I have a shared folder and a security group called ‘Staff’ containing all the staff members.
I want some of the users in the ‘Staff group’ to be Write and some to be Read Only but I can’t seem to separate them.
I’ve tried to create ‘Staff Write’ group and put just some of the members of the ‘Staff’ group into it, but it gets overridden by the Read permission on the ‘Staff’ group.
How can I get around this?

So have you added the group “Staff write” to the share permissions with write/full-access?
Then to test, log off and log on as a user in ‘staff write’ and try to access?
It should give write access - so long as the NTFS permissions allow.

First, all permissions of a type (NTFS/share) are cumulative and the least restrictive wins - so in this case it should be ‘write’.
Then the share and ntfs permissions are combined and the MOST restrictive wins.

So if the share allows ‘staff write’ to write - but the NTFS permissions (actual file/folder permissions) are for example read only - then read only will be the result.

Groups are not really hierarchical; you should probably make 2 distinct groups, with users in either one or the other. Things get really messy and complicated if you try to overlay one group's members into another.

Also when testing watch out for caching, the machines do not update group membership very fast…

In the end I created two new groups because, as you say, it was really complicating things trying to overlap them.
All working now.
Many thanks.

Add each group to both the share and NTFS permissions with the required access. Avoid using deny rules, because the deny will override allow.
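
The combination rules described in this thread, as an added example that is not part of any post: a simplified Python model of how allows accumulate within one layer, how a deny overrides them, and how the share and NTFS results are then intersected. The `Right` bitmask, the ACL lists and the membership sets are constructed for illustration (only the group names come from the thread), and the model ignores ACE ordering and inheritance.

```python
from enum import IntFlag

class Right(IntFlag):
    NONE = 0
    READ = 1
    WRITE = 2
    MODIFY = READ | WRITE

def layer_access(acl, groups):
    """Rights one layer (share or NTFS) gives a user holding these groups."""
    allowed = denied = 0
    for group, kind, rights in acl:
        if group in groups:
            if kind == "deny":
                denied |= rights    # any matching deny is remembered
            else:
                allowed |= rights   # allows accumulate: least restrictive wins
    return Right(int(allowed) & ~int(denied))  # deny overrides allow

def effective_access(share_acl, ntfs_acl, groups):
    """Share and NTFS results are intersected: most restrictive wins."""
    return layer_access(share_acl, groups) & layer_access(ntfs_acl, groups)

# Constructed ACLs: (group, "allow" | "deny", rights)
SHARE = [("Staff", "allow", Right.READ),
         ("Staff Write", "allow", Right.MODIFY)]
NTFS_MATCHING = list(SHARE)                        # same entries on the folder
NTFS_READ_ONLY = [("Staff", "allow", Right.READ)]  # folder never grants write
NTFS_WITH_DENY = SHARE + [("Staff", "deny", Right.WRITE)]

OVERLAPPING = {"Staff", "Staff Write"}  # user is a member of both groups
STAFF_ONLY = {"Staff"}

def scenarios():
    """Effective rights for each constructed case."""
    return {
        "both groups, both layers allow write":
            effective_access(SHARE, NTFS_MATCHING, OVERLAPPING),
        "both groups, NTFS is read only":
            effective_access(SHARE, NTFS_READ_ONLY, OVERLAPPING),
        "both groups, NTFS denies write to Staff":
            effective_access(SHARE, NTFS_WITH_DENY, OVERLAPPING),
        "Staff only":
            effective_access(SHARE, NTFS_MATCHING, STAFF_ONLY),
    }

if __name__ == "__main__":
    for name, rights in scenarios().items():
        print(f"{name}: {rights!r}")
```
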