Members of the Marketing security group can open the files in the company's Windows Server 2022 file share (\\FS1\Projects) but receive an "Access denied" error when they try to save changes.
The administrator verifies:
Share permission for the Marketing group: Change
NTFS permission for the Marketing group on the folder root: Read & Execute (inherited)
Other groups that have Modify NTFS permission on the same folder can read and update the files without issue.
Which change will correct the problem for Marketing while still following the principle of least privilege?
Grant the Marketing group Full Control share permission on the Projects share.
Replace the existing NTFS permission with a Deny Delete permission for the Marketing group.
Grant the Marketing group Modify NTFS permission on the Projects folder.
Add the Marketing group to the local Administrators group on FS1.
When a user accesses a folder across the network, Windows evaluates both the share permission and the NTFS permission and applies the most restrictive combination. The Marketing group already has the Change share permission (which would allow file creation, modification, and deletion), but its NTFS entry is only Read & Execute. Because Read & Execute is more restrictive than Change, the effective permission for Marketing is Read & Execute, so users can read but not write.
Raising the Marketing group's NTFS entry from Read & Execute to Modify supplies the write and delete rights needed to save changes while still preventing the group from taking ownership or changing permissions (rights that come with Full Control). No other broader or unrelated privileges are required.
Granting Full Control at the share level does not help because the restrictive NTFS permission would still limit Marketing to read-only access.
Adding the group to local Administrators would over-privilege it, and setting a Deny permission would further restrict its access, so neither option meets the requirement or the least-privilege principle.
Therefore, granting the Marketing group Modify NTFS permission on the folder is the correct and least-privileged fix.
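The check and the fix described above, as an added PowerShell example that is not part of the original question. It assumes an elevated session on FS1 and uses CONTOSO\Marketing as a placeholder for the group's real domain\name.

```powershell
# Added example. Run on FS1 in an elevated session.
# 'CONTOSO\Marketing' is an assumed placeholder; the share name comes from the scenario.
$share = 'Projects'
$group = 'CONTOSO\Marketing'

# Layer 1: share permission. The scenario expects AccessRight = Change.
Get-SmbShareAccess -Name $share |
    Where-Object { $_.AccountName -eq $group } |
    Format-Table AccountName, AccessControlType, AccessRight

# Layer 2: NTFS ACL on the folder behind the share.
# The scenario expects an inherited ReadAndExecute entry here.
$path = (Get-SmbShare -Name $share).Path
$acl  = Get-Acl -Path $path
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited

# Fix: add an explicit Allow Modify entry that applies to the folder,
# its subfolders and its files. Modify does not include the rights to
# change permissions or take ownership, which only Full Control adds.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: the group should now show Modify on the NTFS side while the
# share side stays at Change, so neither layer grants more than needed.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```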