I have a folder to which several departments contribute files. I'd like to set up the permissions so that when a user creates a file in the folder, the other members of his or her department will be able to modify the file and everyone else will have read access. I already have a group set up for each department with the appropriate members. How do I set up the permissions?
You can use the Creator Group well-known security principal and the ability to specify a primary group for each user to accomplish your goal. First, for each user, you need to make sure that the departmental group is configured as the primary group. To do this, open a user account in Active Directory Users and Computers, select the Member Of tab, select the user's departmental group, and click Primary.
Next, edit the permissions for the folder. Give the departmental groups File Create and Read permissions. Finally, add an entry to the folder permissions that grants the Creator Group Modify permission. Now when a user creates a file in the folder and Windows propagates permissions from the folder to the new file, Windows will replace Creator Group with the primary group of that user, giving the departmental group Modify permission.