How to Use NTFS and Share Permissions in Windows File Sharing

I promise this post is not long and exhaustive.  I’ll quickly show you what you need to know about Share and NTFS Permissions along with a step-by-step example of the most common use case.

How Permissions Work in Windows File Sharing:
A user's effective permission is the combination of the Share permissions (Sharing Tab) and the NTFS permissions (Security Tab). The two permission types are combined, and the user receives the more restrictive of the two.
How Permissions are Applied:
Share and NTFS Permissions are applied to users directly or via groups the user may be a member of.

A bit more background: Share permissions only apply to connections made through the network share \\servername\share. NTFS Permissions are applied directly to the files and folders themselves. Therefore NTFS Permissions take effect regardless of how the files are accessed, locally or through a network share.
Note: NTFS Permissions are commonly referred to as “File Permissions”

General Practice regarding Share Permissions:
Share permissions (Share tab) are left ‘wide open’, giving either Domain Users or Everyone Full Control; this is the default setting in Windows.

Access is then restricted with the NTFS permissions (Security Tab): add the individual users or groups that should have access, generally granting either ‘Read’ or ‘Modify’.

To add someone to the NTFS permissions list: click the Security tab, click Add and input their username.  By default they will be granted the ‘Read’ permission.

In this example the user should be given ‘Modify’ rights so they can write to files.
To grant the ‘Modify’ NTFS permission, click the Modify checkbox to change the permissions from ‘Read Only’ to ‘Modify’:

Remove any default or inherited NTFS permissions so that the desired permissions take effect:
Remove the default Everyone, Users and Domain Users groups from the NTFS permissions list (Security tab) by selecting each group and clicking the Remove button. If the inherited permissions remain in effect, it defeats the whole purpose of restricting the permissions.
Note: In many cases the Users group is inherited from the root of the drive and its permission checkboxes are greyed out. Inheritance must be disabled in order to remove the inherited permissions.

To remove the inherited Users group from the permissions, you need to turn off permissions inheritance on the folder.
How to turn off NTFS permission inheritance:
Click Advanced > uncheck “Allow inheritable permissions from parent to propagate to this object and all child objects”


I recommend clicking “Copy” when prompted in order to copy any inherited permissions as there will be less chance of inadvertently breaking things.
Select the Users or Groups you want to remove from the NTFS permissions and click the Remove button.

Click OK.

You have now successfully limited the access to the folder.
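
The same procedure can be scripted. The following PowerShell is an added example, not part of the original post: it disables inheritance with the "Copy" option, removes the broad groups, and grants one user Modify. The folder path, the CONTOSO domain, the jsmith account and the Finance share name are hypothetical placeholders.

```powershell
# Hypothetical values for illustration; replace with your own.
$Path      = 'D:\Shares\Finance'      # folder behind the share
$ShareName = 'Finance'                # name of the network share
$Identity  = 'CONTOSO\jsmith'         # user who needs Modify
$Remove    = 'Everyone', 'BUILTIN\Users', 'CONTOSO\Domain Users'

# Step 1: turn off inheritance and choose "Copy".
# First $true  = protect the folder from inherited permissions.
# Second $true = keep the inherited entries as explicit copies, so
#                Administrators and SYSTEM are not locked out.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Path -AclObject $acl

# Step 2: re-read the ACL (the copied entries are now explicit)
# and remove every entry that belongs to one of the broad groups.
$acl = Get-Acl -Path $Path
foreach ($rule in @($acl.Access)) {
    if ($Remove -contains $rule.IdentityReference.Value) {
        [void]$acl.RemoveAccessRuleSpecific($rule)
    }
}

# Step 3: grant Modify on this folder, its subfolders and its files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$grant = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Identity, 'Modify', $inherit, $propagate, 'Allow')
$acl.AddAccessRule($grant)
Set-Acl -Path $Path -AclObject $acl

# Step 4: review both layers. The user receives the more
# restrictive of the share permission and the NTFS permission.
Get-SmbShareAccess -Name $ShareName
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited

# Fail loudly if one of the broad groups is still on the folder.
$left = (Get-Acl -Path $Path).Access |
    Where-Object { $Remove -contains $_.IdentityReference.Value }
if ($left) { throw "Broad group still present on $Path" }
```

Run it from an elevated PowerShell session on the file server, and check the Step 4 output before telling users the folder is restricted.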
