permissions

wheely

I just want to make sure i understand this right. Suppose you are a member of the Everyone group and you want to access a folder. When accessed locally you have read permissions but when accessed through the share you still only have read permissions.

The NTFS permissions for the everyone group folder are Read.

The Share permissions for the everyone group folder are Change.

So even though i access it through the share i would still have only read permissions even if it says the everyone group has change permission for the share?

undomiel

Correct, sum up the Share permissions (which in yours results in Change) and then sum up the NTFS permissions (which is Read for yours) and then the effective permissions would be the most restrictive of the two, which in your case is Read. If for instance you changed the NTFS permissions to Full then the Share permissions would be most restrictive and you would only have Change permissions when accessing through the share.

wheely

Ok that makes sense. So for instance if i have a folder and my NTFS permissions are full control but the share permissions are read. When i access it through NTFS i still only have read permissions?

Mishra

"When i access it through NTFS i still only have read permissions?"

This means you are accessing it locally. If you are local to the machine accessing the shared folder, share permissions are not applied.

royal

Here's an analogy I've used in the past to describe how share vs ntfs permissions work:

royal wrote:

You have Share Permissions
You have NTFS Permissions

All your Share Permissions are cumulative
All your NTFS Permissions are cumulative

It then takes the most restrictive and assigns those as effective permissions. Think of it as a competition of Share vs NTFS. Share will gather as many teammates as possible (cumulating permissions). NTFS will also gather as many teammates as possible (cumulating permissions). Share and NTFS will then duke it out. The toughest (most restrictive permissions wins).

So lets say you have a user named John. John has ntfs Read. John is a part of the Sales Group. The sales group has Write. Because John has Read and is a part of the Sales group, he effectively has Read AND write. This means if John accesses the file system via console and goes to My Computer > C > bleh bleh and accesses that folder/file, he will be able to read AND write.

Now lets keep those ntfs permissions on that folder, but now lets share it out. By default, the Everyone group has read access to that share and that is all. Now lets say John instead goes to \\server\folder. He will be ONLY be granted Read access and will not be able to write. Why? Even though his ntfs permissions are Read/Write, he is restricted due to the Share permissions being more restrictive. Remember, it is Share vs NTFS. Share has more restrictive permissions (Everyone Read only, there is no Write there).

In real world, generally speaking, you'll just assign Share permissions to Everyone/Full Control. You will then restrict people's access via NTFS permissions.

Hope this helps.

wheely

So if my NTFS permissions are read and the share permissions are write when i access through the share i only have read permissions?

sprkymrk

wheely wrote:

So if my NTFS permissions are read and the share permissions are write when i access through the share i only have read permissions?

Correct. When you access a share remotely, you must factor in both NTFS and Share permissions. If you access a resource locally, you do not factor in the share permissions.