Alright, I must be making a simple mistake here.
I have a new File Server I am configuring running Windows Server 2012.
We have some Shares that should be read only for everyone, except a few users.
I have read that best practice indicates leaving the Share security settings to Allow-Everyone-Full Control.
Under NTFS Permissions I add the user group all my users belong to and give them Read and Execute Permissions (Travers folder / execute file, List folder / read data, Read attributes, Read extended attributes, Read permissions).
This rule applies to Folder, Subfolders, and Files on the share.
I then add myself to have Full Control.
My issue is users still have the following rights I don't want them to have-
Create Files / write data and Create folders / append data.
This Share contains files/folders/subfolders all users should Not have any form of write access too.
What simple thing am I missing or mixing up folks?
I'm trying to avoid using too many Deny permissions, but is that the only easy way to get this to work? Leave the Share as Full Control for Everyone, then explicitly Deny the User's group the correct Write permissions?