

Share vs NTFS Permissions

Friday, October 28, 2011

The concept of SHARE vs NTFS permissions has confused many IT professionals over the years. SHARE permissions are the permissions you set for a folder when you share that folder. SHARE permissions are not applied to files. The SHARE permissions determine the type of access users have to the shared folder when the resource is being accessed over the network. SHARE permissions are not evaluated when users are logged into the resource locally. There are three types of share permissions: Full Control, Change, and Read.

NTFS permissions determine the actions users can take on a file or folder when it is accessed locally. When both SHARE and NTFS permissions are in place, the most restrictive permission is applied to the user accessing the resource.

If you are logged on to a computer locally, the SHARE permissions applied to a folder have NO impact on you. In a scenario where the user is logged on locally, only the NTFS permissions are evaluated. If you are accessing a resource (file, folder, etc.) over the network, then the SHARE and NTFS permissions are both evaluated. The most RESTRICTIVE permission is the effective permission.

As a general rule, it is an acceptable practice to set the SHARE permissions to "Authenticated Users/Full Control" and manage the permissions via the NTFS Security tab. Whatever permissions you set in the Access Control List (ACL) will take effect since the NTFS permission will be equal to or more restrictive than the permissions defined in the SHARE tab.

Here is a simple example to help you better understand how SHARE and NTFS permissions impact the user accessing the resource. In this example, John Smith is a member of the Authenticated Users group. SHARE permissions are applied to the Authenticated Users group, and NTFS permissions are applied to John Smith directly.



[Figure: NTFS and share security permissions]


Of course, in real environments, permissions can become more complex. You will most likely find that different permissions are applied to more than one group. Users can be, and generally are, members of multiple groups. In such scenarios, permissions are first COMBINED at each level (SHARE and NTFS) across all of the groups the user belongs to. Then the most RESTRICTIVE of the two combined results is applied. In this example, John Smith is a member of both the Sales group and the Managers group.



[Figure: NTFS and share security permissions]
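
The two-step evaluation described above (combine per level, then take the most restrictive), written out as an added example that is not part of the original article. It uses simplified rights flags rather than real Windows access masks, the ACLs and group memberships are constructed for illustration, and explicit Deny entries are not modelled.

```python
from enum import Flag, auto

class Right(Flag):
    """Simplified rights for illustration; these are not Windows access masks."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    DELETE = auto()
    CHANGE_PERMISSIONS = auto()

READ = Right.READ
CHANGE = Right.READ | Right.WRITE | Right.DELETE   # share "Change" / NTFS "Modify"
FULL = CHANGE | Right.CHANGE_PERMISSIONS           # "Full Control"
NAMES = {0: "No access", READ.value: "Read", CHANGE.value: "Change/Modify", FULL.value: "Full Control"}

def combined(acl, principals):
    """Step 1: union the grants of every principal (user or group) the user holds."""
    rights = Right.NONE
    for principal, granted in acl.items():
        if principal in principals:
            rights |= granted
    return rights

def effective(share_acl, ntfs_acl, principals, over_network):
    """Step 2: over the network, keep only the rights allowed at BOTH levels."""
    ntfs = combined(ntfs_acl, principals)
    if not over_network:
        return ntfs  # local logon: SHARE permissions are not evaluated
    return ntfs & combined(share_acl, principals)

def describe(rights):
    return NAMES.get(rights.value, str(rights))

# Constructed sample data (hypothetical ACLs, not taken from the article's figures).
JOHN = {"John Smith", "Authenticated Users", "Sales", "Managers"}
REPORTS_SHARE = {"Sales": READ, "Managers": CHANGE}
REPORTS_NTFS = {"Sales": READ, "Managers": FULL}
PUBLIC_SHARE = {"Authenticated Users": FULL}   # the "manage via NTFS" practice
PUBLIC_NTFS = {"John Smith": READ}

if __name__ == "__main__":
    folders = [("Reports", REPORTS_SHARE, REPORTS_NTFS), ("Public", PUBLIC_SHARE, PUBLIC_NTFS)]
    for name, share, ntfs in folders:
        for over_network in (True, False):
            where = "network" if over_network else "local"
            print(name, where, describe(effective(share, ntfs, JOHN, over_network)))
```

On the constructed Reports folder, the share caps John at Change over the network, but a local logon on the file server yields Full Control because only NTFS is evaluated.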


If you have grasped this basic concept, you'll find that it will be easy to determine a user's effective permission applied to a resource. Hopefully this summary has clarified it for you.
