MCSA/MCSE 2003 - 70-290 TechNotes:
Shared Folders and NTFS Permissions

Shared folders and file system (NTFS) permissions have appeared on Microsoft exams since the first MCP certifications. Even though some major changes and additions have been made, overall the basics have remained the same. What has also remained the same is that it can still be a very confusing topic. Although these TechNotes are fairly complete for the 70-290 exam, make sure you practice these topics on a real Windows 2003 server.

There are two main types of access permissions in Windows 2003: NTFS file and folder permissions, and shared folder permissions. First we will go over the theory and practical aspect of both and then we’ll see how they work combined.

NTFS Permissions

Before NTFS became the default file system on all Windows operating systems, one of the main reasons to use NTFS instead of FAT or FAT32 was the possibility to assign permissions to individual files and folders. Each file and folder on an NTFS volume contains an Access Control List (ACL). This list contains entries for groups and individual user accounts mapped to their corresponding permissions. When a user tries to access a resource, Windows checks the ACL to see whether the user is listed and what level of permission is assigned. It doesn’t matter whether the user tries to access the resource on the local hard drive or on a remote server.

First let’s go over the main NTFS permissions that can be assigned for files and folders:

Read permission allows a user to read the files, list the contents of folders, subfolders and volumes, and read the attributes, permissions and ownership. A user with only Read permission will not be able to change the contents of the file or folder.

Write permission allows the same as Read, but additionally allows the user to modify and create files and subfolders as well as change attributes.

Read and Execute permission allows the same as Read, but additionally allows users to run applications.

Modify permission allows the same as Read, Write and Read and Execute combined, but additionally allows deleting.

Full Control allows everything permitted by the other permissions, but additionally a user with Full Control can change permissions for other users and take ownership of files and folders.

List Folder Contents permission applies to folders only. It allows users to list the contents of folders and volumes. Users with this permission can see the files and folders, but cannot read or modify them, nor can they create new files and folders.

By default, Windows 2003 assigns Full Control permissions to the Administrators group and the System account on any NTFS volume, and these are inherited by the folders and files in it. The Users group is assigned Read & Execute, List Folder Contents, and Read permissions. Users or groups who need to write to and/or modify files and folders will need additional permissions.

The above list describes what the NTFS permissions ‘allow’, but you can also explicitly deny permissions to users. Denying permissions is usually only done to make an exception. For example, you could allow Modify permission for the Sales group and deny the same permission for a certain user account in the Sales group for whom you want to make an exception.

Allow permissions are cumulative, which basically means the least restrictive permission becomes the effective permission. For example, John is a member of the Sales group and the Management group. Sales has been allowed Modify permissions for the folder SalesReports. Management has been allowed Read permissions for the same folder. Since John is a member of both groups, his effective permission in this case is Modify. The following table lists some more examples. Note that the listed permissions in these examples are ‘allowed’.

[Table: examples of effective NTFS permissions. Columns: User Permissions | Sales Group | Management Group | Effective NTFS Permissions. In every row the effective permission is the least restrictive of the allowed entries, e.g. Full Control in any column yields an effective permission of Full Control.]

Configuring NTFS Permissions

There are several different ways to assign NTFS permissions, but the most common way is to use Windows Explorer or My Computer: right-click a file, folder, or volume, click Properties and then click the Security tab. Under Group or user names on the Security tab, select or add a group or user. Then, at the bottom, allow or deny one of the available permissions.

By default, when you add a user or group to the list in the dialog shown above, this user or group will have Read & Execute, List Folder Contents, and Read permissions.

File permissions override folder permissions. For example, if user David has been allowed Read permission for a folder and Modify permission for the file work.doc in it, his effective permission for the work.doc file is Modify. The exception to this rule is the Full Control permission on folders: groups or users that have Full Control for a folder can delete files and subfolders in it regardless of the permissions set on those files and subfolders.

In addition to the permissions listed above, you can also assign special permissions by clicking the Advanced button on the Security tab to open the Advanced Security Settings dialog with the Permissions tab opened, as displayed in the following screenshot. Here you can add, remove, and edit the permissions for users on a more granular level.

Permission Inheritance

Besides explicitly assigned permissions on a file or folder, it may inherit permissions from its parent folder (up to the root folder, which is the volume itself). By default, permissions set on a folder are automatically inherited by all files and subfolders in it. This simplifies administration but is not always desired.

In the image above, you can see the following two options:

Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.
When this option is cleared, the file or folder will not inherit permissions from the parent folder.

Replace permission entries on all child objects with entries shown here that apply to child objects.
This option will actually reset the permissions on child objects (files and subfolders) to make sure they inherit the permissions from this folder and those permissions are not overridden by permissions explicitly assigned on child objects.

In some situations you may want to inherit most of the permissions from the parent, but make an exception for one or more users/groups. In that case you should set the opposite permission of the one that is inherited. For example, if James inherits Modify permission from a parent folder through group permissions, you could deny Modify permission for James on the child object to override the inherited permission for James only and still allow Modify access to the rest of the group.

Effective Permissions

On the Effective Permissions tab of the Advanced Security Settings dialog for a file or folder you can select a user or group and see the effective permissions. These are the result of the permissions directly assigned to the file or folder and the permissions inherited from parent folders.

Change ownership of files and folders

When a user creates a file or folder, Windows 2003 automatically assigns Full Control permission to the creator/owner. This allows the user to assign permissions to other users for the files he or she creates. This means that, besides the ACL, files and folders need to include information about who owns the file. By default, this is the account that creates the file or folder, or the Administrators group. For several different reasons, the ownership of a file or folder may need to change. For example, if a user leaves the company, the ownership of his or her files and folders may need to be transferred to other users.

You can take ownership of a file by replacing the owner with your own account or with one of the groups you are a member of. You must have Full Control or the special permission Take Ownership to be able to take ownership of a file or folder. Users who have the Restore files and directories privilege can assign ownership to any user or group.

Moving and copying protected files

Moving and copying NTFS protected files is similar to moving and copying compressed files. When you copy a protected file to a folder on the same or a different volume, it inherits the permissions of the target folder. When you move a protected file to a different NTFS volume, the file also inherits the permissions of the target folder. A move between volumes is actually a copy: the source file is deleted after it is copied to the target volume.

However, when you move a protected file to a different location on the same volume, the file retains its permissions. When data is moved within the same volume, the data is not actually relocated; only the pointer to it is changed, and that is why it retains its ACL. In all cases the target volume needs to be an NTFS volume as well because, as mentioned earlier, FAT, FAT32 and other file systems do not support NTFS file and folder permissions.

Shared Folder Access

A shared folder (commonly referred to as a share) is a folder or entire volume that is published on the network and can be remotely accessed by other users. The shared folder can be used as if it were a local folder: to store data, and even to run applications from the share over the network. Members of the built-in groups Administrators, Server Operators and Power Users can share folders. If the shared folder is located on an NTFS volume, users need at least the NTFS permission Read for the local folder to be able to access it, regardless of the share permissions assigned to it. Following are some of the common methods for creating shared folders:

1. Use the Shared Folders snap-in, which is included by default in the Computer Management console. In the console tree, click Shares (below Computer Management | System Tools | Shared Folders). On the Action menu, click New File Share. You will be prompted to select the folder or drive, enter the share name and description, and set permissions.

2. Use the net share command at the command prompt: net share sharename=drive:path

3. In Windows Explorer/My Computer right-click the folder or drive, click Properties and then the Sharing tab. Enable the option Share this folder, enter a name for the share, a description and configure other settings as depicted in the following image.

Users can connect to a share in several ways, for example:

1. Using My Network Places/Windows Explorer, a user can browse to the share or use the Add Network Place wizard to create a shortcut.
2. Use a direct UNC path, for example: \\FileServer12\ShareX
3. Use My Network Places/Windows Explorer or the net use command to map a drive letter to a share.

By default, Windows 2003 creates the following hidden administrative shares, depending on the configuration of the server:

ADMIN$
This is the system root, usually C:\Windows. Administrators are assigned Full Control share permissions.

C$, D$, E$, etc.
Each volume on a hard disk is shared by default and provides easy access to the entire volume for Administrators. Administrators are assigned Full Control share permissions.

IPC$
A system share that allows named pipe connections for communication between applications and other computers.

PRINT$
This points to the %systemroot%\System32\Spool\Drivers folder, and is created when printers are shared to allow clients to automatically download the printer drivers.

FAX$
A system share used by fax clients.

You can create hidden shared folders yourself by adding a $ sign to the end of the share's name. Hidden shares do not show up when users browse the network through My Network Places, for example. To access these hidden shares, users need to enter the name including the $ sign. NETLOGON and SYSVOL are two other administrative shares that exist on domain controllers, but they are not hidden.

Shared Folder Permissions

There are three different share permissions that can be assigned to groups and individual user accounts. These permissions apply only when connecting to the share over the network. The share permissions do not apply to users who log on to the local machine. The following three share permissions are available for shared folders:

Read
Allows users to read files and list the contents of folders and volumes. This allows executing applications as well. The default for new shared folders is Read permission for Everyone.

Change
Allows the same as Read, and additionally allows the user to modify, create and delete files and subfolders.

Full Control
Allows the same as Change, but additionally allows the user to modify permissions.

Whether the share permissions actually allow the desired access depends on the NTFS permissions of the shared folder and the files and subfolders in it. For example, if a user has the share permission Change for a shared folder, that user will not be able to actually change files for which the user has only Read NTFS permission. We will go over some more examples in the following section “Combining Shared Folders with NTFS Permissions”. Note that you can also create shared folders located on a FAT or FAT32 disk and assign share permissions to provide protected access for users that connect to the shared folder. Remember that share permissions are only used when a user connects to the shared folder from a remote computer. So if a user logs on locally to a computer with a FAT/FAT32 drive, the share permissions are ignored and nothing protects the files.

To configure share permissions in Windows Explorer/My Computer, right-click the folder or drive, click Properties and then click the Permissions button on the Sharing tab. Under Group or user names, select or add a group or user, and allow or deny one of the permissions listed above.

When you set share permissions, you can either Allow or Deny them to a user or group. Typically you would allow a group share permissions and deny the same permissions to certain members of that group. The default permission for new shared folders is Read for Everyone. Whether Everyone will actually be able to read depends on the NTFS permissions.

Combining Shared Folders with NTFS Permissions

When you combine NTFS permissions and share permissions, the most restrictive of the two effective permissions counts. For example, if you create a folder with files and assign Full Control NTFS permission to Everyone, then share the same folder and assign the share permission Read to Everyone, users connecting through the network will have Read permission.

Probably the most common mistake made when combining share permissions and NTFS permissions is to add them all to a single pile and then take the most restrictive. Instead, you need to determine the effective share permission and the effective NTFS permission separately before taking the most restrictive of the two.

So to determine what the permissions are for a user connecting through a shared folder to a local folder protected with NTFS permissions you need to do the following:

1. Determine the ‘effective’ NTFS permissions
2. Determine the ‘effective’ share permissions
3. Take the most restrictive of these two.

Following is a practice question that has raised discussion in our forums several times:

X. You share a folder on your computer and you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder. John is also a member of the Sales group, which has been assigned Read NTFS permissions. What are John's effective permissions when connecting to the shared folder?

a. Read
b. Read & Execute
c. Change
d. Full Control

The correct answer is c. Change, but many people seem inclined to choose answer a. Read instead, because Read is the most restrictive permission mentioned. However, it is the most restrictive effective permission that counts.

1. Determine the effective NTFS permissions:
As mentioned earlier in the NTFS permissions section, NTFS permissions are cumulative. This means the least restrictive applies when considering only NTFS permissions. In this case, John has Read NTFS permission for the folder through the Sales group and Full Control NTFS permission through his own account, hence his effective NTFS permission is Full Control.

2. Determine the effective share permissions:
The question only mentions that the share permissions are Change to Everyone, so no other share permissions have been explicitly assigned for the Sales group or John and hence the effective share permission is Change.

3. Take the most restrictive of these two:
The most restrictive of the previous two effective permissions is Change. Although John has Full Control NTFS permission for the folder, he is accessing the folder through a shared folder for which he only has Change permissions.
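The three-step rule above, and the practice question, as an added example (not part of the original TechNotes): each standard permission is expanded to a set of elementary rights so that cumulative allows, explicit denies and the NTFS-versus-share combination become set operations. The right names and the contents of each set are an assumed simplification of the descriptions on this page.

```python
# Added example: a model of the page's three-step rule as set arithmetic.
# "Allows accumulate" = union, "an explicit deny wins" = difference,
# "most restrictive of NTFS vs share" = intersection. Right names and the
# contents of each set are an assumed simplification of the page's descriptions.

READ = {"read", "list"}
CHANGE = READ | {"execute", "write", "delete"}
FULL = CHANGE | {"change permissions", "take ownership"}

# Standard NTFS permissions as described in the NTFS Permissions section.
NTFS = {
    "List Folder Contents": {"list"},
    "Read": READ,
    "Read & Execute": READ | {"execute"},
    "Write": READ | {"write"},
    "Modify": CHANGE,
    "Full Control": FULL,
}

# Share permissions: Read also allows executing, Change adds modify/create/delete,
# Full Control adds changing permissions.
SHARE = {"Read": READ | {"execute"}, "Change": CHANGE, "Full Control": FULL}


def effective(entries, table):
    """entries: (principal, 'Allow' | 'Deny', permission name) for the user and every
    group the user belongs to. Allows accumulate; denies then remove rights no matter
    which entry allowed them (the page's 'deny as an exception' rule)."""
    allowed, denied = set(), set()
    for _principal, kind, permission in entries:
        rights = table[permission]
        if kind == "Allow":
            allowed |= rights
        elif kind == "Deny":
            denied |= rights
        else:
            raise ValueError(f"unknown entry type {kind!r}")
    return allowed - denied


def describe(rights, table):
    """Name of the largest permission in `table` fully covered by `rights`, else 'No Access'."""
    best, best_size = "No Access", 0
    for name, needed in table.items():
        if needed <= rights and len(needed) > best_size:
            best, best_size = name, len(needed)
    return best


def effective_over_share(ntfs_entries, share_entries):
    """Steps 1-3: effective NTFS, effective share, then the most restrictive of the two."""
    return effective(ntfs_entries, NTFS) & effective(share_entries, SHARE)


def worked_question():
    """The practice question: share Change to Everyone; NTFS Full Control for John and
    Read for Sales. Returns (effective NTFS, effective share, result over the share)."""
    ntfs_entries = [("John", "Allow", "Full Control"), ("Sales", "Allow", "Read")]
    share_entries = [("Everyone", "Allow", "Change")]
    return (
        describe(effective(ntfs_entries, NTFS), NTFS),
        describe(effective(share_entries, SHARE), SHARE),
        describe(effective_over_share(ntfs_entries, share_entries), SHARE),
    )
```

Running worked_question() yields ('Full Control', 'Change', 'Change'); the same functions reproduce the earlier examples, such as Sales Modify plus Management Read giving Modify, or a deny of Modify for James removing his access despite the group allow.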

Troubleshoot access to files and shared folders

Problems accessing shared folders are often caused by underlying network connectivity problems. Before you scratch yourself a bald spot trying to find an incorrectly configured ACL or shared folder, make sure you check basic network connectivity: ping the file server by name, check that the user is properly logged on to the domain, etc.

Probably the most common cause of problems with accessing files and shared folders is an incorrect configuration, so when things are not working as expected you should verify the configuration. A user who is not able to access a file or folder may be a member of a group that was recently denied certain permissions. Changes to the permissions assigned to a parent folder may also cause problems through inheritance.

The Effective Permissions tab of the Advanced Security Settings dialog provides an easy method to determine the effective NTFS permissions, but it does not take share permissions into account. In large environments with many users and groups, it can be hard to determine the effective share permissions, so it is important to maintain a structured user and group design and folder hierarchy. The following link points to a document with best practices for shared folders.

The Shared Folders snap-in, included by default in the System Tools of the Computer Management console, provides an overview of the Shares configured on the local computer, the active Sessions, and the currently Open Files. These can provide valuable information when troubleshooting access to shared folders.

Current related exam topics for the 70-290 exam:

Managing and Maintaining Access to Resources

Configure access to shared folders.
- Manage shared folder permissions.

Configure file system permissions.
- Verify effective permissions when granting permissions.
- Change ownership of files and folders.

Troubleshoot access to files and shared folders.

Date: Wednesday, March 14, 2007
Author: Johan Hiemstra