Does Windows 2012 grant NTFS special create permissions to the Users group by default? If so, what is the impact of removing them?

I apologize in advance, but I am new to Windows 2012 and haven't found the answers online. After migrating shares to Windows Server 2012 we are discovering that all domain users have read/write access. This appears to be because:

  1. We grant share Full Control to everyone, intending that the NTFS security permissions will control folder/file access.
  2. At the root of each drive on the servers the local Users group is granted NTFS read-only + special permissions of Create files / write data and Create folders / append data, and this is inherited by all subfolders.
  3. The local users group contains the domain users group.
  4. When we copied over the share data the default permissions weren't evaluated, but were assumed not to be this generous.

I have looked for a listing of the default permissions in a new NTFS file system, but haven't found them documented. I have also looked for, and failed to find, a best practice guide covering share setup that also points out that these permissions exist.

I could fix it by breaking inheritance and then not allowing the local users permission to be inherited, but I would prefer to change it at the root level of the drive, or by possibly changing the deployment image to not grant them.  But I also don't want to break anything by doing this.

So my questions are:

  1. Is this the default Windows 2012 NTFS permission for the local Users group?
  2. If so, would somebody explain why?
  3. If not, what are the default 2012 permissions for the local users group?
  4. Assuming that this is the default, where can I find the best practice process to address this?

Thanks in advance for your help,

Paul

September 14th, 2015 5:08pm
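Before deciding whether to remove anything, it helps to see exactly which ACEs for BUILTIN\Users grant the two "create" rights at each drive root and how far they are set to inherit. The following audit script is an added example, not part of the original post; it assumes it is run in an elevated PowerShell session on the file server and only reports, it changes nothing.

```powershell
# Audit every fixed drive root for BUILTIN\Users ACEs that allow
# "Create files / write data" (CreateFiles) or
# "Create folders / append data" (CreateDirectories), and show the
# inheritance flags so you can see what subfolders will pick up.
# Added example (hypothetical); run as an administrator, read-only.

$createRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                [System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Get-UsersCreateAces {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries for the local Users group are of interest here.
        if ($ace.IdentityReference.Value -ne 'BUILTIN\Users') { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Note: ACEs expressed with generic rights show up as large integers
        # and are not expanded by this bit test.
        if (($ace.FileSystemRights -band $createRights) -eq 0) { continue }

        [pscustomobject]@{
            Path             = $Path
            Rights           = $ace.FileSystemRights
            InheritanceFlags = $ace.InheritanceFlags   # ContainerInherit = subfolders, ObjectInherit = files
            PropagationFlags = $ace.PropagationFlags   # InheritOnly means "this folder" itself is not affected
            IsInherited      = $ace.IsInherited        # False at a drive root = set explicitly there
        }
    }
}

# Fixed local disks only (DriveType 3); skip removable and mapped drives.
$roots = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
         ForEach-Object { $_.DeviceID + '\' }

$findings = foreach ($root in $roots) { Get-UsersCreateAces -Path $root }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No BUILTIN\Users create-file/create-folder ACEs found at any drive root.'
}
```

Pointing `Get-UsersCreateAces` at a share's folder instead of the root shows whether the same ACE arrived there by inheritance (`IsInherited` = True), which is the case the post describes.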