How to set root level Share Permission to be read only and sub folder level to be read write etc

I think I already know the answer to this question (or at least the MS answer anyway) but, the Boss wants me to get either a confirmation or a way round this problem.

anyway, here is the scenario :-

we currently run a Win NT4 Network and on the File and Print Server, we have a shared Folder called PublicDrive, which houses all users data should they choose to save it here.

currently, the permissions are set as follows:-

PublicDrive Root Folder Everyone has Full control Share Permission.

then there are various sub folders all based on Departments (i.e. Sales, Marketing, IT, etc) which have Permissions set as appropriate (i.e. marketing Users can only access the Marketing Folder etc).

however, we are getting the odd instance where a user will create a folder within the PublicDrive Root Folder and save their data there.

We are in the process of moving over to a Win2k3 Network and when we migrate the public Folder over to the Win2k3 File and Print Server we want to stop users from having the ability to create folders, or save files at the PublicFolder root level, instead forcing them to create\save data within theire pre-defined folders.

now I told the boss that I don't think it can be done as to stop users from creating folders/files at root level, then the permission of Read Only must be set for everyone at root level, and even though you can set permission on, say, the Marketing folder for the Marketing Users to have full control on the Marketing Folder, the marketing users will not be able to create\save data in the Marketing folder as Windows combines the 2 sets of permissions, and the most restrictive permission is enforced (in this case read only).

is there anyway round this, where the users can save data in their respective folders but NOT in the root of Public Drive?


Who is Participating?
rcheinConnect With a Mentor Commented:
Actually, if you have them set to read level at the root folder and write on a sub folder, they will have write access on the sub folder.  It does not go to the most restrictive permission.  We use this setup all the time.
Note, the above assumes you are not denying write pemissions (which there is no reason to do).

Meaning if you looke at the permissions list, and you have "Read and Execute, List Folder Contents, and Read" checked as allowed in the root folder, they will only have read access.  You are not denying them write, but since you have not allowed them write they only have read.  Then in the sub folder, if you also give them other permission, they will have the combination of permissions.
mcsweenSr. Network AdministratorCommented:
When setting the security on the root folder, click advanced and change the dropdown to read "This Folder Only"
Windows permissons 101... Accessing a folder through a share gives "most advantageous"  
                                        Accessing same folder locally NTFS permissions "most restrictive".

So rchein has the best solution.
Also be advised that the Default behavior for W2k3 is that the "root/top level share" created has Read only share permissons for the "everyone" group.

bantamsAuthor Commented:
cheers, you learn something new everyday :-)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.