We help IT Professionals succeed at work.

File Share Permissions Stumper

We have a Windows 2008 R2 File server. When we share folders we give Everyone Read, Change and Full Control share permissions and then use NTFS permissions to place restrictions.

We discovered a shared folder in which the Domain Users group has Read, List Folder Contents and Read & Execute NTFS permissions. However we discovered that our users can write to that folder. I checked Effective permissions and found that the Domain Users group only had  Read, List Folder Contents and Read & Execute  permissions, however when I check an individual user they indeed have write effective permissions. The users are not in any other groups that have any permissions on that share. So I am stumped, how does a group have read only permissions but the users in that group have write permissions?
Watch Question

Is it possible the users are indirectly members of a local group that has access to the folders?

See https://technet.microsoft.com/en-us/library/cc772184.aspx to see exactly how effective permissions are determined.

Perhaps "Users" (local group) has write access and Domain Users is a member of Users?
Lionel MMSmall Business IT Consultant

Do you have "inherited permissions" enabled on the folder--if you do remove them and apply on the permissions you want on that shared folder.


We don't have any local groups on that server that contain domain users.

 I unshared the folder, reset the NTFS permisions, then shared it again and it seems back to normal.


Okay, I apologize to Matt. Upon re-examination domain users were in a local server group with write permissions.