  right click the share, properties, share permissions.
BrianIT Manager

I think what TheCleaner means to share is he sets those permissions on NTFS which I 100% agree with.  There are only 3 share level permission, FC, Change and Read.  If you give domain users FC on the Share they will still be restricted to what you have on the NTFS permissions.


Actually here's what I do:

Share level

  - Domain admins - Full Control

  - Everyone - Change and Read

NTFS level

  - Domain admins - Full Control

  - anyone else that needs access (domain users, groups, etc.) gets Modify rights AT THE MOST

I don't give Full Control at the share level to ordinary users because I don't want them using some utility to change the share permissions (not that I've ever seen this done...but I'm anal)

and I don't give Full Control to anyone expect administrators at the NTFS level because I don't want them changing the permissions/security in the folders/files.

BrianIT Manager

I see, You said you read/write above on the Share you meant change.  Yep nothing wrong with that philosphy.

Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.