🟑 Medium   ⏱ 5–30 min  Last verified: 01 April 2027
Affected versions: Windows Server 2016

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Users mount a Windows Server 2016 SMB share and find it read-only even though NTFS grants Modify, because share-level permissions cap them to Read.

Environment & Reproduction

Reproducible whenever ‘Everyone Read’ is the share-level setting while NTFS allows Modify.

Get-SmbShareAccess -Name 'Data'
Get-SmbShare -Name 'Data'

Root Cause Analysis

Effective permission is the most restrictive of share and NTFS.

Quick Triage

Inspect both layers.

Get-SmbShareAccess -Name 'Data'
icacls '\fs01Data'
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Operational' -MaxEvents 20

Step-by-Step Diagnosis

Identify which group is restricted.

Get-LocalGroupMember 'Users'
Get-ADGroupMember 'Dept-Users'
Illustrative mockup for windows-server-2016 β€” terminal_or_powershell
Get-SmbShareAccess output β€” Illustrative mockup β€” Progressive Robot

Solution – Primary Fix

Adjust share permissions to Change/Full while keeping NTFS tight.

Still having issues? Our IT Consulting team can diagnose and resolve this for you. Get in touch for a free consultation.

Grant-SmbShareAccess -Name 'Data' -AccountName 'CORPDept-Users' -AccessRight Change -Force
Revoke-SmbShareAccess -Name 'Data' -AccountName 'Everyone' -Force
Close-SmbOpenFile -Force
Illustrative mockup for windows-server-2016 β€” error_dialog
Read-only error dialog β€” Illustrative mockup β€” Progressive Robot

Solution – Alternative Approaches

Recreate the share with NTFS-only model.

Remove-SmbShare -Name 'Data' -Force
New-SmbShare -Name 'Data' -Path 'D:Data' -FullAccess 'CORPDept-Users'

Verification & Acceptance Criteria

Users can write to the share and Get-SmbShareAccess shows Change/Full.

Get-SmbShareAccess -Name 'Data'
New-Item '\fs01Datatest.txt' -ItemType File

Rollback Plan

Restore prior share permissions if data exposure risk arises.

Revoke-SmbShareAccess -Name 'Data' -AccountName 'CORPDept-Users' -Force
Grant-SmbShareAccess -Name 'Data' -AccountName 'Everyone' -AccessRight Read -Force

Prevention & Hardening

Document share design, prefer NTFS-only ACLs, and audit Get-SmbShareAccess across the fleet.

Get-SmbShare | ForEach-Object { Get-SmbShareAccess -Name $_.Name } | Export-Csv C:Tempsmb-shares.csv -NoTypeInformation

Linked with NTFS inheritance issues and DFS namespace ACL behavior.

Related tutorial: View the step-by-step tutorial for Windows Server 2016.

View all Windows Server 2016 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Microsoft Learn: SMB share permissions and effective access.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.