Windows 2008 file and folder permission issue.

nav2567 used Ask the Experts™
Sorry, but I need to circle back to this case:

A regular user was just able to create and remove a folder from the root of Departments.  I think this is because we are assigning Full rights to authenticated users in the advanced share permissions.

Please advise again.  This is urgent.

Kent Dyer, IT Security Analyst Senior
Need to remove everyone/guest (I think read should be fine) from root (E:\)..

Assign individuals to subfolders (E:\users\JDoe). Assign Read/Write access to Domain\JDoe, and you can certainly assign DOMAIN\Administrators (group) to E:\users.


When sharing a folder the most restrictive permissions apply, so it is not enough to give full access in the shared folder tab, but also in the NTFS permissions. I think you have to change the NTFS permissions in the root folder for the users (find domain users, guest, everyone or users), removing full access and modify tags.
I'm assuming you do want the users to have read and write permissions to documentation, so here's a breakdown of share and NTFS permissions:

Advanced Share Permissions:
* I'm not a fan of the Everyone group (so Remove)
* Add your security group or users and grant Change (Full Control gives the ability to modify permissions which is not what you want your regular users doing)

Security tab (NTFS permissions)
Click Advanced -> Change Permissions -> Add your security group or users (Check names) -> Grant the following:

Traverse folder / execute file
List folder / read data
Read attributes
Read extended attributes
Create files  / write data
Write attributes
Write extended attributes
Read permissions

So if you look back in your Security tab for the security group / user you will now see

Read & execute
List folder contents
Special permissions

I hope this helps.


Under our e:\departments folder, there are already a lot of subfolders for the corporate departments (IT, Finance, Adsales, .......).  The NTFS permissions are already set correctly and no one from one department can access another department's data.

The problem here is this: if someone opens up Windows Explorer and maps to \\server1\departments, they can easily create additional folders under the root of e:\departments.

I have run a test to try to modify something under the root of e:\departments security tab.  But the modification will flow into the departmental subfolders and touch the existing permissions.

What steps do I take to avoid changing the existing permissions of the subfolder when I modify security in the root level?


I have just tested the following on another WIN2K8 server.  These are the observations:

. I create a folder in the root of C:
. Right-click on the folder, go to advanced sharing, grant domain users R/W, Domain Admin Full
. Go to the Security tab, grant domain users Read only, grant domain admin Full.
. From a workstation, I map to \\server1\shared as a regular user.  I am able to "create a folder".

Am I supposed to have only READ ONLY?

Please advise.  

In a domain environment it is hardly ever a good idea to give everyone rights anywhere. If you want all of your users to have access you better use the "authenticated users" group for the share. You could even give that group full access to the share, but you'll have to set the NTFS rights according to what's written below.

If you don't want any user to be able to create a subfolder within the "department" folder you will have to change the NTFS rights for that folder and set the rights for the appropriate groups (or perhaps users) to "This folder only".

Go to the security tab of the folder "Department"

Click "Advanced"

Select "Change permissions"

Remove the checkmark at "Include inheritable permissions from this object's parent" and select "Add".

This way the current permissions will be preserved. You want to remove the groups / users whose rights need to be changed. So most likely you will remove the "Users" and add the groups needing to access the folder (only for traversing / reading) or you can add "users" again, except with the desired rights.

Which are

Apply to: "This folder only"
Traverse folder / execute file
List Folder / read data
Read attributes
Read extended attributes
Read permissions

Be sure you don't check the box "Replace all child object permissions with inheritable permissions from this object" so the permissions already set on the child objects (f.i. the Finance folder) won't be changed. See screenshot below.

Uncheced - Replaced all child object permissions....PNG
If you're not quite sure, test these settings on a new set of folders first, like you did already with the previous suggestions from the other experts!
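
The procedure in the answer above, scripted in PowerShell as an added example (not code from any poster in this thread). `E:\Departments` is the path from the question; `BUILTIN\Users` as the principal to restrict is an assumption, and step 1 lists which ACEs on the root actually grant "Create folders" so the right principal can be confirmed before anything is changed.

```powershell
# Added example. Run from an elevated PowerShell prompt on the file server.
# $Path is the folder from the thread; $Group is an assumption, adjust after step 1.
$Path  = 'E:\Departments'
$Group = 'BUILTIN\Users'

# 1. Audit: show every Allow ACE on the root that carries "Create folders / append data".
#    AppendData and CreateDirectories are the same bit. ACEs stored as generic rights
#    (for example CREATOR OWNER) are not matched by this mask test.
$create = [System.Security.AccessControl.FileSystemRights]::AppendData
(Get-Acl -Path $Path).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $create) } |
    Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags, PropagationFlags -AutoSize

# 2. Stop inheriting from the parent but keep a copy of the inherited ACEs.
#    This is the "Add" choice after unticking "Include inheritable permissions".
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)   # isProtected, preserveInheritance
Set-Acl -Path $Path -AclObject $acl

# 3. Re-read the ACL so the copied ACEs are now explicit, remove every ACE for $Group,
#    then grant only the traverse/read set from the answer.
$acl = Get-Acl -Path $Path
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Group)

$rights = [System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ReadPermissions'
# InheritanceFlags None + PropagationFlags None = "Apply to: This folder only"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, $rights, 'None', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 4. Verify: the root should no longer list AppendData for $Group, and the explicit
#    ACEs on each department folder should be unchanged.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags -AutoSize
Get-ChildItem -Path $Path | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $_.FullName
    (Get-Acl -Path $_.FullName).Access | Where-Object { -not $_.IsInherited } |
        Format-Table IdentityReference, FileSystemRights -AutoSize
}
```

Running step 4's subfolder listing once before step 2 and saving the output gives a baseline to compare against afterwards.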


