Windows 2003 Server Permissions

Posted on 2006-03-22
Medium Priority
Last Modified: 2010-04-18
I have just set up a Win 2003 File Server and I'm trying to set the permissions.
I have this folder structure:


I want to give each user read/write access to their user folder AND to their department share folder.

I have created a global security group for each department (DeptA and DeptB) and added the relevant users to the security groups.

I have applied the security as follows:
For DepartmentA:
DeptA gets full control of DepartmentA
User1 gets full control of User1 folder
User2 gets full control of User2 folder

For DepartmentB:
DeptB gets full control of DepartmentB
User4 gets full control of User3 folder
User4 gets full control of User4 folder

I can't seem to give the users write access to their folders or the shared departmental folder.  But they do get read-only access.

Can anyone help?  Thanks, Simon
Question by:doddwell
LVL 20

Accepted Solution

mkbean earned 400 total points
ID: 16260229
You need to configure Share permissions along with NTFS permissions.  

I prefer to grant my Domain Users group Full Control on the Share permissions and then lock it down on the NTFS permissions (on the security tab).  This way you could explicitly grant Read and Write.

A good rule is when you are assigning permissions to access resources over the network the user or group's effective permission is going to be whatever the Share and NTFS permissions have in common.

LVL 23

Assisted Solution

TheCleaner earned 400 total points
ID: 16260270
Yes, what mkbean is saying is "right".

Personally, I set the share permissions so that domain admins have Full control, and Everyone has Read/Write.  Then I lock it down at the NTFS security level.

Also, it's best to create a local group on the server called DepartmentAShare, and then put the global group you created into that local group.  Just best practice.
LVL 23

Expert Comment

ID: 16260293
Oh...and personally, I NEVER EVER give Full Control to anybody outside of Domain Admins/local administrators on the server.  It's just not needed.  Modify rights give the users the abilities they need.  Giving them Full Control of a directory allows them to change the permissions on the files/folders in that directory, essentially granting/denying access as they see fit.
Author Comment

ID: 16260342
How do I set the Share Permissions to Read/Write for everyone?...and do I do it just at top level or do I have to do it at every folder?
LVL 23

Expert Comment

ID: 16260409
You do it at the share level.  Easiest way is to right click my computer, manage, then go to Shares,  right click the share, properties, share permissions.
LVL 20

Expert Comment

ID: 16261253
I think what TheCleaner means to share is he sets those permissions on NTFS which I 100% agree with.  There are only 3 share level permissions: FC, Change and Read.  If you give domain users FC on the Share they will still be restricted to what you have on the NTFS permissions.

LVL 23

Expert Comment

ID: 16261694

Actually here's what I do:

Share level

  - Domain admins - Full Control

  - Everyone - Change and Read

NTFS level

  - Domain admins - Full Control

  - anyone else that needs access (domain users, groups, etc.) gets Modify rights AT THE MOST

I don't give Full Control at the share level to ordinary users because I don't want them using some utility to change the share permissions (not that I've ever seen this done...but I'm anal)

and I don't give Full Control to anyone except administrators at the NTFS level because I don't want them changing the permissions/security in the folders/files.

LVL 20

Expert Comment

ID: 16262482
I see, you said read/write above on the Share, you meant Change.  Yep, nothing wrong with that philosophy.
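
The rule discussed in this thread (network access is whatever the share and NTFS permissions have in common, and Full Control adds the right to change permissions), modelled as an added example that is not code from any poster. The four-right model, the principals and the asker's share ACL of Everyone: Read are assumptions; Deny entries and inheritance are left out.

```python
from enum import Flag

class Right(Flag):
    READ = 1
    WRITE = 2
    DELETE = 4
    CHANGE_PERMS = 8   # edit the ACLs on files and folders

# Simplified rights behind the named levels used in the thread.
READ = Right.READ
CHANGE = Right.READ | Right.WRITE | Right.DELETE   # share "Change" / NTFS "Modify"
FULL = CHANGE | Right.CHANGE_PERMS                 # "Full Control"

def granted(acl, principals):
    """Union of the allow entries in acl that match the user or its groups."""
    rights = Right(0)
    for who, level in acl:
        if who in principals:
            rights |= level
    return rights

def effective(share_acl, ntfs_acl, principals):
    """Access over the network: what share and NTFS permissions have in common."""
    return granted(share_acl, principals) & granted(ntfs_acl, principals)

# Constructed principals: a department user and an administrator.
USER1 = {"User1", "DeptA", "Domain Users", "Everyone"}
ADMIN = {"Admin1", "Domain Admins", "Domain Users", "Everyone"}
ADMINS = ("Domain Admins", FULL)

# (share ACL, NTFS ACL) per layout; the asker's share ACL is an assumption.
LAYOUTS = {
    "asker": ([("Everyone", READ)], [("DeptA", FULL)]),
    "share FC, NTFS Modify": ([("Domain Users", FULL)], [("DeptA", CHANGE)]),
    "share FC, NTFS FC": ([("Domain Users", FULL)], [("DeptA", FULL)]),
    "share Change, NTFS Modify": ([ADMINS, ("Everyone", CHANGE)], [ADMINS, ("DeptA", CHANGE)]),
}

def audit(principals):
    """Map layout name -> (effective rights, can the principal re-permission?)."""
    out = {}
    for name, (share_acl, ntfs_acl) in LAYOUTS.items():
        rights = effective(share_acl, ntfs_acl, principals)
        out[name] = (rights, bool(rights & Right.CHANGE_PERMS))
    return out

if __name__ == "__main__":
    for name, (rights, risky) in audit(USER1).items():
        print(f"{name:28} {rights!r:60} re-permission={risky}")
```

Only the layout that grants Full Control on both the share and NTFS leaves the department user able to change permissions; the asker's layout comes out read-only despite NTFS Full Control.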


Question has a verified solution.
