Windows 2008 File permissions

Having an issue with windows 2008 file permissions.

 I need to lockdown a certain folder structure so that all can view/read/execute but not write, except for key people. (Right now I'm just working at the root folder, I'm not even dealing with the inheritable permissions yet)

So I believe the solution is to create a security group and add all the people to be denied write into that group. I applied that group to the folder w/ only 1 test user.

That test user can still create a folder... now if I add that specific user the deny write access that user can't create a folder.

So it appears that windows so choosing to ignore the security group I created with the deny write permission. I'm missing something here...?

I'm going to be doing more windows file sharing.. is there a 3rd party file sharing software I should use?
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

Sylvie BConnect With a Mentor DirectorCommented:
I would do it the other way around
Create a group with the users that you want to write to this folder

create share<SHARE permissions=everyone full control
NTFS security from advanced tab>new group=modify, this folder,sub folders and files
domain users or security group=list+read att+read ext att+read permissions

also if you enable ABE on the sharing users without NTFS permission wont even see the folder
Santosh GuptaCommented:
Please specify the permission details on the folder. and list the group name as well.
PapaSmurffAuthor Commented:
Everyone has read&execute
All_students are denied for everything
Appssg are denied write
administrators have full access

Security group is appssg w/ one test user assigned.
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

PapaSmurffAuthor Commented:
Sorry everyone has three checked read/execute, list, & read.
PapaSmurffAuthor Commented:
Thanks I think I understand. I haven't had to deal with windows permissions in a while.
PapaSmurffAuthor Commented:
Ok, I don't understand. So where is the deny write for all users except the users I want to be able too.
Thanks again.
Sylvie BDirectorCommented:
you don't deny write...just don't give the permissions

make sure you are clicking the advanced button
Santosh GuptaConnect With a Mentor Commented:
Hi, instead of using Deny, donot give them Any rights. As Deny has highest precedence.

also check the effective permission of that user. from blow.

PapaSmurffAuthor Commented:
smithandandersen: I'm not assigning write rights in the first place. From that I assumed everyone has full rights to modify rights from the start..

 sgupta1181: When I look at effective permissions for anyone it lists full control. Even a student who is in the all_students group that is denied everything.

Clearly something is majorly wrong...
Santosh GuptaCommented:
Pls share the screenshot of advanced permission
Sylvie BDirectorCommented:
on the folder in question:

right click>properties>security>advanced button>change permissions

uncheck include inheritable perms>click add in the windows security message
remove any unneeded users or groups
highlight your group to write and click edit
check full control to select all then uncheck full control, change perms and take ownership. Set it for folders, sub folders and files>click ok
for the rest of users for read only do the same except check only list+read att+read ext att+read permissions
PapaSmurffAuthor Commented:
Sorry guys. The issue was a security group within a security group. Thanks for the help.
All Courses

From novice to tech pro — start learning today.