[an error occurred while processing this directive] Share and NTFS Permissions on a File Server

[an error occurred while processing this directive]

Access to a folder on a file server can be determined through two sets of permission entries: the share permissions set on a folder and the NTFS permissions set on the folder (which can also be set on files). Share permissions are often used for managing computers with FAT32 file systems, or other computers that do not use the NTFS file system.

Share permissions and NTFS permissions are independent in the sense that neither changes the other. The final access permissions on a shared folder are determined by taking into consideration both the share permission and the NTFS permission entries. The more restrictive permissions are then applied.

The following table suggests equivalent permissions that an administrator can grant to the Users group for certain shared folder types. Another approach is to set share permissions to Full Control for the Everyone group and to rely entirely on NTFS permissions to restrict access.

Folder type Share permissions NTFS permissions

Public folder. A folder that can be accessed by everyone.

Grant Change permission to the Users group.

Grant Modify permission to the Users group.

Drop folder. A folder where users can drop confidential reports or homework assignments that only the group manager or instructor can read.

Grant Change permission to the Users group.

Grant Full Control permission to the group manager.

Grant Write permission for the Users group that is applied to This Folder only. (This is an option available on the Advanced page.)

If each user needs to have certain permissions to the files that he or she dropped, you can create a permission entry for the Creator Owner well-known security identifier (SID) and apply it to Subfolder and files only. For example, you can grant the Read and Write permission to the Creator Owner SID on the drop folder and apply it to all subfolders and files. This grants the user who dropped or created the file (the Creator Owner) the ability to read and write to the file. The Creator Owner can then access the file through the Run command by using \\ServerName\DropFolder\FileName.

Grant Full Control permission to the group manager.

Application folder. A folder containing applications that can be run over the network.

Grant Read permission to the Users group.

Grant Read, Read & Execute, and List Folder Contents permissions to the Users group.

Home folder. An individual folder for each user. Only the user has access to the folder.

Grant Full Control permission to each user on his or her respective folder.

Grant Full Control permission to each user on his or her respective folder.

Additional considerations

Additional references


[an error occurred while processing this directive]