

Share and NTFS Permissions on a File Server

Applies To: Windows 7, Windows Server 2008 R2

Access to a folder on a file server can be determined through two sets of permission entries: the share permissions set on a folder and the NTFS permissions set on the folder (which can also be set on files). Share permissions are often used for managing computers with FAT32 file systems, or other computers that do not use the NTFS file system.

Share permissions and NTFS permissions are independent in the sense that neither changes the other. The final access permissions on a shared folder are determined by taking into consideration both the share permission and the NTFS permission entries. The more restrictive permissions are then applied.

The following table suggests equivalent permissions that an administrator can grant to the Users group for certain shared folder types. Another approach is to set share permissions to Full Control for the Everyone group and to rely entirely on NTFS permissions to restrict access.

| Folder type | Share permissions | NTFS permissions |
| --- | --- | --- |
| Public folder. A folder that can be accessed by everyone. | Grant Change permission to the Users group. | Grant Modify permission to the Users group. |
| Drop folder. A folder where users can drop confidential reports or homework assignments that only the group manager or instructor can read. | Grant Change permission to the Users group. Grant Full Control permission to the group manager. | Grant Write permission for the Users group that is applied to This Folder only. (This is an option available on the Advanced page.) If each user needs to have certain permissions to the files that he or she dropped, you can create a permission entry for the Creator Owner well-known security identifier (SID) and apply it to Subfolders and files only. For example, you can grant the Read and Write permission to the Creator Owner SID on the drop folder and apply it to all subfolders and files. This grants the user who dropped or created the file (the Creator Owner) the ability to read and write to the file. The Creator Owner can then access the file through the Run command by using \\ServerName\DropFolder\FileName. Grant Full Control permission to the group manager. |
| Application folder. A folder containing applications that can be run over the network. | Grant Read permission to the Users group. | Grant Read, Read & Execute, and List Folder Contents permissions to the Users group. |
| Home folder. An individual folder for each user. Only the user has access to the folder. | Grant Full Control permission to each user on his or her respective folder. | Grant Full Control permission to each user on his or her respective folder. |
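
The drop folder configuration from the table, scripted as an added example (not part of the original article): it creates the three NTFS entries with the .NET access-control classes, sets the share permissions with net share, and then lists the result for review. The path, share name and manager group are placeholder assumptions; run it elevated on the file server.

```powershell
# Added example: placeholder values, adjust before use.
$Path      = 'D:\Shares\DropFolder'   # assumed local path on the file server
$ShareName = 'DropFolder'             # share name, as in \\ServerName\DropFolder
$Manager   = 'CONTOSO\DropManagers'   # hypothetical group manager account or group

# Well-known SIDs, so the NTFS entries do not depend on localized account names.
$Users        = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users
$CreatorOwner = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-0'       # CREATOR OWNER
$ManagerId    = New-Object System.Security.Principal.NTAccount $Manager

function New-AllowRule {
    param(
        [System.Security.Principal.IdentityReference]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inheritance,
        [System.Security.AccessControl.PropagationFlags]$Propagation
    )
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inheritance, $Propagation, $allow
}

$acl = Get-Acl -Path $Path
# Users: Write on "This folder only" (no inheritance flags): can drop files, not read them.
$acl.AddAccessRule((New-AllowRule $Users 'Write' 'None' 'None'))
# Creator Owner: Read and Write on "Subfolders and files only" (inherit-only entry).
$acl.AddAccessRule((New-AllowRule $CreatorOwner 'Read, Write' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
# Group manager: Full Control on this folder, subfolders and files.
$acl.AddAccessRule((New-AllowRule $ManagerId 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
Set-Acl -Path $Path -AclObject $acl

# Share permissions from the table: Change for Users, Full Control for the manager.
# Arguments are quoted so PowerShell does not split them at the comma.
net share "$ShareName=$Path" "/GRANT:Users,CHANGE" "/GRANT:$Manager,FULL"

# Review the result. Rows with IsInherited = True come from the parent folder and
# still apply: an inherited Read entry for Users would expose every dropped file.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited -AutoSize
net share $ShareName
```

Because the more restrictive of the two sets applies, the Change share permission does not let members of Users read the folder remotely; the NTFS Write entry on This Folder only is the effective limit.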

Additional considerations

  • Granting a user Full Control NTFS permission on a folder enables that user to take ownership of the folder unless the user is restricted in some other way. Be cautious in granting Full Control.

  • If you want to manage folder access by using NTFS permissions exclusively, set share permissions to Full Control for the Everyone group.

  • NTFS permissions affect access both locally and remotely. NTFS permissions apply regardless of protocol. Share permissions, by contrast, apply only to network shares. Share permissions do not restrict access to any local user, or to any terminal server user, of the computer on which you have set share permissions. Thus, share permissions do not provide privacy between users on a computer used by several users, nor on a terminal server accessed by several users.

  • By default, the Everyone group does not include the Anonymous group, so permissions applied to the Everyone group do not affect the Anonymous group.
