What are the 3 share permissions?

The concept of SHARE vs NTFS permissions has confused many IT professionals over the years. SHARE permissions are the permissions you set for a folder when you share that folder. SHARE permissions are not applied to files.

The SHARE permissions determine the type of access users have to the shared folder when the resource is being accessed over the network. SHARE permissions are not evaluated when users are logged into the resource locally. There are three types of share permissions: Full Control, Change, and Read.

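NTFS permissions determine the actions users can take on a file or folder. They are the only permissions evaluated when the resource is accessed locally. When the resource is accessed over the network, both share and NTFS permissions are in place, and the most restrictive permission is applied to the user accessing the resource.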

If you are logged on to a computer locally, the SHARE permissions applied to a folder have NO impact on you. In a scenario where the user is logged on locally, only the NTFS permissions are evaluated. If you are accessing a resource [file, folder, etc.] over the network, then you combine the SHARE and NTFS permissions. The most RESTRICTIVE permission is the effective permission.

As a general rule, it is an acceptable practice to set the SHARE permissions to Authenticated Users/Full Control and manage the permissions via the NTFS Security tab. Whatever permissions you set in the Access Control List [ACL] will take effect since the NTFS permission will be equal to or more restrictive than the permissions defined in the SHARE tab.

Here is a simple example to help you better understand how SHARE and NTFS permissions impact the user accessing the resource. In this example, John Smith is a member of the Authenticated Users group. Permissions are applied to the Authenticated Users group at the SHARE level and NTFS permissions are applied to John Smith directly.

Of course, in real environments, permissions can become more complex. You will most likely find that different permissions are applied to more than one group, and users are generally members of multiple groups.

In scenarios such as those, permissions are first COMBINED at each level [SHARE and NTFS] across all the groups the user belongs to. Second, the most RESTRICTIVE of the two combined results is applied. In this example, John Smith is a member of both the Sales group and the Managers group.
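The two-step rule above can be written as a short model; this is an added example, not part of the original page. The grants given to Sales and Managers are constructed sample data, the reduction of the NTFS standard levels to five rights is an assumption of the model, and Deny entries are not modeled.

```python
# Added example: simplified model of the SHARE/NTFS evaluation rule.
# Rights granted by each share permission, as listed on this page.
SHARE = {
    "Read": {"read"},
    "Change": {"read", "execute", "write", "delete"},
    "Full Control": {"read", "execute", "write", "delete", "change_permissions"},
}
# Assumption: NTFS standard levels reduced to the same five rights.
NTFS = {
    "Read": {"read"},
    "Read & Execute": {"read", "execute"},
    "Modify": {"read", "execute", "write", "delete"},
    "Full Control": {"read", "execute", "write", "delete", "change_permissions"},
}

def combined(levels, grants, user_groups):
    """Step 1: union of the rights granted to every group the user is in."""
    rights = set()
    for group, level in grants.items():
        if group in user_groups:
            rights |= levels[level]
    return rights

def effective(user_groups, share_grants, ntfs_grants, over_network):
    """Step 2: over the network, keep only rights allowed at BOTH levels."""
    ntfs_rights = combined(NTFS, ntfs_grants, user_groups)
    if not over_network:
        return ntfs_rights  # local logon: share permissions are not evaluated
    return ntfs_rights & combined(SHARE, share_grants, user_groups)

# Constructed scenario: John Smith is in Sales, Managers, Authenticated Users.
JOHN = {"Sales", "Managers", "Authenticated Users"}
SHARE_GRANTS = {"Sales": "Read", "Managers": "Change"}
NTFS_GRANTS = {"Sales": "Read & Execute", "Managers": "Full Control"}

if __name__ == "__main__":
    for label, net in (("network", True), ("local", False)):
        print(label, sorted(effective(JOHN, SHARE_GRANTS, NTFS_GRANTS, net)))
    # The practice from the page: open the share, manage access in NTFS.
    open_share = {"Authenticated Users": "Full Control"}
    print("open share", sorted(effective(JOHN, open_share, {"Sales": "Read"}, True)))
```

With the constructed grants, the share level caps John at Change over the network even though NTFS gives him Full Control, while a local logon on the same folder yields the full NTFS rights.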

If you have grasped this basic concept, you’ll find that it will be easy to determine a user’s effective permission applied to a resource. Hopefully, this summary has clarified it for you.

Shared folders are used to give other users on your Windows network access to the contents of those folders. You can only share folders, not individual files.

Share permissions are only applied when a shared folder is accessed over the network. It is a common misconception to think the process works in a different way. When you log into a Windows machine locally [even if a file or folder is shared to other users within the network], every time you access an object, NTFS permissions apply and not share permissions. It does not matter how restrictive the share permissions are: if you have access to the object and you are logged into the workstation or server that “owns” the file or folder, you will be granted access.

There are three types of share permissions:

  • Full Control: Allows the user to read/execute/write/delete the contents of the folder and manage the folder permissions.
  • Change: Allows the user to read/execute/write/delete the contents of the folder, but does not allow the user to modify its permissions.
  • Read: Allows the user to read the contents of the folder and its files.
