Windows 2008 File permissions

Having an issue with Windows 2008 file permissions.

I need to lock down a certain folder structure so that all can view/read/execute but not write, except for key people. (Right now I'm just working at the root folder, I'm not even dealing with the inheritable permissions yet)

So I believe the solution is to create a security group and add all the people to be denied write into that group. I applied that group to the folder w/ only 1 test user.

That test user can still create a folder... now if I add that specific user the deny write access that user can't create a folder.

So it appears that Windows is choosing to ignore the security group I created with the deny write permission. I'm missing something here...?

I'm going to be doing more windows file sharing.. is there a 3rd party file sharing software I should use?

Santosh Gupta Commented:
Please specify the permission details on the folder, and list the group name as well.
PapaSmurff Author Commented:
Everyone has read&execute
All_students are denied for everything
Appssg are denied write
administrators have full access

Security group is appssg w/ one test user assigned.
PapaSmurff Author Commented:
Sorry, everyone has three checked: read/execute, list, & read.

Smith and Andersen Commented:
I would do it the other way around
Create a group with the users that you want to write to this folder

create share<SHARE permissions=everyone full control
NTFS security from advanced tab>new group=modify, this folder,sub folders and files
domain users or security group=list+read att+read ext att+read permissions

also if you enable ABE on the sharing, users without NTFS permission won't even see the folder

PapaSmurff Author Commented:
Thanks I think I understand. I haven't had to deal with windows permissions in a while.
PapaSmurff Author Commented:
Ok, I don't understand. So where is the deny write for all users except the users I want to be able to?
Thanks again.
Smith and Andersen Commented:
you don't deny write...just don't give the permissions

make sure you are clicking the advanced button
Santosh Gupta Commented:
Hi, instead of using Deny, do not give them any rights. As Deny has highest precedence.

Also check the effective permission of that user, from below.

PapaSmurff Author Commented:
smithandandersen: I'm not assigning write rights in the first place. From that I assumed everyone has full rights to modify rights from the start..

sgupta1181: When I look at effective permissions for anyone it lists full control. Even a student who is in the all_students group that is denied everything.

Clearly something is majorly wrong...
Santosh Gupta Commented:
Pls share the screenshot of advanced permission
Smith and Andersen Commented:
on the folder in question:

right click>properties>security>advanced button>change permissions

uncheck include inheritable perms>click add in the windows security message
remove any unneeded users or groups
highlight your group to write and click edit
check full control to select all then uncheck full control, change perms and take ownership. Set it for folders, sub folders and files>click ok
for the rest of users for read only do the same except check only list+read att+read ext att+read permissions
PapaSmurff Author Commented:
Sorry guys. The issue was a security group within a security group. Thanks for the help.
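
The end state the steps in this thread aim for (a writers group with everything except change permissions and take ownership, everyone else read-only, no Deny entries), followed by a check of which entries apply to a test user once nested groups are expanded. This is an added example, not part of any post above; it assumes Windows PowerShell run elevated on the file server, and the path, group names and UPN are placeholders.

```powershell
# Added example. All four values below are placeholders (assumptions), not values from the thread.
$Folder   = 'D:\Shares\Apps'
$Writers  = 'CONTOSO\Apps_Writers'       # the "key people" who may write
$Readers  = 'CONTOSO\Domain Users'       # everyone else: read-only
$TestUser = 'testuser@contoso.example'   # UPN of the account being checked

# Apply each entry to this folder, subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None

function New-AllowRule([string]$Identity, [string]$Rights) {
    $r = [System.Security.AccessControl.FileSystemRights]$Rights
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $r, $inherit, $noProp, 'Allow'
}

$dir = Get-Item -LiteralPath $Folder
$acl = $dir.GetAccessControl('Access')

# Stop inheriting from the parent and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

# Remove every explicit entry that is left, Deny entries included.
$sidType = [System.Security.Principal.SecurityIdentifier]
foreach ($ace in @($acl.GetAccessRules($true, $false, $sidType))) {
    $acl.RemoveAccessRuleSpecific($ace)
}

# Allow-only model: anyone not granted a right simply does not have it.
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl'))
# Full control minus "change permissions" and "take ownership".
$acl.AddAccessRule((New-AllowRule $Writers 'Modify, DeleteSubdirectoriesAndFiles'))
# The four read-only boxes named in the thread.
$acl.AddAccessRule((New-AllowRule $Readers 'ListDirectory, ReadAttributes, ReadExtendedAttributes, ReadPermissions'))
$dir.SetAccessControl($acl)

# Expand the test user's group membership transitively (nested groups included)
# and list the entries on the folder that match the user or any of those groups.
$id   = New-Object System.Security.Principal.WindowsIdentity -ArgumentList $TestUser
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
(Get-Item -LiteralPath $Folder).GetAccessControl('Access').GetAccessRules($true, $true, $sidType) |
    Where-Object { $sids -contains $_.IdentityReference.Value } |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
```

If the final listing shows an entry for a group the test user was not expected to be in, the membership came through a nested group.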