When NTFS Mixes With Share

Some of the exams required for an MCSA, MCSE, and MCDST will test your knowledge of permissions. What’s all the hubbub about? Well, the question begins simply enough: what happens when User Jane has X and Y share permissions, and A and B NTFS permissions? How does it all shake out? What’s more, let’s say that User Jane is a member of a group that gives her V and W share permissions, and another group that gives her C and D NTFS permissions. It gets pretty complicated relatively quickly. When dealing with multiple group memberships, it’s easy to understand why someone may become confused, and I certainly was until someone finally explained how share and NTFS permissions work.

The bottom line is that multiple NTFS permissions are cumulative. They stack upon each other, and the highest permission wins the day. Share permissions work the same way. When you mix NTFS permissions with share permissions, the more restrictive of the two results rules. In other words, the guy who’s at the bottom of the stack.

Think of this process as if you were looking over the network through a tunnel. A user attempts to access data over the network from left to right. The only way that he can do this is if the data is shared to begin with, so the permissions that are first encountered are share permissions. The resulting share permissions may reduce the size of the tunnel that the user looks through, reducing the amount of data that can be seen. The system then goes to the NTFS permissions. These permissions are unavoidable because they are attached to the file on the disk. The tunnel’s field of vision is further reduced based on the resulting NTFS permissions. From there, the user can see the data based on the resulting size of the tunnel.

Let’s put this to the practical test and see what happens. Jane has been denied all access share permissions to a specific folder. She has full control NTFS permissions to the same folder. The result is that she has no access to the folder because the share permissions completely blocked off the tunnel. Now, reverse the situation. Jane has Full control Share permissions to the same folder, but is Denied all NTFS permissions. Jane will first encounter the Share permissions, which do not reduce the size of the tunnel and will let her through to the NTFS permissions, but she will stop at that point because the NTFS permissions won’t allow any access. These are pretty clear-cut examples.

Let’s get a little more tricky. Jane has Read share permissions to the folder, but Change NTFS permissions. When Jane encounters the share permissions, she is granted Read and moves on. Because her field of vision has been effectively reduced to Read only, NTFS permissions cannot override this, and she accesses the data with Read only permissions. Now, turn it around: Change share permissions vs Read NTFS permissions. When Jane encounters the Change share permission, her field of vision is reduced to Change. When she encounters the Read NTFS permission, her vision is further reduced to read only, and that is the access she is granted.

What happens if Jane has multiple group memberships? This is one place where the Effective Permissions tool included with Windows Server 2003 comes in really handy. The Effective Permissions tool essentially runs through each membership-inherited share permission, takes the most permissive share permission, runs through each membership-inherited NTFS permission, takes the most permissive NTFS permission, and then runs the two of them through the share-first, NTFS-last procedure above.
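The share-first, NTFS-last procedure with multiple group memberships can be modelled in a few lines. This is an added example, not code from the original article or from Microsoft. It assumes the article's simplified ladder (None, Read, Change, Full Control) instead of real ACL bit masks, treats a Deny on any membership as closing that layer, and uses constructed accounts and groups.

```python
from enum import IntEnum
from typing import NamedTuple

class Level(IntEnum):
    # The article's ladder, lowest to highest. Real ACLs are bit masks;
    # this ordered scale is a simplification for illustration.
    NONE = 0
    READ = 1
    CHANGE = 2
    FULL = 3

DENY = object()  # marks a Deny entry for a user or group (model assumption)

class Access(NamedTuple):
    share: Level
    ntfs: Level
    effective: Level

def layer_result(acl, principals):
    """Combine one layer (share OR NTFS) across all of a user's memberships."""
    best = Level.NONE
    for name in principals:
        entry = acl.get(name)
        if entry is DENY:        # a Deny on any membership closes the layer
            return Level.NONE
        if entry is not None:    # Allow entries are cumulative: keep the highest
            best = max(best, entry)
    return best

def effective_access(share_acl, ntfs_acl, principals, over_network=True):
    """Share first, NTFS last; the more restrictive of the two results wins."""
    ntfs = layer_result(ntfs_acl, principals)
    # Share permissions only apply to access through the share; a local
    # logon on the server is governed by NTFS alone.
    share = layer_result(share_acl, principals) if over_network else Level.FULL
    return Access(share, ntfs, min(share, ntfs))

# Constructed sample: Jane's own account plus her group memberships.
JANE = ["Jane", "Users", "Accounting"]
SHARE_ACL = {"Users": Level.READ, "Accounting": Level.CHANGE}
NTFS_ACL = {"Users": Level.READ, "Accounting": Level.FULL}

if __name__ == "__main__":
    print(effective_access(SHARE_ACL, NTFS_ACL, JANE))
    # Adding Jane to a group that is denied on NTFS shuts her out entirely.
    ntfs_with_deny = dict(NTFS_ACL, Contractors=DENY)
    print(effective_access(SHARE_ACL, ntfs_with_deny, JANE + ["Contractors"]))
```

The returned tuple shows which layer is the limiting one, which is the first thing to check when a user's access over the share is narrower than the NTFS ACL suggests.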

Article Written by

  • Francis

    Thanks for the examples. They are clear and easy to understand.

    Greetz,

    Francis

  • manoj calvin

    Perfect example! I appreciate the way you explained….

    Thanks

  • geosoft

    Clear like crystal. Thanks.

  • Alk

    Fantastic explanation, thank you. However, I thought that the effective permissions tool only cumulates the NTFS permissions and not the share permissions?

  • Eddy

    That’s right, the Effective Permissions Tool doesn’t take into account share permissions.

  • http://www.mj.com michael

    Nice article, but led me just up to the point I’m stuck. So……. permissions are cumulative, stack them up, but DENY is a trump card. The strictest of the 2 (share or NTFS) wins. I get confused when I mix in JANE is member of users, accounting, etc. Mix in the groups and users in the share, in the NTFS and I get confused.

  • Jean

    Thanks, this was the best explanation I’ve seen anywhere! Just totally cleared it up for me.

  • http://www.jeopard.com Alex Trebek

    I’ll take NTFS permissions for 200 please.

  • Levi

    Question: to access files on an NTFS share on a server do you NEED to have your system formatted in NTFS?

    I’m under the impression that you don’t but how else can you be granted user permissions?

  • Sew

    Very well put to a PC illiterate on his long journey to the MCSA.

  • Bill Sambrone

    I am studying for exam 70-290, and this is a very helpful example. Much clearer than the MS-Press book I have.

  • http://www.facebook.com/profile.php?id=100000004151461 Liam James Green

    Yes