Root share and subfolder restrictions

onlinerack asked
Medium Priority
Last Modified: 2010-08-05
Hello all,
I have a weird issue. I have set this up before and was doing it again, but it failed to work.

I have four groups and they are members of mgmt.
I have a share called data, and mgmt has full share rights.
Then I have four subfolders that have NTFS permissions set for each group respectively, with no inheritance.
So group A should not be able to access any of the other folders except A.

What is happening is that all the groups can access each other's folders but cannot delete or rename; they can, however, create stuff. Very weird.

I have set it up like this before with no issues, but I am having problems here and am not sure why.
Please help.

Top Expert 2006
You need to assign the permissions on both the share and the security (NTFS) permissions of the folders.


When you create a new shared resource, the Everyone group is automatically assigned the Read permission, which is the most restrictive. Share permissions do not apply to users logging on locally, such as on a terminal server. In these cases, use access control on NTFS to set permissions.

If you use Microsoft Windows Explorer or the Cacls.exe utility, you cannot assign NTFS file system permissions to the root directory of an NTFS volume if the volume is mounted by using a mount point, or no drive letter.

The DACL lists permissions by the object first, followed by the object's parent, then the grandparent, and so on up the directory tree. Each layer has the Deny permissions listed before the Allow permissions. The evaluation starts at the child and checks the permissions at that level before continuing up the tree. This process goes level by level until one of three things happens:

If the evaluation finds a Deny for the requested action, the evaluation stops and the action is denied.
If the evaluation finds an Allow for the requested action, the evaluation stops and the action is allowed.
If the evaluation made it to the top of the tree and the action does not have an Allow or Deny permission specified, the action is still denied.


The Everyone group was removed.
They are not local; they are coming through drive mappings.
I have their group set as Full Control on the root share.
Then every group has access to its subfolder below it, and inheritance is disabled.
Somehow all the groups seem to be able to access each other's folders and create stuff, but cannot rename or delete the original data.
They are not coming through Terminal Services.
Set it up like this:

"DATA" share - share permissions should be Domain Admins - Full Control --- Everyone - Change and Read (Everyone in 2003 doesn't include Anonymous, so no worries).

Create FolderA. You'll need to make sure to uninherit permissions (copy them over), then remove everyone but Domain Admins, then...

FolderA - folder in the Data share -- NTFS permissions should be Domain Admins - Full Control --- local FolderA group has Modify rights.

You will need to create the local group on the server called FolderA. Then add to that local group any global groups for this folder that you create in Active Directory. For instance, if you want Bob and Tom to have access to FolderA, create a global group in AD called SERVER_FOLDERA, then add them to that group. Then add that global group to the local group on the server.

It's just best practice to create local groups, add global groups to them, and then assign the permissions to the local groups, just FYI.

Repeat for all 4 subfolders.

NOTE: Obviously, if someone is in more than one of the global groups, they'll have access to more than one subfolder...
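The procedure above (share permissions on the root, one local group per subfolder fed by an AD global group, inheritance broken and only Domain Admins plus the local group left on each subfolder) as a PowerShell script. This is an added example, not code from the thread. It assumes Windows Server 2008 or later (for `net share /GRANT`), an elevated prompt, and hypothetical names: domain CONTOSO, share root D:\Data, global groups named SERVER_FOLDERA etc. The audit function at the end lists the ACEs actually present on each subfolder and flags any identity other than the two expected ones; a leftover BUILTIN\Users ACE inherited from the volume root is exactly what the asker found, and the Server 2003 default root ACL gives Users read plus create rights, which matches the create-but-not-delete symptom.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. All names below are hypothetical.
$Domain    = 'CONTOSO'
$DataRoot  = 'D:\Data'
$ShareName = 'DATA'
$Folders   = 'FolderA', 'FolderB', 'FolderC', 'FolderD'

# 1. Share root: Domain Admins Full, Everyone Change (covers Read). NTFS does the real restricting.
New-Item -ItemType Directory -Path $DataRoot -Force | Out-Null
if (-not (net share | Select-String -SimpleMatch "$ShareName ")) {
    net share "$ShareName=$DataRoot" "/GRANT:$Domain\Domain Admins,FULL" "/GRANT:Everyone,CHANGE" | Out-Null
}

# Builds a FileSystemAccessRule that applies to the folder, its subfolders and files.
function New-FolderRule {
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
}

foreach ($f in $Folders) {
    $path        = Join-Path $DataRoot $f
    $localGroup  = $f                                  # local group on the server, e.g. FolderA
    $globalGroup = "$Domain\SERVER_$($f.ToUpper())"    # AD global group, e.g. CONTOSO\SERVER_FOLDERA
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # 2. AGDLP: local group exists and contains the global group (net.exe works on every server version).
    if (-not (net localgroup | Select-String -SimpleMatch "*$localGroup")) {
        net localgroup $localGroup /add | Out-Null
    }
    net localgroup $localGroup $globalGroup /add 2>$null | Out-Null

    # 3. NTFS: break inheritance and DROP the inherited ACEs rather than copying them,
    #    otherwise BUILTIN\Users from the volume root survives on every subfolder.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)          # protected = on, preserve inherited = off
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($ace) | Out-Null           # start from an empty explicit DACL
    }
    $acl.AddAccessRule((New-FolderRule "$Domain\Domain Admins" 'FullControl'))
    $acl.AddAccessRule((New-FolderRule "$env:COMPUTERNAME\$localGroup" 'Modify'))
    Set-Acl -Path $path -AclObject $acl
}

# 4. Audit: report any subfolder whose DACL still inherits or still carries an unexpected identity.
#    ACEs are listed in on-disk order, i.e. the order the access check walks them.
function Test-SubfolderAcl {
    param([string]$Path, [string[]]$ExpectedIdentities)
    $acl = Get-Acl -Path $Path
    $problems = @()
    if (-not $acl.AreAccessRulesProtected) { $problems += 'inheritance is still enabled' }
    foreach ($ace in $acl.Access) {
        if ($ExpectedIdentities -notcontains $ace.IdentityReference.Value) {
            $problems += "unexpected ACE: $($ace.IdentityReference) $($ace.AccessControlType) $($ace.FileSystemRights)"
        }
    }
    [pscustomobject]@{ Path = $Path; Ok = ($problems.Count -eq 0); Problems = $problems }
}

foreach ($f in $Folders) {
    Test-SubfolderAcl -Path (Join-Path $DataRoot $f) `
        -ExpectedIdentities "$Domain\Domain Admins", "$env:COMPUTERNAME\$f"
}
```

Run the audit part on its own against an existing share to diagnose the situation in the thread: any line reporting BUILTIN\Users, Everyone or Authenticated Users on a subfolder explains why members of one group can still get into the others. Share-level Change for Everyone is harmless only because the NTFS DACL on each subfolder is the effective gate; if a subfolder keeps an inherited Users ACE, the share permission will not save you.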


Thank you for your answer.
I followed it.
It turns out that server\Users had been granted read-only access to all the folders, and this is why they could see all of them, so I removed it and it worked well. I have, however, redone the local groups and added the global groups into them, and it worked well.
Top Expert 2006

well done :)
Thanks for the points!