Scott Lowe offers some tips on how NTFS and share permissions sometimes overlap. Here's how to make sure you grant the right set of permissions to users.
For those of you who are old hands when it comes to NTFS and share permissions, you're in for a disappointment; Microsoft hasn't changed much in these areas in Windows Server 2012. If, however, you're an up-and-coming sysadmin who was just handed responsibility for a Windows Server 2012 system, there are some things you should understand when it comes to using share and NTFS permissions in, well, any version of Windows Server to date.
Before you get started, though, make sure to read the previous two articles upon which this one expands:
As you get deeper into creating shares and applying NTFS permissions to various assets, you'll eventually run into a problem: What happens when you combine share and NTFS permissions?
For example, suppose you've shared a folder on a Windows Server 2012 system and you've created the share as a read-only share for the Everyone group, but the NTFS permissions for the folder are Full Control for the Everyone group. When conflicts like this arise between share and NTFS permissions, the most restrictive permission set wins out. So, in this example, the share's read-only permission would win the day and users would be unable to make changes to files and folders inside the share.
Likewise, if the share permissions granted the Everyone group Full Control, but the NTFS permissions were Read, the NTFS permissions would win because they're the most restrictive.
Bear in mind that NTFS permissions combined with other NTFS permissions are additive. So, if user A has been granted NTFS Read rights and a group to which user A belongs has been granted NTFS Modify rights, then user A gets both Read and Modify rights. However, once share permissions enter the equation, things are a bit different.
Another point to note: Share permissions are only enforced if the contents of the shared folder are accessed over the network. If a user manages to log in directly to a server and access the folder through the file system on the local server, only the NTFS permissions will apply.
For many administrators, it's considered a best practice to provide Full Control/Read & Write permissions to shares and then use NTFS permissions to further restrict access if necessary. So, you would simply grant a user or group full share permissions, which would not restrict any access. However, if you wanted to allow only Read rights on the items in the shared folder, you would use NTFS permissions and grant just Read rights. In this way, regardless of how the folder is accessed, whether over the network or directly from the server, the same permission set will always apply. It also simplifies the permissions game for administrators by basically eliminating one set of permissions that you need to worry about.
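The rules above (NTFS grants add up, the share and NTFS sets are then intersected, and local access skips the share) can be modelled in a few lines. This is an added example, not code from the article or from Windows: the rights are a simplified stand-in for the real access mask, only Allow entries are modelled, and the user and group names are constructed.

```python
from enum import Flag, auto

class Right(Flag):
    """Simplified rights for illustration; not the real Windows access mask."""
    READ = auto()
    WRITE = auto()
    DELETE = auto()
    CHANGE_PERMISSIONS = auto()

MODIFY = Right.READ | Right.WRITE | Right.DELETE
FULL = MODIFY | Right.CHANGE_PERMISSIONS

# Named levels as an administrator sees them, mapped to the simplified rights.
NTFS_LEVELS = {"Read": Right.READ, "Modify": MODIFY, "Full Control": FULL}
SHARE_LEVELS = {"Read": Right.READ, "Change": MODIFY, "Full Control": FULL}

def granted(acl, principals, levels):
    """Additive rule: union of every Allow entry matching the user or a group."""
    total = Right(0)
    for principal, level in acl:
        if principal in principals:
            total |= levels[level]
    return total

def effective(principals, ntfs_acl, share_acl, over_network=True):
    """Most-restrictive rule: over the network only rights granted by both the
    share and NTFS survive; local access is checked against NTFS alone."""
    ntfs = granted(ntfs_acl, principals, NTFS_LEVELS)
    if not over_network:
        return ntfs
    return ntfs & granted(share_acl, principals, SHARE_LEVELS)

def describe(rights):
    """Name the highest level that a set of rights fully covers."""
    for name, level in (("Full Control", FULL), ("Modify", MODIFY), ("Read", Right.READ)):
        if (rights & level) == level:
            return name
    return "No access"

if __name__ == "__main__":
    user_a = {"userA", "Staff", "Everyone"}          # constructed names
    ntfs = [("userA", "Read"), ("Staff", "Modify")]  # user entry plus group entry
    read_only_share = [("Everyone", "Read")]
    open_share = [("Everyone", "Full Control")]
    print("open share, network:     ", describe(effective(user_a, ntfs, open_share)))
    print("read-only share, network:", describe(effective(user_a, ntfs, read_only_share)))
    print("read-only share, local:  ", describe(effective(user_a, ntfs, read_only_share, False)))
```

With the open share, the network and local results match (Modify in both cases), which is the point of the best practice; with the read-only share they diverge.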