1

Windows Server 2016 Standard... department/group's users were getting read permission errors within their department folder, gave them full control on folder and subs, then they got write permissions error ("You require permission from ZPICTURES\admin-zp to make changes to this file"), then gave each user in group full control of folder and subs, but still getting the same error message when trying to write or modify anywhere within ("You require permission from...").

I'm really confused now as this configuration works on another group's folder (actually, with just full control to group instead of all users). How do I fix this group's permission configuration so the group's users have write permissions?

crashintoty

2 Answers

2
  • When you make a permission change the users need to logout and log back in for the changes to take effect.
  • I would advise against giving full control. That allows users to change permissions and take ownership of files. Modify rights should be sufficient for the vast majority of users' needs when it comes to shares.
  • Other users could have the files locked if they are accessing the same exact files.
  • In Windows Deny is Deny. If a user has deny anywhere from any group or explicit permission then they are denied that right. Go to the security -> advanced -> effective permissions on a file and see what that tells you.
JBaldridge
  • 2
    `When you make a permission change the users need to logout and log back in for the changes to take effect` - That isn't technically correct. Changes to security group membership require a new logon. Changes to NTFS permissions do not. If the users were already members of the security group in question and their access token reflected that, then changes to the NTFS permissions for that group would be effective immediately. No log out and log on is required. – joeqwerty Nov 15 '16 at 18:46
  • 2
    `In Windows Deny is Deny. If a user has deny anywhere from any group or explicit permission then they are denied that right` - As a point of clarification, an explicit Allow takes precedence over an inherited Deny. – joeqwerty Nov 15 '16 at 18:48
0

You were already introduced to the main concepts of NTFS permissions in the answer by @JBaldridge above, which haven't changed much since the early days of NTFS/Windows Server. I would only add a few things:

  • Watch how you access the folder: locally or over the network. If the latter is the case, then you have to take into account Share permissions. You have to consider both Share and NTFS permissions: having write on the NTFS level won't allow you to write data over the network when the Share permission is Read only. Think about Share permissions as a funnel which comes into play only when the folder is accessed over the network.
  • In case keeping in mind two levels of permissions is too much of a hassle for you, then a well-tried approach is to always grant Full Control to Authenticated Users on the share level and tailor your permissions on the NTFS level only - this makes admin life a bit easier. I just checked the default sharing permissions in Server 2016 and it gives Full Control to Everyone + Administrators by default.
  • Worth reiterating: Explicit deny always wins, no matter how many grants/allows you add.
  • Keep in mind the order of precedence to understand effective NTFS permissions. Permissions are evaluated in this order and evaluation stops on the first match: 1) Explicit Deny 2) Explicit Allow 3) Inherited Deny 4) Inherited Allow

And last but not least, make use of Effective Access to verify what level of access a specific user or group has. It's available in Advanced Security Settings for the folder; see the picture below demonstrating the UI of this feature (I guess the picture should give you quite a good understanding of what you can do with this feature):

[Screenshot: Effective Access in Advanced Security Settings]

Mikhail
  • 2
    `Worth reiterating: Deny always win, no matter how many grants/allows you add` - That's not correct. An explicit Allow has precedence over an inherited Deny. – joeqwerty Nov 15 '16 at 20:13
  • 2
    It took me a re-read of your note before getting your point. Order of processing goes from the child up the tree and it stops at the first deny or, if there is no such, on the first allow, so an explicit allow on the object will win over an inherited one. I will edit my answer to say explicit deny always wins, which seems to be a bit more correct maybe? – Mikhail Nov 15 '16 at 21:12
  • Right, I just wanted to provide some clarification. Thanks. – joeqwerty Nov 15 '16 at 21:28
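
A simplified model of the evaluation order and the share "funnel" discussed in this thread, added here as an illustration and not code from any of the posters. The two rights bits, the group `Dept-Users`, the user `alice` and the two sample ACLs are constructed for the example; real NTFS access masks and SIDs carry more detail.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2        # simplified rights bits (assumption, not real NTFS masks)
MODIFY = READ | WRITE

@dataclass(frozen=True)
class Ace:
    principal: str            # user or group name (stands in for a SID)
    allow: bool               # True = Allow ACE, False = Deny ACE
    rights: int
    inherited: bool           # False = set explicitly on this object

def canonical(aces):
    """Order from the answer: explicit deny, explicit allow,
    inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.allow))

def ntfs_granted(aces, token, wanted):
    """Walk the ACEs in order; each right is settled by the first matching
    ACE that mentions it, so a later ACE cannot override an earlier one."""
    granted = denied = 0
    for ace in canonical(aces):
        if ace.principal not in token:
            continue          # ACE is for a principal the user is not a member of
        if ace.allow:
            granted |= ace.rights & ~denied
        else:
            denied |= ace.rights & ~granted
    return granted & wanted

def effective(aces, token, wanted, share_rights=None):
    """share_rights=None models local access; over the network the share
    permission narrows whatever NTFS grants."""
    rights = ntfs_granted(aces, token, wanted)
    return rights if share_rights is None else rights & share_rights

# Constructed sample data
TOKEN = {"alice", "Dept-Users"}
# Inherited Deny Write from the parent, explicit Allow Modify on the folder itself
FOLDER_A = [Ace("Dept-Users", False, WRITE, True),
            Ace("Dept-Users", True, MODIFY, False)]
# Explicit Deny Write for the user next to an explicit Allow Modify for her group
FOLDER_B = [Ace("alice", False, WRITE, False),
            Ace("Dept-Users", True, MODIFY, False)]

if __name__ == "__main__":
    print("A local:      ", effective(FOLDER_A, TOKEN, MODIFY))
    print("B local:      ", effective(FOLDER_B, TOKEN, MODIFY))
    print("A, share=Read:", effective(FOLDER_A, TOKEN, MODIFY, share_rights=READ))
```
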