In this Daily Feature, we cover the tricky subject of what happens when you combine NTFS and file-sharing permissions in Windows XP. After reading this article, you’ll be able to set up and troubleshoot permissions on your network and client more quickly.
Read the whole seriesThe first two parts of our series on using permissions in Windows XP covered how to set up and troubleshoot file-sharing permissions and NTFS permissions. Before reading on, you might want to review these Daily Drill Downs: ”Establish the correct file-sharing permissions in Windows XP” and ”Effectively set and troubleshoot NTFS permissions in Windows XP.”
Rules for combining permissionsUnderstanding how permissions interact isn’t difficult if you stick with these rules:
- When working within a certain permission type [sharing or NTFS], permissions are cumulative. The most lenient setting wins for a particular user or group. Deny always overrides Allow and negates any permission with which it conflicts.
- When there’s a difference between the sharing permission and the NTFS permission, the most restrictive setting wins.
- Permissions are not cumulative across groups; each group’s permission is calculated separately. For example, if a user is a member of Group A, which has Full Control sharing permission but no NTFS permission for an object, and also of Group B, which has Full Control NTFS permission but no sharing permission for the object, that user has no permission for the object.
Examples
Let’s look at some examples. Say that on Tim’s PC is a folder, FOLDER-A, containing a file, PRIVATE.DOC. Tim has shared FOLDER-A with the Marketing group with Change permission and with the Everyone group with Read permission. In the NTFS permissions for the folder, he has allowed for the Marketing group to have only Read access. He has removed the default permissions to the folder for the Everyone group. If Sarah from Marketing accesses PRIVATE.DOC, will she be able to make changes to it? The Marketing group has Change [for sharing] and Read [for NTFS], with a net result of Read. The Everyone group has Read [for sharing] and None [for NTFS], with a net result of None. So Sarah’s permissions are the least restrictive of Read and None—in other words, Read. So no, she cannot make changes.
Sharing permissionNTFS permissionNet permissionMarketing groupChangeReadReadEveryone groupReadNoneNoneCumulative permission Read
Now, suppose Tim adds another group to his list of NTFS permissions: Managers. He gives the Managers group Modify access to FOLDER-A. If Sarah is a member of the Managers group, will she now be able to make changes to PRIVATE.DOC? The answer is still no, because even though permissions are cumulative within a type, they’re calculated as a whole on each group. As you can see below, the new Managers group has no net permission to the folder because it has no sharing permission, so it doesn’t help Sarah to be able to modify the file.
Sharing permissionNTFS permissionNet permissionMarketing groupChangeReadReadManagers groupNoneModifyNoneEveryone groupReadNoneNoneCumulative permission Read
Hint
Permission changes don’t take effect until the end user logs off and logs back on. After Tim changes the permissions, Sarah must log off and back on again or close the network connection to Tim’s PC and reopen it in order for his permission changes to take effect on Sarah’s end.
If Tim wanted to make sure Sarah had the ability to modify the file, he could:- Give the Marketing group Modify [or better] permission under NTFS permissions.
- Give the Managers group Change permission under sharing permissions.
Let’s say Tim takes the first option and changes the Marketing group’s NTFS permission to Modify. Now the chart looks like this:
Sharing permissionNTFS permissionNet permissionMarketing groupChangeModifyChange/ModifyManagers groupNoneModifyNoneEveryone groupReadNoneNoneCumulative permission Change/Modify
Note
Sharing and NTFS permissions use two different terms, Change and Modify, but both allow Sarah to make edits to the file.
Now, suppose Tim uses the NTFS special permissions to deny the Managers group the Write permission. Will Sarah be able to edit the file? No, because the Deny option settings override any Allow settings. Even though the Marketing group still has the right to edit the file, Sarah is also a member of the Managers group, which is specifically denied access.Sharing permissionNTFS permissionNet permissionMarketing groupChangeModifyChange/ModifyManagers groupNoneDeny WriteDeny WriteEveryone groupReadNoneNoneCumulative permission Deny Write
If Tim wanted Sarah, but nobody else from the Managers group, to be able to change the file, he could either remove Sarah from that group or create a separate group containing everyone from Managers except Sarah and deny that group the Write access instead of denying the Managers group.