network file sharing

Just a simple question(s):

What are the differences between sharing permissions (permissions when a file/folder is shared) and NTFS permissions, how do they interact, and when should I use which one?
David Williamson, IT Director, asked:

Across a network (i.e., accessing a folder from a different machine), the most restrictive between share permissions and NTFS permissions takes effect. E.g., assuming a user has an NTFS permission of full control and share permission of change, the user will have an effective permission of change if he accesses the file across a network but full control if he accesses the folder directly.
cg_from_va, IT Director, commented:
Share permissions are applied at the share level whereas NTFS permissions can be applied down to the individual file level.  Because of this, you have greater control of permissions using NTFS as opposed to share level.  

The only time you should ever use share level permissions is for file systems that do not have an NTFS file system such as FAT partitions, CDROM shares, and removable storage.

For NTFS file systems, set the share level permissions to Full Control/Everyone and then set your NTFS permissions accordingly.  Doing it this way also assures that users will have the same access to files over the network and at the console.  Some administrators like to try and set the share permissions to match the NTFS permissions, but the problem with this is you not only add confusion with no additional security, you also lock the share to the share level permissions.  What I mean by this is say you have a directory structure like this:

Folder      Share Permissions      NTFS Permissions
Share       Everyone - Full        Everyone - Read/List
--User1     N/A                    User1 - Modify (Don't give full)
--User2     N/A                    User2 - Modify (Don't give full)

If you set some share permissions at the share level (directory called 'share'), you could not have LESS restrictive permissions at the NTFS level.  So, if you set the share permissions also to Everyone - Read, you would not be able to give User1 Read/Write.

Also, never give Full Control to your users.  The difference between 'Full Control' and 'Modify' only includes the ability to Take Ownership and change permissions.  Your users should not be able to do these things since they might mess up what you worked hard to set up properly.  Some administrators think 'Modify' will not allow the users to delete files, but this is not the case.

Long story short, share permissions should not be used unless you have no other choice.

Hope this is helpful.
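
The folder layout from the table above, built and read back with PowerShell. This is an added example, not part of the original answer. The path `D:\Share`, the share name and the `CONTOSO\User1` / `CONTOSO\User2` accounts are placeholders, the `New-Rule` helper is hypothetical, and keeping Administrators and SYSTEM at Full Control on the root is an assumption so the folder stays manageable.

```powershell
# Added example. Hypothetical values: path, share name, account names.
# Run elevated on the file server; built-in account names are the English ones.
$root  = 'D:\Share'                          # folder on an NTFS volume
$share = 'Share'
$users = 'CONTOSO\User1', 'CONTOSO\User2'    # placeholder accounts

# Hypothetical helper: an Allow rule that applies to subfolders and files.
function New-Rule($Identity, $Rights) {
    $ruleArgs = $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
}

# NTFS on the share root: stop inheriting from the drive and grant Everyone
# read/list only. Administrators and SYSTEM keep Full Control (assumption).
New-Item -Path $root -ItemType Directory -Force | Out-Null
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)  # protected, inherited ACEs dropped
$acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM' 'FullControl'))
$acl.AddAccessRule((New-Rule 'Everyone' 'ReadAndExecute'))
Set-Acl -Path $root -AclObject $acl

# NTFS on each user folder: Modify rather than Full Control for its owner.
foreach ($user in $users) {
    $name = ($user -split '\\')[-1]
    $dir  = Join-Path $root $name
    New-Item -Path $dir -ItemType Directory -Force | Out-Null
    $sub = Get-Acl -Path $dir
    $sub.AddAccessRule((New-Rule $user 'Modify'))
    Set-Acl -Path $dir -AclObject $sub
}

# Share level: Everyone - Full, so NTFS alone decides effective access.
New-SmbShare -Name $share -Path $root -FullAccess 'Everyone' | Out-Null

# Read back both layers to confirm what is actually enforced.
Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessRight
Get-ChildItem -Path $root -Directory | ForEach-Object {
    $_.FullName
    (Get-Acl -Path $_.FullName).Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited
}
```

In the read-back, each user folder should list its owner with Modify as an explicit entry and Everyone with ReadAndExecute as an inherited one.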

David Williamson, IT Director (author), commented:
Thank you for the clear and detailed answer; exactly what I wanted to know!