Shared Folders Security Permissions - SBS 2011

Posted on 2012-08-30
Last Modified: 2012-09-10
Scenario….the following was set up when a new server was installed

D:\Shared Data\FolderA  and D:\Shared Data\FolderB

Group C does not have permission for the upper level folder Shared Data

Permissions for Group C on both folders A & B are identical – I’ve checked, checked and rechecked.

Read & Execute
List Folder
With Special Permissions of Delete Denied

FolderA – Group C can do the following
Save a new file to the folder
Save an edited version of a file opened from the folder
Create a new folder
Save a new file to a newly created folder

FolderB – Group C can do the following
Save only an empty (0 byte) new file to the folder (the system saves an empty file, then comes back and says the file exists already.  When you say ok to replace it then system say it cannot save because the folder is read only).
Save an edited version of a file opened from the folder
Create a new folder
Save a new file to a newly created folder

Why can’t Group C save/write a new file to the existing FolderB?
Question by:LCW1400
    LVL 77

    Expert Comment

    by:Rob Williams
    A few thoughts:
    I assume the share permissions are set to allow Everyone full control?

    Is there a check mark or gray infill in the "Special Permissions" box of the NTFS permissions?  

    It is possible to have the permissions applied to the parent folder but not the contents or child folders.

    If you run from a command line, for each folder, is the output the same?  i.e. the permissions are the same?
    cacls D:\Shared Data\FolderA

    Author Comment

    The share permissions are set to allow everyone full control.
    There are check marks for both folders for the special permissions box.

    I'll look again at the contents/child folders permissions and check the permissions from the command line.  Unfortunately, I have to wait until Wed 9/5 to get access to the server.  I'll post results then.

    Thank you for your suggestions.
    LVL 77

    Assisted Solution

    by:Rob Williams
    If "special permissions" are enabled it is possible that the permissions are applied to the folder only and not the contents.
    That is to say; under advanced permissions; most often permissions are are applied to "this folder, subfolders, and files", but the option exists to apply only to "this folder only"

    Try going into advanced permissions of a sub folder, click on the effective permissions tab, select a problematic user and see what is shows for their existing permissions.  That might shed some light on it.

    Let us know how you make out next week.

    Accepted Solution

    Here is a follow up.  With the help of our outside tech support, we narrowed it down to the ability to save excel files in any shared folder with restricted permissions.  Because we had denied the Group C the ability to delete, the excel file couldn’t be saved.   This apparently was an issue with both folders but wasn’t noticed right away as the person was saving a pdf file in Folder A and an excel file in Folder B.

    Here is the link to the Microsoft KB file that describes the issue -- look about midway down the page:

    Thanks for the help!
    LVL 77

    Expert Comment

    by:Rob Williams
    Thanks for reporting your findings.  Glad to hear you were able to resolve.

    Author Closing Comment

    Thank you Rob Will for making suggestions that allowed us to keep troubleshooting and narrow the issue down.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Why You Should Analyze Threat Actor TTPs

    After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

    Introduction At 19:33 (UST) on Tuesday 21st September the long awaited email arrived with the subject title of “ANNOUNCING THE AVAILABILITY OF WINDOWS SBS 7 PREVIEW”.  It was time to drop whatever I was doing and dedicate as much bandwidth as possi…
    The articles for turning off the Client firewall policy on the internet are for SBS 2008 and don't really help for SBS 2011. They actually moved the Client firewall policy. In 2011, the client firewall policy has moved to the SBS computers conta…
    In this sixth video of the Xpdf series, we discuss and demonstrate the PDFtoPNG utility, which converts a multi-page PDF file to separate color, grayscale, or monochrome PNG files, creating one PNG file for each page in the PDF. It does this via a c…
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…

    779 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    18 Experts available now in Live!

    Get 1:1 Help Now