Windows 2012R2 file share permissions issue


I have the following file structure:


share path is \\server\staff  - D:\shares\staff

I want a group of users to be able to mount the share, and create folders under "departments" folder, but not be able to delete or rename the "departments" folder itself. I have given share permissions everyone full control, and NTFS permissions on the D:\departments\staff folder read and execute folder subfolder and files.

What is the correct way to do this? I have tried modify sub-folders and files only, but then they cannot access the folder at all. If I add "read and execute this folder only" + "modify sub-folders and files only", they cannot create folders/files.

The odd part is that if I give them modify this folder subfolders and files, they cannot rename the departments folder, but they can delete it.

Radhakrishnan R, Senior Technical Lead, commented:

Usually this should work if you give the share access for everyone full and set the security level for the specific group.

I.e. open the Shares folder >> Properties >> Sharing >> Advanced Sharing >> Permissions >> Everyone = Full Control (make sure "Share this folder" has a tick mark) >> click OK.

Now, go to the Security tab >> Edit >> Add >> search for the desired group and give them "Read & Execute, List folder contents, Read".

Hope this sets the permissions correctly.

dipersp commented:
First, never give everyone "full" access to a share.  That means they can change the share permissions on the share.  Give them read/write only.  Domain admins/admins should have full.

On the NTFS permissions, you're going to need to do advanced permissions.  Right click on the departments folder, go to the security tab and hit edit.  Add in the group of users you want to have rights to do everything except delete.  Again, do NOT give them full control - just tick the check next to modify.  This gives them full read and write.  Make sure the admins have full control.  Hit OK.

While still on the security tab of the departments folder, hit advanced.  Then click change permissions.

Click ADD and add the group in question.  On the apply to dropdown, select this folder only.  Tick the box for delete/deny.  OK.  (Screen shot SS2.JPG)

Done correctly, you should see the group in question twice in the advanced list of permissions/groups.  See attached screen shot (SS.JPG).

Test.  I used the everyone group in my example, but I never recommend using everyone or domain users.  Always make a specific group for security and populate it, even if you populate it with everyone/domain users.  Trust me, it will save you later when they bring on an intern and don't want them to have access to the folder everyone has access to, since we (normally) hate denies!
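The same NTFS layout dipersp describes (Modify on this folder, subfolders and files, plus Deny Delete on this folder only), as an added PowerShell example that is not part of the original answer. The share name `staff`, the path `D:\shares\staff\departments` and the group `CONTOSO\Staff-Departments` are placeholders; substitute your own.

```powershell
# Added example: script the GUI steps from the answer above.
# Placeholder values (assumptions, not from the original post):
$Share  = 'staff'
$Folder = 'D:\shares\staff\departments'
$Group  = 'CONTOSO\Staff-Departments'

# Share level: Change (read/write) for the group instead of Full Control for Everyone,
# so members cannot alter the share permissions themselves.
Grant-SmbShareAccess  -Name $Share -AccountName $Group      -AccessRight Change -Force
Revoke-SmbShareAccess -Name $Share -AccountName 'Everyone'  -Force

$acl = Get-Acl -Path $Folder

# 1. Allow Modify on "This folder, subfolders and files" (the "Modify" tick box).
$allowModify = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# 2. Deny Delete on "This folder only" (InheritanceFlags None = no propagation).
#    Renaming a folder also needs the Delete right on that folder, so this blocks
#    both delete and rename of "departments" while leaving its contents writable.
$denyDelete = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::Delete,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl.AddAccessRule($allowModify)
$acl.AddAccessRule($denyDelete)
Set-Acl -Path $Folder -AclObject $acl

# Verify: the group appears twice, once Allow Modify and once Deny Delete,
# matching the two entries in the Advanced Security dialog.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference -eq $Group } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags -AutoSize
```

One check worth making: the group must not hold "Delete subfolders and files" on the parent `D:\shares\staff`, because that parent right allows deleting a child even when the child carries a Deny Delete entry; Read & Execute on the parent, as in the question, is fine.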

NVIT, End-user support, commented:
1+ to dipersp's comment on "On the NTFS permissions".

Keep in mind that an existing group, OU, or user on the folder (before you make changes) affects the outcome. If these groups show, or any other group the user(s) should not be in, you may have to remove the group, OU, or user from the Advanced dialog:
- Authenticated Users
- Users

- All users are by default, in the Authenticated Users domain group.
- You create a group named Allowed Group
- Danny is not in Allowed Group
- You add the Allowed Group to the list, thinking that Danny will not have the right. In reality, Danny will be allowed.
- To disallow Danny, you have to remove Authenticated Users and/or Users.