How to set root level Share Permission to be read only and sub folder level to be read write etc

Posted on 2006-05-11
Last Modified: 2010-04-18
I think I already know the answer to this question (or at least the MS answer anyway) but, the Boss wants me to get either a confirmation or a way round this problem.

anyway, here is the scenario :-

we currently run a Win NT4 Network and on the File and Print Server, we have a shared Folder called PublicDrive, which houses all users data should they choose to save it here.

currently, the permissions are set as follows:-

PublicDrive Root Folder Everyone has Full control Share Permission.

then there are various sub folders all based on Departments (i.e. Sales, Marketing, IT, etc) which have Permissions set as appropriate (i.e. marketing Users can only access the Marketing Folder etc).

however, we are getting the odd instance where a user will create a folder within the PublicDrive Root Folder and save their data there.

We are in the process of moving over to a Win2k3 Network and when we migrate the public Folder over to the Win2k3 File and Print Server we want to stop users from having the ability to create folders, or save files at the PublicFolder root level, instead forcing them to create\save data within theire pre-defined folders.

now I told the boss that I don't think it can be done as to stop users from creating folders/files at root level, then the permission of Read Only must be set for everyone at root level, and even though you can set permission on, say, the Marketing folder for the Marketing Users to have full control on the Marketing Folder, the marketing users will not be able to create\save data in the Marketing folder as Windows combines the 2 sets of permissions, and the most restrictive permission is enforced (in this case read only).

is there anyway round this, where the users can save data in their respective folders but NOT in the root of Public Drive?


Question by:bantams
    LVL 3

    Accepted Solution

    Actually, if you have them set to read level at the root folder and write on a sub folder, they will have write access on the sub folder.  It does not go to the most restrictive permission.  We use this setup all the time.
    LVL 3

    Expert Comment

    Note, the above assumes you are not denying write pemissions (which there is no reason to do).

    Meaning if you looke at the permissions list, and you have "Read and Execute, List Folder Contents, and Read" checked as allowed in the root folder, they will only have read access.  You are not denying them write, but since you have not allowed them write they only have read.  Then in the sub folder, if you also give them other permission, they will have the combination of permissions.
    LVL 21

    Expert Comment

    When setting the security on the root folder, click advanced and change the dropdown to read "This Folder Only"
    LVL 2

    Expert Comment

    Windows permissons 101... Accessing a folder through a share gives "most advantageous"  
                                            Accessing same folder locally NTFS permissions "most restrictive".

    So rchein has the best solution.
    Also be advised that the Default behavior for W2k3 is that the "root/top level share" created has Read only share permissons for the "everyone" group.

    LVL 3

    Author Comment

    cheers, you learn something new everyday :-)

    Featured Post

    IT, Stop Being Called Into Every Meeting

    Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

    Join & Write a Comment

    Preface Having the need * to contact many different companies with different infrastructures * do remote maintenance in their network required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are no…
    A quick step-by-step overview of installing and configuring Carbonite Server Backup.
    Hi everyone! This is Experts Exchange customer support.  This quick video will show you how to change your primary email address.  If you have any questions, then please Write a Comment below!
    Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

    728 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    20 Experts available now in Live!

    Get 1:1 Help Now