Users cannot write to a shared folder after migration to Windows Server 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This problem typically occurs after a migration of computers from Windows NT 4.0 or Windows 2000 to Windows Server 2003. Certain default settings have changed in Windows Server 2003, and these changes might affect the expected behavior of your server.

Cause

The Everyone group has the Full Control share permission by default in Windows NT and Windows 2000. However, the Everyone group has the Read share permission by default in Windows Server 2003 and Windows XP. If the default permissions are applied to a Windows NT–based or Windows 2000–based computer before migration to Windows Server 2003, user accounts may no longer be able to write to the shared folders.

Solutions

To solve this problem, consider either creating new groups with the required permissions or adding the Full Control share permission for the Everyone group.

Solution One: Create new groups and assign share permissions

Create the groups that you need and assign the appropriate permissions on shared folders to these groups. As a best practice, assign permissions to groups rather than to users. Because it is inefficient to maintain user accounts directly, assigning permissions on a user basis should be the exception. The Everyone group is automatically assigned the Read permission, which is the most restrictive, to assist you in the administration of resources.

The following are also best practices for managing permissions and user rights:

  • Assign permissions to an object as high on the tree as possible and then apply inheritance to propagate the security settings throughout the tree.

    You can quickly and effectively apply access control settings to all children or a subtree of a parent object. By doing this, you gain the greatest breadth of effect with the least effort. The permission settings you establish should be adequate for the majority of users, groups, and computers.

  • Deny permissions should be used for certain special cases:

    • Use Deny permissions to exclude a subset of a group which has Allowed permissions.

    • Use Deny to exclude one special permission when you have already granted Full Control to a user or group.

  • If possible, avoid changing the default permission entries on file system objects, particularly on system folders and root folders. Changing default permissions can cause unexpected access problems or reduce security.

Solution Two: Change share permissions for the Everyone group

You can assign the following types of access permissions to shared folders or drives:

Read

Read is the default permission that is assigned to the Everyone group. Read allows:

  • Viewing file names and subfolder names

  • Viewing data in files

  • Running program files

Change

Change is not a default permission for any group. The Change permission allows all Read permissions, plus:

  • Adding files and subfolders

  • Changing data in files

  • Deleting subfolders and files

Full Control

Full Control is the default permission that is assigned to the Administrators group on the local computer. Full Control allows all Read and Change permissions, plus:

  • Changing permissions (NTFS files and folders only).

Perform the following procedure to assign the Full Control share permission to the Everyone group.

To assign the Full Control share permission to the Everyone group

  1. Open Windows Explorer.

  2. Right-click the folder for which you want to administer share permissions, click Properties, and then click the Sharing tab.

  3. Click Permissions.

  4. Click Everyone, and then click Full Control.
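
Before choosing either solution, it helps to know which shares currently grant Everyone only Read and which already grant it Full Control. The following script is an added example, not part of the original article. It assumes Windows PowerShell is installed on the file server and that it is run locally by an administrator. The function name, variable names, and report columns are hypothetical.

```powershell
# Added example: report what the Everyone group is granted at the share level
# on the local server, using the WMI class Win32_LogicalShareSecuritySetting.
$EveryoneSid = 'S-1-1-0'   # well-known SID of the Everyone group

function Get-ShareLevel([uint32]$Mask) {
    # Standard access masks behind the three share permissions
    switch ($Mask) {
        1179817 { 'Read' }
        1245631 { 'Change' }
        2032127 { 'Full Control' }
        default { 'Special (0x{0:X})' -f $Mask }
    }
}

foreach ($setting in Get-WmiObject -Class Win32_LogicalShareSecuritySetting) {
    $result = $setting.GetSecurityDescriptor()
    if ($result.ReturnValue -ne 0) {
        Write-Warning "Cannot read share ACL of '$($setting.Name)' (WMI code $($result.ReturnValue))"
        continue
    }

    $everyone = @()   # share permissions allowed to Everyone
    $others   = @()   # other trustees allowed more than Read
    foreach ($ace in $result.Descriptor.DACL) {
        if ($ace.AceType -ne 0) { continue }   # 0 = Allow, 1 = Deny
        $level = Get-ShareLevel $ace.AccessMask
        if ($ace.Trustee.SIDString -eq $EveryoneSid) { $everyone += $level }
        elseif ($level -ne 'Read') { $others += $ace.Trustee.Name }
    }

    $note = ''
    if ($everyone -contains 'Full Control') {
        $note = 'Everyone has Full Control; consider group-based permissions (Solution One)'
    } elseif (($everyone -contains 'Read') -and ($everyone.Count -eq 1) -and ($others.Count -eq 0)) {
        $note = 'Read-only for all users; matches the symptom described in this article'
    }

    New-Object PSObject -Property @{
        Share            = $setting.Name
        Everyone         = ($everyone -join ', ')
        OtherNonReadOnly = ($others -join ', ')
        Note             = $note
    } | Select-Object Share, Everyone, OtherNonReadOnly, Note
}
```

The script reads share permissions only; NTFS permissions on the underlying folders are not evaluated.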