
Windows Server 2012: Tips for setting share vs. NTFS permissions

Scott Lowe offers some tips on how NTFS and share permissions sometimes overlap. Here's how to make sure you grant the right set of permissions to users.

For those of you that are old hands when it comes to NTFS and share permissions, you're in for a disappointment; Microsoft hasn't changed much in these areas in Windows Server 2012. If, however, you're an up and coming sysadmin that was just handed responsibility for a Windows Server 2012 system, there are some things you should understand when it comes to using share and NTFS permissions in, well, any version of Windows Server to date.

Before you get started, though, make sure to read the previous two articles upon which this one expands:

As you get deeper into creating shares and applying NTFS permissions to various assets, you'll eventually run into a problem: What happens when you combine share and NTFS permissions?

For example, suppose you've shared a folder on a Windows Server 2012 system and you've created the share as a read-only share for the Everyone group, but the NTFS permissions for the folder are Full Control for the Everyone group. When conflicts like this arise between share and NTFS permissions, the most restrictive permission set wins out. So, in this example, the share's read-only permission would win the day and users would be unable to make changes to files and folders inside the share.

Likewise, if the share permissions granted the Everyone group Full Control, but the NTFS permissions were Read, the NTFS permissions would win because they're the most restrictive.

Bear in mind that NTFS permissions are additive among themselves. So, if user A has been granted NTFS Read rights and a group to which user A belongs has been granted NTFS Modify rights, then user A gets both Read and Modify rights. However, once share permissions enter the equation, things are a bit different.

Another point to note: Share permissions are only enforced if the contents of the shared folder are accessed over the network. If a user manages to log in directly to a server and access the folder through the file system on the local server, only the NTFS permissions will apply.
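The three rules above (most restrictive of share vs. NTFS wins over the network, NTFS entries add up across a user and their groups, and share permissions are skipped for local access) can be written down as a small model. The script below is an added example and is not code from the article; it uses constructed ACE lists and a three-level ranking (Read < Modify/Change < Full). Real NTFS rights are bitmasks and Deny entries override Allow, and both are deliberately left out so the combination rule stays visible.

```powershell
# Added example, not from the article: a model of how Windows combines share
# and NTFS permissions. Constructed data; Deny entries and per-bit NTFS rights
# are out of scope here.

$rank  = @{ Read = 1; Modify = 2; Change = 2; Full = 3 }
$label = @{ 0 = 'None'; 1 = 'Read'; 2 = 'Modify/Change'; 3 = 'Full' }

function Get-HighestRank {
    # Additive rule: the best right granted to the user directly or through
    # any group the user belongs to (plus Everyone, which matches all users).
    param([string[]]$Identities, [hashtable[]]$Aces)
    $best = 0
    foreach ($ace in $Aces) {
        if ($Identities -contains $ace.Identity) {
            $best = [Math]::Max($best, [int]$rank[$ace.Right])
        }
    }
    return $best
}

function Get-EffectiveAccess {
    param(
        [string]$User,
        [string[]]$Groups = @(),
        [hashtable[]]$NtfsAces,      # @{ Identity = '...'; Right = 'Read|Modify|Full' }
        [hashtable[]]$ShareAces,     # @{ Identity = '...'; Right = 'Read|Change|Full' }
        [switch]$LocalAccess         # set when the folder is opened on the server itself
    )
    $identities = @($User) + $Groups + @('Everyone')

    $ntfs = Get-HighestRank -Identities $identities -Aces $NtfsAces

    # Share permissions are enforced only for access over the network,
    # so a local logon is governed by NTFS alone.
    if ($LocalAccess) { return $label[$ntfs] }

    $share = Get-HighestRank -Identities $identities -Aces $ShareAces

    # Over the network both sets apply and the more restrictive one wins.
    return $label[[Math]::Min($ntfs, $share)]
}

# Constructed scenarios mirroring the article's examples.
$everyoneFullNtfs  = @(@{ Identity = 'Everyone'; Right = 'Full' })
$everyoneReadNtfs  = @(@{ Identity = 'Everyone'; Right = 'Read' })
$everyoneReadShare = @(@{ Identity = 'Everyone'; Right = 'Read' })
$everyoneFullShare = @(@{ Identity = 'Everyone'; Right = 'Full' })
$userAndGroupNtfs  = @(@{ Identity = 'userA';   Right = 'Read' },
                       @{ Identity = 'Editors'; Right = 'Modify' })

# 1. Read-only share, NTFS Full Control (the article's first example)
Get-EffectiveAccess -User userA -NtfsAces $everyoneFullNtfs -ShareAces $everyoneReadShare
# 2. Full Control share, NTFS Read (the article's second example)
Get-EffectiveAccess -User userA -NtfsAces $everyoneReadNtfs -ShareAces $everyoneFullShare
# 3. NTFS Read on the user plus NTFS Modify on one of the user's groups
Get-EffectiveAccess -User userA -Groups Editors -NtfsAces $userAndGroupNtfs -ShareAces $everyoneFullShare
# 4. Same data as scenario 1, but the user is logged on to the server itself
Get-EffectiveAccess -User userA -NtfsAces $everyoneFullNtfs -ShareAces $everyoneReadShare -LocalAccess
```

Run as written, the four calls return Read, Read, Modify/Change and Full: the first two show the most restrictive set winning, the third shows the NTFS entries for the user and the group adding up before the share is consulted, and the fourth shows the read-only share having no say once the folder is reached locally. Swap in your own identity and ACE lists to reason about a real share before touching it.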

For many administrators, it's considered a best practice to grant Full Control/Read & Write permissions on the share and then use NTFS permissions to restrict access further where necessary. You simply grant a user or group full share permissions, which restricts nothing; if you want to allow only Read rights on the items in the shared folder, you grant just Read rights through NTFS. In this way, regardless of how the folder is accessed, over the network or directly on the server, the same permission set always applies, and it simplifies the permissions game for administrators by eliminating one set of permissions you need to worry about.
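The script below applies that practice to a single folder: one wide-open share entry, and all the real decisions made in the NTFS ACL. It is an added example, not code from the article or from Microsoft; the folder path D:\Shares\Projects, the share name Projects and the two groups DOMAIN\Project-Readers and DOMAIN\Project-Editors are placeholders to replace with your own. It uses the SmbShare module that ships with Windows Server 2012 and needs an elevated prompt.

```powershell
# Added example, not from the article: "full share, restrict with NTFS" on one
# folder. Path, share name and group names below are placeholders.

$path    = 'D:\Shares\Projects'
$share   = 'Projects'
$readers = 'DOMAIN\Project-Readers'
$editors = 'DOMAIN\Project-Editors'

New-Item -ItemType Directory -Path $path -Force | Out-Null

# Share side: Full Control for every authenticated user, so the share never
# becomes the limiting permission. Everyone would match the article as well;
# Authenticated Users simply keeps anonymous sessions out.
New-SmbShare -Name $share -Path $path -FullAccess 'NT AUTHORITY\Authenticated Users' | Out-Null

# NTFS side: stop inheriting from D:\Shares (dropping the inherited entries)
# and grant exactly what each group should have. This is where access is
# actually decided, and it applies to local logons as well as network access.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$grants = @(
    @{ Identity = $readers;                 Rights = 'ReadAndExecute' },
    @{ Identity = $editors;                 Rights = 'Modify' },
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $g.Identity, $g.Rights, $inherit, $propagate, 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Check both sides: the share should list a single Full entry, and the folder
# only the explicit entries above (IsInherited is False for each of them).
Get-SmbShareAccess -Name $share
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Disabling inheritance is the step people most often skip: if the parent folder grants Users Modify and that entry is inherited, the carefully chosen Read entry for the readers group is not the only thing in play, and the additive rule from the article hands them Modify. Running the two checks at the end after every change is the cheap way to catch that.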

About

Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive w...

cmaritz

I'm asking since I inherited a file server which was configured this way. The aim was also to eliminate one set of permissions to worry about ... but now I'm worried :-)

Just to add, it was interesting to find out the locations of these sets of permission information:

- NTFS permission information resides on the NTFS-reserved portion of the hard disk (which must be an NTFS disk of course)
- Share permission information resides in the registry of the server doing the sharing.

This is perhaps less obvious but important in the event of a disaster recovery. If you have to reload your file server you might be able to restore all your files from a backup, but you don't want to be re-creating hundreds of shares again. The reg key is [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Shares]. Back this thing up regularly!

Thanks,
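One way to act on the backup advice in that comment, as an added example that is not part of the comment or the article: export the registry key named above, and alongside it write a readable snapshot of each share's path and share-level access list, so a rebuilt server can be checked against the old configuration and not just re-imported blindly. The backup directory D:\Backups\Shares is a placeholder; the script needs an elevated prompt and the SmbShare module (Windows Server 2012 or later).

```powershell
# Added example, not from the comment or the article. Backs up share
# definitions two ways. $backupDir is a placeholder.

$backupDir = 'D:\Backups\Shares'
$stamp     = Get-Date -Format 'yyyyMMdd-HHmm'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Raw export of the key the comment names. To restore on a rebuilt server:
#    reg.exe import <file>, then restart the Server (LanmanServer) service.
#    The folders the shares point at must exist first, with their NTFS ACLs
#    restored from the file backup; the key holds only the share side.
$regFile = Join-Path $backupDir "LanmanServer-Shares-$stamp.reg"
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares' $regFile /y | Out-Null

# 2. Readable snapshot: name, path and share-level ACEs for every share,
#    skipping the built-in administrative shares (C$, ADMIN$, IPC$).
$snapshot = Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $name = $_.Name
    [pscustomobject]@{
        Name   = $name
        Path   = $_.Path
        Access = @(Get-SmbShareAccess -Name $name | ForEach-Object {
                     '{0}:{1}:{2}' -f $_.AccountName, $_.AccessControlType, $_.AccessRight
                 })
    }
}
$snapshot | Export-Clixml -Path (Join-Path $backupDir "SmbShares-$stamp.xml")

# 3. Quick sanity check: compare the two counts, which should agree when
#    every non-administrative share made it into both files.
$keyCount = (Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares' -ErrorAction SilentlyContinue |
             Measure-Object).Count
"Registry export: $regFile"
"Snapshot:        $(Join-Path $backupDir "SmbShares-$stamp.xml") ($(@($snapshot).Count) shares)"
```

The snapshot is the part worth keeping next to the .reg file: `Import-Clixml` gives the objects back, and a quick `Compare-Object` against a fresh snapshot on the rebuilt server shows any share whose path or share-level ACL drifted during the restore.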

Trentski

Assign Everyone permissions to the share and then assign NTFS permissions to the folders.