When we use both share and NTFS permissions, which one is applied?

Article Summary: This article discusses NTFS permissions and share permissions in Windows and how they work together to regulate access to files and folders.
Windows provides two sets of permissions to restrict access to files and folders: NTFS permissions and share permissions.
The most important thing to remember about NTFS permissions and share permissions is the manner in which they combine to regulate access.
What is the difference between NTFS permissions and share permissions? How do they work together?

Difference between NTFS Permissions and Share Permissions

Share permissions are applied when a shared folder is accessed over a network. When you log on to a Windows machine locally and access an object on that machine, NTFS permissions apply and share permissions do not, even if the file or folder is shared with other users on your network. In other words, NTFS permissions are applied to users who are logged on locally, while share permissions are not. It does not matter how restrictive the share permissions on your network are: if you have access to the object and you are logged on to the workstation or server that “owns” the file or folder, you will be granted access.

Combining NTFS Permissions and Share Permissions

When using share permissions and folder permissions, keep in mind that you can apply different NTFS permissions to each folder within a shared folder. Working this way gives you a permission strategy for each kind of data, located in an appropriate folder structure. A frequently asked question when managing Windows Server environments is:
The answer is rather simple and helps you to determine the most effective form of permission for a shared folder.
To give you a better idea, take a look at the example below. You give “Full Control” NTFS permissions to the “FileShare-Operatoren” group for a folder called MyFolder.

[Figure: Full Control Permissions granted for MyFolder]

If you share MyFolder within the Windows network to the “FileShare-Operatoren” group using “Read” permissions and a user who belongs to this group tries to access the folder from the network, that user will only have “Read” access and not “Full Control”. However, if that user then goes to the workstation or server where MyFolder is located, he will be granted “Full Control” permissions.

[Figure: Read Only Share Permissions granted for MyFolder]

3 Examples of Combining Share Permissions with Folder Permissions

In the next two examples, we have shared folders on NTFS volumes. These shared folders contain subfolders that have also been assigned NTFS permissions.

[Figure: Combined Share and NTFS Permissions]

First example:
The effective permissions for any member of the Accounting group for the subfolder called Orga are “Read”.

Second example:
The effective permissions for John and Maly for their own home folders are “Full Control”. But John has no access to Maly’s home folder and Maly has no access to John’s home folder.

Third example:
In this last example, the group Sales has these permissions, as seen in the image below:

The effective permissions are:

[Figure: Effective NTFS Permissions]

Best Practices For Working With Permissions

What happens when share and NTFS permissions are combined?
If you use share permissions and NTFS permissions together, the most restrictive permission will take precedence over the other. For example, if NTFS permissions are set to “Full Control” but share permissions are set to “Read”, the user will only be able to read the file or look at the items in the folder.
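
One way to read both layers on the file server itself, as an added example that is not part of the original article: the PowerShell below looks up the share permission and the NTFS permission for one account and reports the more restrictive of the two as the effective access over the network. MyFolder and FileShare-Operatoren are the names from the example earlier on the page and the CONTOSO prefix is a placeholder; the script only matches entries that name the account directly, so it does not expand group membership or evaluate Deny entries.

```powershell
# Added example: compares both permission layers for one account on one share.
# MyFolder / FileShare-Operatoren come from the page; CONTOSO is a placeholder.
param(
    [string]$ShareName = 'MyFolder',
    [string]$Account   = 'CONTOSO\FileShare-Operatoren'
)

$names  = 'None', 'Read', 'Change/Modify', 'Full Control'   # index = level 0..3
$full   = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
$read   = [int][System.Security.AccessControl.FileSystemRights]::Read

# Layer 1: share permissions, which are checked only for access over the network.
$shareLevel = 0
foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
    if ($ace.AccountName -ne $Account) { continue }
    if ("$($ace.AccessControlType)" -eq 'Deny') { Write-Warning 'Share-level Deny entry skipped.'; continue }
    $level = switch ("$($ace.AccessRight)") { 'Full' { 3 } 'Change' { 2 } 'Read' { 1 } default { 0 } }
    if ($level -gt $shareLevel) { $shareLevel = $level }
}

# Layer 2: NTFS permissions on the shared folder, checked for every access.
$path = (Get-SmbShare -Name $ShareName).Path
$ntfsLevel = 0
foreach ($ace in (Get-Acl -Path $path).Access) {
    if ($ace.IdentityReference.Value -ne $Account) { continue }
    if ("$($ace.PropagationFlags)" -match 'InheritOnly') { continue }   # applies to children only
    if ("$($ace.AccessControlType)" -eq 'Deny') { Write-Warning 'NTFS Deny entry skipped.'; continue }
    $rights = [int]$ace.FileSystemRights
    $level = if     (($rights -band $full)   -eq $full)   { 3 }
             elseif (($rights -band $modify) -eq $modify) { 2 }
             elseif (($rights -band $read)   -eq $read)   { 1 }
             else                                         { 0 }
    if ($level -gt $ntfsLevel) { $ntfsLevel = $level }
}

# Over the network the more restrictive layer wins; locally only NTFS applies.
[pscustomobject]@{
    Share                = $ShareName
    Path                 = $path
    Account              = $Account
    SharePermission      = $names[$shareLevel]
    NtfsPermission       = $names[$ntfsLevel]
    EffectiveOverNetwork = $names[[Math]::Min($shareLevel, $ntfsLevel)]
    EffectiveLocally     = $names[$ntfsLevel]
}
```

For the MyFolder example (share “Read”, NTFS “Full Control”) this reports “Read” over the network and “Full Control” locally.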

Can you mix NTFS permissions and share permissions on the same system?
You can apply different NTFS permissions to each file and subfolder that a shared folder contains. In addition to shared folder permissions, users must have NTFS permissions for the files and subfolders that shared folders contain to gain access to those files and subfolders.

How do share permissions relate to NTFS permissions?
For maintenance and security reasons, you should not apply permissions to individual users. While share permissions only allow the three options (Full access, Modify and Read), NTFS permissions allow you to set access at a more granular level, both for individuals and groups.

When NTFS and share permissions exist on a folder, do the most restrictive permissions apply?
If the user is accessing a shared folder over the network and has both shared folder and NTFS permissions applied to it, the [most or least] restrictive permission is the effective permission. If the user is accessing a shared folder on the computer where it exists, shared folder permissions [do or do not] apply.