Share Permissions and NTFS Permissions Folder Access Control & Folder Permissions

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer


Original Creation Date: 2/4/2010


 


Prelude


This question comes up from time to time in the public newsgroups and TechNet forums. I thought I would lay it out the way I do when teaching this topic in a classroom, to make it as easy to understand as possible.




Basic Understanding of Share and NTFS Permissions


Share permissions and NTFS permissions (the Security tab) are two separate access control lists. When a user connects to a shared resource (folder, printer, etc.) over the network, the server evaluates both, and the user gets only what both lists grant: the combination is the Most Restrictive of the two.


This means that if a user has Full Control in the Share permissions and only Read in the NTFS permissions (Security tab), the Effective (resulting) permission is Read. That is why we can set generous Share permissions on the parent for the initial connection, then control the resulting or Effective permissions with NTFS.


No passwords are needed beyond the user successfully logging on to the domain. When a user logs on, Windows builds an access token for the account that contains the user's SID and the SIDs of every group the user belongs to. When the user connects to the file server, the server authenticates the user (Kerberos or NTLM) and builds an equivalent token there; the SIDs in that token are compared with the entries in the ACL (Access Control List) of the share and of the NTFS folder to decide access. That is why no separate passwords are required, which is much easier than dealing with multiple passwords: the system simply uses the AD user account and its group memberships for the access check.


Because of the Most Restrictive evaluation, the simplest way to set permissions is to give users (preferably through groups) Full Control on the Share side and lock things down on the NTFS side (Security tab). It works consistently, and it is easier to document and keep track of.




The Basic Rules


The basic rules are:


NTFS Permissions:

  • All NTFS permissions for a specific account, whether the account is listed directly or is a member of a listed group, are combined to produce the Effective Permission using the Least Restrictive (cumulative) rule: the Allow entries add up.
  • NTFS permissions always apply, including to a user accessing the folder directly on the hard drive while logged on to the machine, where no share is involved.

Share Permissions:

  • All Share permissions that apply to the account, directly or through group membership, are combined to produce the Effective Permissions using the Least Restrictive (cumulative) rule.
  • Share permissions apply only when the folder is reached through the share: via a UNC path, Network Neighborhood browsing, or a mapped drive.

Accessing a Share across the network:

  • The NTFS and Share effective permissions are then compared, and the user gets the Most Restrictive of the two: only rights granted by both lists survive.
  • This is the end result of accessing files or folders across the network, whether by UNC, Network Neighborhood browsing, or mapped drives.
  • The Share permissions are the first gate when accessing a folder across the network. If the Share permissions are set to Read, Read is the best the user will get, whatever the NTFS permissions say.


Access Deny Permission


If there is a Deny entry in either the Share ACL or the NTFS ACL that applies to the account, whether it was placed on the user account or on a group the user belongs to, the user is denied the rights that entry names, even if another entry grants them. Deny wins over Allow when both sit at the same level. The one exception is NTFS inheritance: an explicit Allow set directly on a folder takes precedence over a Deny inherited from a parent, because explicit entries are evaluated before inherited ones. Check the Advanced view for "Inherited from" before relying on a Deny.


Default Share Permissions on Windows 2003 and newer are Everyone = Read


For example, if you give an account Full Control in the NTFS ACL and do not change the default Share permissions on Windows 2003 or newer, then when the account accesses the share across the network the user gets ONLY Read and Read & Execute, and so cannot change anything, even though the user has Full Control in the NTFS permissions (Security tab). The same user logged on locally to the server would have Full Control, because the share is not involved.


Share Permissions Do NOT Apply When Logged On Locally


Share permissions do NOT apply to someone who is logged on to the machine locally and opens the folder in Windows Explorer by its local path. Only the NTFS permissions apply in that case. This is also why Share permissions alone never protect the data: anyone who can log on interactively to the server, or reach the same folder through another share, bypasses them entirely. NTFS is what actually protects the files.
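To make the rules above concrete, here is a small PowerShell model of the evaluation. It is added for this write-up and is not part of the original post or of any Microsoft tooling, and it does not call the real Windows access check; it only reproduces the arithmetic: within one list, Allow entries for the user and the groups in the token are OR'd together and Deny entries subtract; between the two lists, the share mask and the NTFS mask are AND'd, and a local logon skips the share mask. It walks through the default Everyone = Read share, the local-logon case, the corrected share, and a Deny placed on a group. The account, groups and ACL entries (CONTOSO\Joe and so on) are made up.

```powershell
# Added example, not from the original post: a small PowerShell model of how
# the rules above combine for one account. It does NOT call Windows' real
# access check; FileSystemRights is borrowed only so results print with the
# familiar names. Every account, group and ACL entry below is made up.

$FSR = [System.Security.AccessControl.FileSystemRights]

# Share permission levels expressed as the NTFS rights they map to.
$ShareLevel = @{
    Read        = $FSR::ReadAndExecute   # Read   = generic read + execute
    Change      = $FSR::Modify           # Change = read + write + create + delete
    FullControl = $FSR::FullControl
}

function Get-AclMask {
    # Least Restrictive rule inside ONE list: every Allow entry that matches
    # the user or one of the groups in the token is OR'd together, then any
    # matching Deny strips the bits it names. Real NTFS orders explicit ACEs
    # ahead of inherited ones (so an explicit Allow beats an inherited Deny);
    # this model treats all entries as explicit.
    param([array]$Acl, [string[]]$Token)
    $allow = 0
    $deny  = 0
    foreach ($ace in $Acl) {
        if ($Token -notcontains $ace.Identity) { continue }
        if ($ace.Type -eq 'Deny') { $deny  = $deny  -bor [int]$ace.Rights }
        else                      { $allow = $allow -bor [int]$ace.Rights }
    }
    return $allow -band (-bnot $deny)
}

function Get-EffectiveAccess {
    # Most Restrictive rule between the TWO lists: a right survives only if
    # both the share ACL and the NTFS ACL grant it (bitwise AND). A local,
    # interactive logon never touches the share ACL at all.
    param([array]$ShareAcl, [array]$NtfsAcl, [string[]]$Token, [switch]$Local)
    $ntfs = Get-AclMask -Acl $NtfsAcl -Token $Token
    if ($Local) { return [System.Security.AccessControl.FileSystemRights]$ntfs }
    $share = Get-AclMask -Acl $ShareAcl -Token $Token
    return [System.Security.AccessControl.FileSystemRights]($share -band $ntfs)
}

# Joe's token: his own account plus the groups every domain user carries.
$joe = 'CONTOSO\Joe', 'CONTOSO\Domain Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'

# Share ACLs: the Windows 2003+ default, and the open share the post recommends.
$defaultShare = @(@{ Identity = 'Everyone'; Type = 'Allow'; Rights = $ShareLevel.Read })
$openShare    = @(@{ Identity = 'NT AUTHORITY\Authenticated Users'; Type = 'Allow'; Rights = $ShareLevel.FullControl })

# NTFS ACL with Joe at Full Control, and the same list plus a Deny on a group he is in.
$ntfs = @(
    @{ Identity = 'BUILTIN\Administrators'; Type = 'Allow'; Rights = $FSR::FullControl },
    @{ Identity = 'CONTOSO\Joe';            Type = 'Allow'; Rights = $FSR::FullControl }
)
$ntfsWithDeny = $ntfs + @(@{ Identity = 'CONTOSO\Domain Users'; Type = 'Deny'; Rights = $FSR::Write })

'{0,-64} {1}' -f 'Default share (Everyone=Read), NTFS Joe=Full, over the network:', (Get-EffectiveAccess $defaultShare $ntfs $joe)
'{0,-64} {1}' -f 'Same folder opened locally (share ACL ignored):',               (Get-EffectiveAccess $defaultShare $ntfs $joe -Local)
'{0,-64} {1}' -f 'Share fixed to Authenticated Users=Full, NTFS Joe=Full:',       (Get-EffectiveAccess $openShare $ntfs $joe)
'{0,-64} {1}' -f 'Same, plus NTFS Deny Write on Domain Users (Joe is a member):', (Get-EffectiveAccess $openShare $ntfsWithDeny $joe)
```

The first line is the trap described above: Full Control in NTFS collapses to ReadAndExecute because the untouched share only grants Read. The second line shows the same folder opened locally, where the share ACL is never consulted and Joe has Full Control. The last line shows that a Deny on a group Joe belongs to removes the Write bits from his otherwise Full Control, which is what you would see in the Effective Permissions tab.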


 


Use Groups To Control Access


The best way is to grant access to groups rather than to individual user accounts. A folder whose ACL is full of individual names is hard to review, and every time someone joins or leaves a team you have to find and edit every ACL that mentions them; with a group, you change the membership in one place and the ACLs stay the same. Put users into a group per role and grant that group the permission on the folder.




Simple Examples


Consider the following scenario:


Joe needs Read on the shared network folder. No other user has access.


We’ll set it up as follows:


Share Permissions:

  • Click on Advanced Sharing
  • Share the Folder
  • Click on Permissions
  • Remove the default Everyone = Read permission
  • Add Administrators = Full Control
  • Add Authenticated Users = Full Control


NTFS (Security Tab Permissions):

  • Click on the Security Tab (NTFS Permissions)
  • Click Advanced and disable inheritance, choosing to copy (convert) the inherited entries so they become explicit entries you can edit
  • Remove Users = Read, together with any Everyone, Domain Users or Authenticated Users entries that came along, if present
  • Keep Administrators = Full Control
  • Keep System = Full Control
  • Add Joe = Read




Results:


In the above scenario, Joe has only Read, and no other ordinary user can get in at all.


The reason is that when Joe connects to the folder across the network, the Share permissions initially grant him Full Control (through Authenticated Users); the system then evaluates the NTFS permissions (Security tab), where Joe has only Read, and combines the two using the Most Restrictive rule. The result is Read, so Joe ONLY has READ. Any other authenticated user passes the share just as easily but has no NTFS entry at all, and is refused.




Advanced Example


Keep in mind, as stated above, that the Share permissions control the initial connection. If they are set to Read and the NTFS permissions are set to Full Control, all the user gets is Read. You need to understand this basic principle of the Sharing feature to provide the proper permissions for your users and groups.


The NTFS permissions are then combined with the Share permissions to give the Most Restrictive result: Full Control on the share plus Read in NTFS yields Read. Set the broader permission on the share for the initial access and control the Effective permission with NTFS. No passwords are involved beyond the domain logon; the access token built for the user (the user's SID plus the SIDs of the user's groups) is compared with the ACL of the share and of the NTFS folder.


Let’s say you have the following folder structure.


Office Data
     Accounting Folder
     Marketing Folder
     Sales Folder
     Operations


Your users are as follows. They require access to their respective folders but to no others.
   Joe and Sally are accountants.
   Bob and Sue are Marketing reps.
   Tom and Jerry are in sales.
   Wyle E and the Road Runner are in operations.


You create the following groups and add the appropriate users into those groups.
   Accounting Group
   Marketing Group
   Sales Group
   Operations Group


Then you share the Office Data folder, but not the others below it. You’ve set the Share permissions and NTFS (security tab) permissions as follows:


   Office Data Folder:
       Sharename = Office Data
       Share Permissions on the Office Data Share:
       Domain Admins = FC
       Authenticated Users = Change


The following are the NTFS (Security tab) permissions you will set. This assumes the respective users require read/write access to their own folders. If they only need Read, change Modify in the instructions below to Read and Read & Execute.


It is important that inheritance is disabled, as stated below for each folder, so that you can remove the default Everyone or Domain Users entries if they exist. Otherwise they will undermine the security control. Note also that when you choose Copy, a subfolder receives a copy of whatever the Office Data folder had at that moment, including the Authenticated Users = Modify entry added below, so that entry (and any Users entry) must be removed from each department folder as well; if it is left behind, every authenticated user gets Modify on every department folder. On the Office Data folder itself, Authenticated Users only needs to list and traverse the folder to reach the department folders; the layout below grants Modify there, but Read & Execute is enough if you do not want users creating files in the root.


   Office Data Folder
      Click Advanced, uncheck Inherited, click on Copy when the message pops up
      Remove Everyone, Domain Users and Users, if present. Leave everything else. Add the following:
      Domain Admins = FC
      Authenticated Users = Modify


    Accounting Folder:
          Click Advanced, uncheck Inherited, click on Copy when the message pops up
          Remove Everyone, Domain Users, Users and Authenticated Users (the entries copied from Office Data). Leave Administrators, SYSTEM and CREATOR OWNER. Add the following:
          Domain Admins = FC
          Accounting Group = Modify (not Full Control)


    Marketing Folder:
          Click Advanced, uncheck Inherited, click on Copy when the message pops up
          Remove Everyone, Domain Users, Users and Authenticated Users (the entries copied from Office Data). Leave Administrators, SYSTEM and CREATOR OWNER. Add the following:
          Domain Admins = FC
          Marketing Group = Modify (not Full Control)


    Sales Folder:
          Click Advanced, uncheck Inherited, click on Copy when the message pops up
          Remove Everyone, Domain Users, Users and Authenticated Users (the entries copied from Office Data). Leave Administrators, SYSTEM and CREATOR OWNER. Add the following:
          Domain Admins = FC
          Sales Group = Modify (not Full Control)


    Operations Folder:
          Click Advanced, uncheck Inherited, click on Copy when the message pops up
          Remove Everyone, Domain Users, Users and Authenticated Users (the entries copied from Office Data). Leave Administrators, SYSTEM and CREATOR OWNER. Add the following:
          Domain Admins = FC
          Operations Group = Modify (not Full Control)


With the permissions set as suggested, Bob in Marketing cannot access any folder other than Marketing, and Jerry in Sales cannot access anything other than Sales. They can see the other folder names, because Authenticated Users has access to the Office Data folder itself, but they simply can't get into them. If you would rather they not see folders they cannot open, enable Access-based Enumeration on the share (available from Windows Server 2003 SP1 onward).


If just Bob in Marketing needs Read Only access to the Sales folder, simply create an additional group, call it "Marketing Group Access to Sales Folder", and place Bob in it. Then, in the NTFS (Security tab) permissions of the Sales folder, add that group with Read and Read & Execute. This way Bob has read-only permission to see the files in that folder, and the exception is visible in the group's membership rather than buried as a single user in an ACL.
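The Simple Example above and the Office Data layout, done with PowerShell instead of the Explorer dialogs so the steps are repeatable and can be reviewed. This is an added script for this write-up, not from the original post. It assumes things the post does not state: folders under D:\Shares, a domain named CONTOSO with groups such as CONTOSO\Accounting Group already created, and the SmbShare module (Windows Server 2012 / Windows 8 or later; on Windows 2003/2008 replace the *-SmbShare lines with net share). Run it from an elevated PowerShell on the file server.

```powershell
# Added example, not from the original post: the Simple Example (only Joe may
# read a share) and the Advanced Example (the Office Data tree) in PowerShell.
# Assumptions not in the original: folders under D:\Shares, a domain named
# CONTOSO, groups such as "CONTOSO\Accounting Group", and the SmbShare module
# (Windows Server 2012 / Windows 8 or later). Run elevated on the file server.

function Set-FolderAccess {
    # Disables inheritance on $Path and copies the inherited entries (the
    # "Copy" button in the dialog), removes every entry for the identities in
    # $Remove, then adds one Allow entry per identity in $Grant that applies
    # to the folder, its subfolders and its files.
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string[]]$Remove = @(),
        [hashtable]$Grant = @{}        # identity -> FileSystemRights, e.g. 'Modify'
    )
    # Pass 1: protect the DACL and save. Inherited entries cannot be removed;
    # after this save the copied entries are explicit and editable.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Pass 2: purge the broad entries, add the role-based ones, save again.
    $acl = Get-Acl -Path $Path
    foreach ($id in $Remove) {
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$id)
    }
    foreach ($id in $Grant.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList (
            $id, $Grant[$id], 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Broad entries that must not survive on a restricted folder. Everyone and
# Domain Users are the post's targets; Users and Authenticated Users are the
# defaults on Windows Server 2008+ data volumes and the entry copied down
# from the Office Data root when inheritance is broken with "Copy".
$Broad = 'Everyone', 'CONTOSO\Domain Users', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

# --- Simple Example: only Joe may read \\server\Reports ---
# With access parameters given, New-SmbShare does not add the default Everyone = Read.
New-Item -ItemType Directory -Path 'D:\Shares\Reports' -Force | Out-Null
New-SmbShare -Name 'Reports' -Path 'D:\Shares\Reports' `
    -FullAccess 'BUILTIN\Administrators', 'NT AUTHORITY\Authenticated Users' | Out-Null
Set-FolderAccess -Path 'D:\Shares\Reports' -Remove $Broad -Grant @{ 'CONTOSO\Joe' = 'Read' }

# --- Advanced Example: one share, one department folder per group ---
$Root  = 'D:\Shares\Office Data'
$Depts = 'Accounting', 'Marketing', 'Sales', 'Operations'
New-Item -ItemType Directory -Path ($Depts | ForEach-Object { Join-Path $Root $_ }) -Force | Out-Null

# Share: Domain Admins = Full Control, Authenticated Users = Change. Access-based
# enumeration hides folders a user cannot open (optional; the post leaves them visible).
New-SmbShare -Name 'Office Data' -Path $Root -FullAccess 'CONTOSO\Domain Admins' `
    -ChangeAccess 'NT AUTHORITY\Authenticated Users' -FolderEnumerationMode AccessBased | Out-Null

# Root: the post grants Authenticated Users Modify here; 'ReadAndExecute' is
# enough to traverse into the department folders and stops file drops in the root.
Set-FolderAccess -Path $Root -Remove $Broad -Grant @{
    'CONTOSO\Domain Admins'            = 'FullControl'
    'NT AUTHORITY\Authenticated Users' = 'Modify'
}

# Department folders: done AFTER the root, so the copied Authenticated Users
# entry is present and gets purged; then only the role group is granted.
foreach ($d in $Depts) {
    Set-FolderAccess -Path (Join-Path $Root $d) -Remove $Broad -Grant @{
        'CONTOSO\Domain Admins' = 'FullControl'
        "CONTOSO\$d Group"      = 'Modify'
    }
}

# Bob's exception: a dedicated group gets read-only on Sales.
Set-FolderAccess -Path (Join-Path $Root 'Sales') -Grant @{
    'CONTOSO\Marketing Group Access to Sales Folder' = 'ReadAndExecute'
}

# Verify: the share ACL, then the NTFS entries on one department folder.
Get-SmbShareAccess -Name 'Office Data' | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl -Path (Join-Path $Root 'Sales')).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Set-FolderAccess saves twice on purpose: PurgeAccessRules silently does nothing to entries that are still inherited, so inheritance has to be broken and written back before the copied entries can be removed. The verification at the end is the check worth keeping in your own scripts: the Sales folder should list only Administrators, SYSTEM, CREATOR OWNER, Domain Admins, Sales Group and the Bob exception group, all with IsInherited false; if Authenticated Users or Users still appears, the department isolation described above does not hold.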



Regarding Read and Read & Execute Permissions:


If an executable needs to be run, the user needs Read & Execute; otherwise Read will suffice. You can view the specific rights granted by going into Advanced. The first list of permissions (the Security tab itself) shows the standard, pre-canned permission sets; Advanced shows the individual rights that make them up. You can also set permissions in Advanced, but you must understand what each right means. If you set rights in Advanced and click OK, the Security tab will show "Special permissions" whenever what you set does not match one of the pre-canned sets the system provides.




Related links:


Planning Access to Shared Folders
http://technet.microsoft.com/en-us/library/cc787768(WS.10).aspx


Windows 2003 NTFS and Share Permissions
http://www.mcmcse.com/microsoft/guides/ntfs_and_share_permissions.shtml


When NTFS Mixes With Share
http://www.lockergnome.com/it/2004/10/01/when-ntfs-mixes-with-share/


Share permissions vs. NTFS permissions
http://www.ntfs.com/ntfs-permissions-share.htm


Combining Shared Folder Permissions and NTFS Permissions
http://www.ntfs.com/ntfs-permissions-combined.htm


 


I hope that helps in understanding this feature.


Ace