Permissions on a file server

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Permissions on a file server

Access on a shared folder is determined through two sets of permission entries; the permissions set on the share (called share permissions) and the permissions set on the folder (called NTFS file and folder permissions). Share permissions are often used for managing computers with FAT32 file systems, or other computers that don't use the NTFS file system.

Share Permissions and NTFS Permissions are independent in the sense that neither changes the other. The final access permissions on a shared folder are determined by taking into consideration both the Share permission and the NTFS permission entries. The more restrictive permissions are then applied.

The following table suggests permissions that a security-conscious administrator could grant to the Users group for certain shared folder types. The recommended permissions have been tested, and work correctly; but there are alternative approaches. For example, some experienced administrators prefer always to set share permissions to Full Control for Everyone, and to rely entirely on NTFS permissions to restrict access.

Folder type Share permissions NTFS permissions

Public folder. A folder that can be accessed by everyone.

Grant Change permission to the Users group.

Grant Modify permission to the Users group.

Drop folder. A folder where users can drop confidential reports or homework assignments that only the group manager or instructor can read.

Grant the Change permission to the Users group.

Grant the Full Control permission to the group manager.

Grant the Write permission for the users' group that is applied to This Folder only. (This is an option available on the Advanced page.) For more information, see Set, view, change, or remove special permissions.

If each user needs to have certain permissions to the files that he or she dropped, you can create a permission entry for the Creator Owner Security identifiers (SID) and apply it to Subfolder and files only. For example, you can grant the Read and Write permission to the Creator Owner SID on the drop folder and apply it to all subfolders and files. This grants the user who dropped or created the file (the Creator Owner) the ability to read and write to the file. The Creator Owner can then access the file through the Run command using \\ServerName\DropFolder\FileName.

Grant the Full Control permission for the group manager.

Application folder. A folder containing applications that can be run over the network.

Grant Read permission for the Users group.

Grant Read, Read and Execute, and List Folder Content permissions to the Users group.

Home folders. Individual folders for each user. Only the user has access to the folder.

Grant the Full Control permission to each user on their respective folder.

Grant the Full Control permission to each user for their respective folder.


  • Granting a user Full Control NTFS permission on a folder enables that user to take ownership of the folder unless the user is restricted in some other way. Be cautious in granting Full Control.

  • If you want to manage folder access by using NTFS permissions exclusively, set Share permissions to Full Control for Everyone. This frees you from having to think about Share permissions, but NTFS permissions are more complex than Share permissions, so using NTFS permissions correctly requires deeper understanding on your part. For more information on NTFS permissions, search for the term "NTFS permissions" on TechNet on the Microsoft Web site.

  • NTFS permissions affect access both locally and remotely. NTFS permissions apply regardless of protocol. Share permissions, by contrast, apply only to network shares. Share permissions do not restrict access to any local user, or to any terminal server user, of the computer on which you have set Share permissions. Thus, Share permissions do not provide privacy between users on a computer used by several users, nor on a terminal server accessed by several users.

  • By default, Everyone does not include Anonymous, so permissions applied to Everyone do not affect Anonymous. This default behavior is new for the Windows ServerĀ 2003 family.

For more information, see Set, view, change, or remove permissions on files and folders and Share a folder or drive.