Complete Guide to Managing Folder Permissions, Shared Access, and User Rights on Windows Server 2019 Standard

Managing file and folder permissions is one of the most important administrative tasks in Windows Server 2019 Standard. In multi-user office environments, administrators often need to provide different levels of access to shared drives such as D:\DATA, D:\MAGCLOUD, or software folders while ensuring security and proper access control.

This detailed technical guide explains how to:

• Check existing permissions
• Grant Full Control access
• Assign folder-level permissions
• Use Local Users and Groups
• Manage permissions using GUI, CMD, and PowerShell
• Apply inheritance properly
• Use groups for easier administration
• Troubleshoot access issues

---

Understanding Windows File Permissions

Windows Server uses the NTFS permission system to control:

• Which users can access files/folders
• What actions users can perform
• Whether permissions inherit to subfolders/files

Common permissions include:

Permission	Description
Full Control	Complete access including delete/change permissions
Modify	Read, write, modify, delete
Read & Execute	Open and run files
Read	View files/folders
Write	Create or edit files

---

Scenario Example

Suppose your server contains:

D:\
 ├── DATA
 ├── MAGCLOUD
 ├── mysql
 ├── mysql123
 └── SAG Infotech

And users/groups like:

• mag1
• mag2
• trainee1
• trainee2
• mag (group)
• trainee (group)

You may want:

• mag group → access to MAGCLOUD
• trainee group → access to SAG Infotech
• Only Administrators → access to MySQL folders

---

Method 1 — Check Permissions Using Windows GUI

Step 1: Open Folder Properties

1. Right-click folder
2. Select Properties
3. Open Security tab

You will see:

• Users/groups
• Assigned permissions
• Inherited permissions

---

Method 2 — Grant Full Access Using GUI

Example:

Give Full Control to user mag1

Steps:

1. Right-click folder
2. Properties → Security
3. Click Edit
4. Click Add
5. Enter:

mag1

6. Click Check Names
7. Click OK
8. Select:

✅ Full Control

9. Apply → OK

---

Best Practice — Use Groups Instead of Users

Instead of assigning permissions individually:

• Create groups
• Add users into groups
• Assign permissions to groups

Example:

• Group: mag
• Members: mag1, mag2, mag3

Assign permissions once to mag.

Benefits:

• Easier management
• Faster administration
• Better security
• Simplified troubleshooting

---

Managing Local Users and Groups

Open Local Users and Groups

Run:

lusrmgr.msc

You can:

• Create users
• Create groups
• Add/remove members
• Manage access structure

---

Method 3 — Using CMD (icacls)

Windows provides icacls for advanced permission management.

---

Check Existing Permissions

icacls "D:\DATA"

Example output:

D:\DATA BUILTIN\Administrators:(F)
         mag:(M)
         trainee:(RX)

---

Grant Full Control

Give Full Access to User

icacls "D:\DATA" /grant mag1:(OI)(CI)F

Give Full Access to Group

icacls "D:\MAGCLOUD" /grant mag:(OI)(CI)F

---

Permission Flags Explained

---

Inheritance Flags

These ensure:

• Files inherit permissions
• Subfolders inherit permissions

---

Apply Permissions Recursively

icacls "D:\DATA" /grant mag:(OI)(CI)F /T

/T applies permissions to:

• All subfolders
• All files

---

Remove Permissions

icacls "D:\DATA" /remove mag1

---

Reset Permissions

icacls "D:\DATA" /reset /T

Use carefully.

---

Method 4 — Using PowerShell

PowerShell provides more administrative flexibility.

---

View Folder Permissions

Get-Acl "D:\DATA"

Readable format:

(Get-Acl "D:\DATA").Access

---

Grant Full Access Using PowerShell

icacls "D:\DATA" /grant mag:(OI)(CI)F

---

Check User Membership

Get-LocalGroupMember "mag"

---

Add User to Group

Add-LocalGroupMember -Group "mag" -Member "mag1"

---

Remove User from Group

Remove-LocalGroupMember -Group "mag" -Member "mag1"

---

Share Permissions vs NTFS Permissions

Windows Server uses:

1. Share Permissions
2. NTFS Permissions

Final access is the most restrictive combination.

Example:

• Share = Full
• NTFS = Read

Result:

• User gets Read only

---

Configure Shared Folder Access

Share a Folder

1. Right-click folder
2. Properties
3. Sharing tab
4. Advanced Sharing
5. Share this folder
6. Permissions

---

Recommended Enterprise Structure

---

Security Best Practices

Avoid:

Everyone = Full Control

Unless absolutely necessary.

---

Recommended:

• Use groups
• Grant minimum required permissions
• Use inheritance carefully
• Audit permissions regularly
• Separate software and user data

---

Troubleshooting Permission Issues

Access Denied

Possible causes:

• User not in correct group
• Inheritance disabled
• NTFS conflict
• Share permissions conflict

---

Check Effective Permissions

1. Folder Properties
2. Security
3. Advanced
4. Effective Access

---

Restart Explorer After Changes

taskkill /f /im explorer.exe && start explorer.exe

---

Conclusion

Proper folder permission management in Windows Server 2019 is essential for maintaining security, stability, and controlled access in multi-user environments. By using groups, inheritance, PowerShell, and icacls, administrators can efficiently manage large numbers of users and folders while maintaining centralized control.

Using best practices such as group-based permissions and avoiding unrestricted Full Control access helps ensure better server security and easier long-term maintenance.

---

Windows Server 2019 NTFS permissions folder permissions Windows file security icacls command PowerShell permissions shared folder access Windows Server security user access control local users and groups folder sharing Full Control permission