NTFS Permissions vs Share Permissions: What Every Admin Must Know

Misconfigured file permissions are among the most common security vulnerabilities in Windows environments — and they are almost always the result of not understanding how NTFS permissions and share permissions interact. This guide explains both permission types, how they combine, and the correct approach to securing shared folders on Windows Server.

Two Layers of Permission

When a user accesses a file share over the network, Windows applies two independent permission checks:

  1. Share permissions: Applied at the network share level. They only apply to users connecting over the network — local logon bypasses share permissions entirely.
  2. NTFS permissions: Applied by the NTFS file system. They apply to all access — local logon, network access, and Remote Desktop sessions.

Windows grants the user the more restrictive of the two permission sets. A user with Full Control share permission but Read-only NTFS permission gets Read-only access. A user with Change share permission and no NTFS permission gets no access.

Share Permissions

Share permissions have three levels: Read, Change, and Full Control. Right-click a folder > Properties > Sharing tab > Advanced Sharing > Permissions to configure them.

  • Read: View files and subfolders, open files, run programs
  • Change: Everything in Read, plus create files, modify files, delete files
  • Full Control: Everything in Change, plus change NTFS permissions and take ownership

The recommended practice is to set share permissions to Everyone: Full Control and control actual access entirely through NTFS permissions. Because the effective access is the more restrictive of the two layers, this is safe only when the NTFS ACL itself restricts access; it eliminates the confusion caused by two overlapping permission systems and makes auditing simpler, since there is only one ACL to review.

NTFS Permissions

NTFS permissions are more granular. Right-click a folder > Properties > Security tab to manage them. The standard permissions:

  • Full Control: All permissions including changing ACLs and taking ownership
  • Modify: Read, write, execute, and delete files and subfolders
  • Read & Execute: View and run files, traverse folders
  • List Folder Contents: View folder and file names only
  • Read: View file contents and attributes
  • Write: Create files, write to files, modify attributes — but not read existing content

Clicking Advanced shows the full Access Control List (ACL) with explicit and inherited permissions, the owner, and effective access for any user.

Inheritance

By default, NTFS permissions flow down from parent folders to child folders and files — this is inheritance. A permission set on D:\Data automatically applies to all files and subfolders within. You can disable inheritance on a specific subfolder (right-click > Properties > Security > Advanced > Disable Inheritance) and either convert existing permissions to explicit entries or remove all inherited permissions — useful when a department subfolder needs different permissions from its parent.

Effective Permissions and the Combination Rule

When a user belongs to multiple groups with different NTFS permissions on the same folder, their effective NTFS permission is the union of all group permissions (most permissive wins) — except for Deny, which always overrides Allow. Deny is a sledgehammer: use it sparingly. Removing a user from a group is almost always a better approach than adding a Deny permission.

Check a user's effective permissions in the Security tab > Advanced > Effective Access. Enter a username and click View effective access to see exactly what they can do.

Best Practice: The AGDLP Model

Never assign NTFS permissions directly to user accounts. Use the AGDLP model:

  1. Place user Accounts into Global security groups (e.g., Finance-Staff)
  2. Place Global groups into Domain Local groups (e.g., Finance-Data-Modify)
  3. Assign Permissions (NTFS) to the Domain Local group

This model scales cleanly. When an employee joins or leaves a department, you change one group membership. You never touch the folder permissions.

Setting Permissions with PowerShell

# Create the share with Everyone: Full Control (let NTFS do the work)
New-SmbShare -Name "Finance" -Path "D:\Data\Finance" -FullAccess "Everyone"

# Set NTFS permissions: add Finance-Staff with Modify rights.
# Under the AGDLP model above, the group named here would be the Domain Local
# group (e.g., CORP\Finance-Data-Modify) rather than the Global group.
$acl = Get-Acl "D:\Data\Finance"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CORP\Finance-Staff",                 # identity (DOMAIN\group)
    "Modify",                             # FileSystemRights
    "ContainerInherit,ObjectInherit",     # inherit to subfolders and files
    "None",                               # PropagationFlags: also applies to this folder
    "Allow"                               # AccessControlType
)
$acl.AddAccessRule($rule)
Set-Acl "D:\Data\Finance" $acl
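As an added example that is not part of the original article, the following script audits every non-administrative share on a file server against the rules above: the share ACL should be Everyone: Full Control only, the NTFS ACL on the share root must not hand Everyone, Authenticated Users or Users Modify or better (since Allow entries are unioned, such an entry makes the rest of the ACL irrelevant), Deny entries are flagged, and explicit root entries are listed so you can confirm they name Domain Local groups per AGDLP. The $BroadPrincipals list, the Test-ShareRoot function name and the assumption that it runs elevated on the file server are mine.

```powershell
# Added audit script (not from the original article). Assumes it runs elevated
# on the file server; principal names below are the built-in Windows names.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$BroadRights     = [System.Security.AccessControl.FileSystemRights]::Modify

function Test-ShareRoot {
    param([Parameter(Mandatory)][string]$ShareName)
    $share    = Get-SmbShare -Name $ShareName
    $findings = @()

    # Layer 1: share permissions. Anything other than Everyone:Full means the
    # share ACL is doing (and hiding) work that belongs in NTFS.
    foreach ($sp in Get-SmbShareAccess -Name $ShareName) {
        $isEveryoneFull = $sp.AccountName -eq 'Everyone' -and
                          $sp.AccessRight -eq 'Full' -and
                          $sp.AccessControlType -eq 'Allow'
        if (-not $isEveryoneFull) {
            $findings += "share ACL entry $($sp.AccessControlType) $($sp.AccountName): $($sp.AccessRight) (expected Everyone:Full only)"
        }
    }

    # Layer 2: NTFS permissions on the share root.
    $acl = Get-Acl -Path $share.Path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Deny') {
            $findings += "Deny ACE for $id ($($ace.FileSystemRights)); prefer removing the group membership instead"
        }
        # Effective NTFS right is the union of Allow ACEs, so a broad principal
        # holding every Modify bit (FullControl included) overrides all other Allows.
        if ($ace.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $id -and
            (($ace.FileSystemRights -band $BroadRights) -eq $BroadRights)) {
            $findings += "NTFS grants $id $($ace.FileSystemRights); with the share at Everyone:Full this folder is wide open"
        }
        # AGDLP: explicit (non-inherited) entries on the root should name Domain Local groups, not users.
        if (-not $ace.IsInherited -and $id -notlike 'BUILTIN\*' -and
            $id -notlike 'NT AUTHORITY\*' -and $id -ne 'CREATOR OWNER') {
            $findings += "explicit ACE for $id; confirm it is a Domain Local group, not a user account"
        }
    }
    [pscustomobject]@{ Share = $ShareName; Path = $share.Path; Owner = $acl.Owner; Findings = $findings }
}

# Skip the administrative shares (C$, ADMIN$, IPC$) and show only shares with findings.
Get-SmbShare | Where-Object { -not $_.Special } |
    ForEach-Object { Test-ShareRoot -ShareName $_.Name } |
    Where-Object { $_.Findings.Count -gt 0 } |
    Format-List Share, Path, Owner, Findings
```

Run it before and after a permission change to confirm that the NTFS layer, not the share layer, is what limits access.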

Auditing File Access

Enable auditing to track who accessed or modified sensitive files. In Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access > Audit File System. Set to audit Success and/or Failure. Then enable auditing on the specific folder in its Security > Advanced > Auditing tab. Access events appear in the Security event log as Event ID 4663.