Access Denied: Setting Permissions on Windows Server 2003 Shared Folders

I'm trying to set file permissions on a shared folder so that users can read and modify documents. On Windows 2000, I simply created the folder, opened its Properties window, set the file permissions on the Security tab, then shared the folder from the Sharing tab. However, when I follow these steps on Windows Server 2003, users at other computers on the network can only read the files in the shared folder—they can't modify the files, even though the folder's permissions give them Modify access. Why is that?

When you share a folder, an ACL other than the ACL that you manage from the folder's Security tab comes into play. On a folder's Sharing tab, you'll notice a Permissions button, as Web Figure 4 (http://www.winnetmag.com, InstantDoc ID 41280) shows. When a user accesses a file through a shared folder, Windows enforces both the usual ACL and the share's ACL, and the user gets only the permissions that both ACLs grant. You didn't have a problem in Win2K because the default permissions granted Everyone Full Control.

But Windows 2003's default share-level permissions are different: A new share's default permission grants Everyone only Read access. When your users try to access files in the shared folder, the folder's usual ACL grants them Modify and Read access, but the share's ACL grants them only Read access. Thus, the users end up with just Read access, which is the only permission that both ACLs grant. To solve the problem, simply edit the share's ACL either to match the folder's usual ACL or to grant Everyone Full Control; the results will be the same.