Clarification of Folder Permissions

I am still having problems with the folder permissions.  My folder setup again is as follows....
Parent Folder
Sharing - Admin = Full Permission, Domain Admin = Full Permission, Domain Users = Read Permissions
Security - Admin = Full Permission, Domain Admin = Full Permission, Domain Users = Read & Execute, List Folder, Read Permissions

Sub Folder
Sharing - Admin = Full Permission, Domain Admin = Full Permission, Group A = Read Permissions
Security - Admin = Full Permission, Domain Admin = Full Permission, Group A = Modify, Read & Execute, List Folder, Read, Write Permissions

When I login as a user in Group A, I can see the subfolder and access the subfolder, however I cannot create a folder, or file - Access Denied.  I had even given Group A full permission for both sharing and security, and still received the Access Denied when I tried to create a folder or file as a user in Group A.

Also, at no level has the deny right been selected.

If anyone can assist me with this, it would be greatly appreciated.
smastrorAsked:
Who is Participating?
 
AmericomConnect With a Mentor Commented:
If you adjust the permissions for GroupA on the shared folder, no need to logoff and back in. It should be applied immediately.

If you access the share by \\ServerName\MainFolderShareName\SubFolderShareName\, you would have no permission to create folder or file due to the most restrictive of share&NTFS on the shared MainFolder which is READ.

If you access the share by \\ServerName\SubFolderDShareName\, you would still have NO permission to create folder or file due to the most restrictive of share&NTFS on the shared SubFolder which is READ.

So, if you had previously given Group A full access for both the Share and Security for the subfolder, you should be able to create file or folder if you access via \\ServerName\SubFolderDShareName\ but NOT via \\ServerName\MainFolderShareName\SubFolderShareName\.

This means normally you would stay away from Share within a Share unless your main folder already created and has became quite large and the subfolder you only want to share with a different group of user and would not want to pull it out of the main foler. Otherwise, you should create share only on the MainFolder as:
MainFolder
Share--Everyone or Authenticated Users, sometime Domain Users(Full)
Security--Group(s) that manage the filesystem (Full), Domain Users (RX)

SubFolder
Security--Group(s) that manage the filesystem (Full) & Domain Users (RX)[ should be inherited], GroupA (M)

Should never grant permission with individual account. Always use Group, yes even only one account.

0
 
Tsun4mi7Commented:
I'd recommend granting full access on the share permissions to the "Group A", then control all of the access through the NTFS security
0
 
Brian PiercePhotographerCommented:
If you are accessing the sub-folder directly then the SHARE permissions of the parent have no effect - you are not accessing via the parent.

If you go directly to the sub-folder share then Group A has only read permissions on the share, and therefore Access is denyed when you attempt to create a new folder.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
smastrorAuthor Commented:
KCTS, I had previously given Group A full access for both the Share and Security for the subfolder, and still could not create folders or files - Access Denied.  I just tried this again, with Group A having Full Access for Share and Security, still access denied.

0
 
Tsun4mi7Commented:
log off then back on as a user in group A, still the same?

Try applying the permissions to a specific user / test account that's not in Group A. Still the same?
0
 
jjmartineziiiCommented:
When changing group membership permissions, you need to log off and log in for changes to take effect. Microsoft best practice is to give authenticated users full share control and use NTFS permissions to lock it down.

NTFS uses the most restrictive set of permissions.
0
 
smastrorAuthor Commented:
Thank  you for all your help.  The shares are setup properly now.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.