Effective access doesn't reflect the actual NTFS permissions

I came across a weird issue when practicing permissions in Windows Server 2016. I gave read permission only to a shared directory for a group called "Human", but the effective access tab shows that the user "luke.skywalker", who's a member of the Human group, has the following access.

Here are the actual permissions

Here's the effective access

This of course led to the ability of Human group members to create and delete directories and files inside the directory. Can anyone suggest a solution or workaround for this situation?


Solution 1:

In your screenshot of the actual permissions, the "Authenticated Users" group has modify privileges.

This will give every user that is authenticated (i.e. domain users) modify privileges to that folder.

If you want the Human group to have only read access then you must remove the Authenticated Users group.

You can read more about the Authenticated Users special identity here: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/special-identities#authenticated-users

Side note: Before removing Authenticated Users, make sure that everyone that needs access is in a group with the proper permissions on that folder.
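As an added example (not part of the question or the answer above), this PowerShell script audits a folder's DACL for broad identities such as Authenticated Users that carry write rights, then removes the Authenticated Users entry as the answer suggests; the share path `D:\Shares\HumanDocs` is an assumption.

```powershell
# Added example, not from the original thread. Assumed folder path; replace with your share.
$Path = 'D:\Shares\HumanDocs'

# Identities that effectively mean "every domain user"; an Allow ACE with write
# bits for any of these overrides the intent of a read-only group entry.
$BroadIdentities = @('NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Users')

# Only the bits that let a principal create, change or delete content.
$WriteBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

$acl = Get-Acl -Path $Path

# Step 1: report every broad-identity Allow ACE that grants write bits.
Write-Host "Broad identities with write rights on $Path:"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadIdentities -contains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band [int]$WriteBits) -ne 0
    } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# Step 2: remove the Authenticated Users entry. An inherited ACE cannot be
# purged directly, so break inheritance first (copying the existing ACEs as
# explicit entries), write that back, then re-read and purge.
$AuthUsersName = 'NT AUTHORITY\Authenticated Users'
$AuthUsers = [System.Security.Principal.NTAccount]$AuthUsersName

$inherited = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $AuthUsersName -and $_.IsInherited }
if ($inherited) {
    $acl.SetAccessRuleProtection($true, $true)   # protect DACL, preserve inherited ACEs as explicit
    Set-Acl -Path $Path -AclObject $acl
    $acl = Get-Acl -Path $Path
}
$acl.PurgeAccessRules($AuthUsers)                # drops every explicit ACE for that identity
Set-Acl -Path $Path -AclObject $acl

# Step 3: verify; the Human group should now be left with only Read/ReadAndExecute.
Write-Host "Resulting DACL on $Path:"
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Run the audit step on its own first and confirm every group that needs access appears with its own ACE before letting the removal step execute, since breaking inheritance also affects subfolders that inherit from this one.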