Question about NTFS permission

Posted on 2009-12-16
Last Modified: 2012-05-08
I am trying to figure out several different scenarios of permission settings, and how to know which permission takes precedence over another. Now I have been testing this a lot, but sometimes it seems like I am not getting any logic into this. For example I have often read that if a user is a member of two groups, the group with the more restrictive permission takes precedence. Then there is the thing about inherited permission vs explicit permission - where explicit should take precedence over the other...

What happens in the following scenarios (On a computer client, joined to a domain)?

NTFS permission of a folder:
Administrator group : Inherited, Full Control
Users (builtin group) : Inherited, Read and Execute
Users (builtin group) : Explicit, Read.

In the above case, if a user is both a member of the Administrator group and the Users group - what happens with the NTFS permissions of the Administrators group? If explicit permissions always take precedence over the inherited ones, do the users in the Administrators group suddenly lose some of their permissions?

Another similar scenario is when the group "Users (builtin)" has inherited Read and Execute permission on a folder, and I need to prevent this. Then I have the possibility of going into the advanced option and clearing the box where it says "include permission from the parent object". But if I do that, ALL users and groups are removed - even the "SYSTEM" user account. Now why would anyone want to exclude the SYSTEM account to begin with? Risking that the folder becomes unusable, and cannot be deleted? Then again, I could specifically deny the "Users" group permission to the folder - but how will that affect other specific users or groups which I want to allow access to this folder? Since every user in the domain automatically becomes a part of the "Users (builtin)" group, through the "Domain Users" group - would this explicit deny permission take precedence over all other group permissions?

Question by:andre_st

    Assisted Solution

    by:Glen Knight
    The only thing you need to consider is that NTFS permissions are cumulative.
    This means if a user is a member of 2 groups they get a combination of both permissions put together.

    So if Group 1 has Read permission and Group 2 has Create/Modify then the user that is in Group 1 and Group 2 has Read + Create/Modify, unless there is an explicit Deny permission, in which case this takes precedence!

    On the other hand, the combination of NTFS + Share permissions is the most restrictive. For example, if a user has got READ share permission but FULL CONTROL NTFS, then they only have READ on the volume, so it makes no difference what NTFS permissions they have.

    Conversely, if they have FULL share permissions but only READ NTFS permissions, then they only have READ access.

    Accepted Solution

    The rules for NTFS permissions are simple:
    If a user is a member of multiple groups then they get the best (least restrictive) of the cumulative permissions
    UNLESS there is an explicit DENY - in which case the Deny always takes precedence.

    If you want to prevent permission inheritance, then when you clear the "include from parent" checkbox select COPY. This leaves the permissions in place, but they are now editable and you can remove whatever you want.

    When NTFS and Share permissions are combined you get the most restrictive of the two types of permissions.

    When you share a folder it has share permissions. For the most part, if your drives are formatted as NTFS then give the 'Everyone' group 'Full Control' at the share level (you will need to change the default permission on the Sharing tab as the default is 'Everyone' Read). This may seem odd and insecure but it is not, as NTFS itself allows you much greater control of permissions. It is usual to allow Full Control at the share level and then tie down permissions with NTFS.

    If you right-click on a folder and go to the Security tab, it will show you the NTFS permissions. Normally you will want a shared folder not to inherit permissions from its parent folder or drive, so go to the Advanced tab, clear the 'Inherit from parent...' box and COPY the permissions when prompted.

    You can then edit/add/remove groups from the Security tab and assign each the required permissions. So if you want the Marketing group to have full access to a folder, add the Marketing group and assign them Full Control. If you want the Sales group to be able to read the folder and files but not add/delete/change anything, add the Sales group and leave the default permissions (Read, Read and Execute, List Folder Contents). To stop others accessing the folder, remove the Everyone and (Domain) Users groups from the list.

    It is enough that groups do not appear on the list to stop them getting access. You do not normally need to DENY. If a user is a member of two or more groups they get the best of their cumulative NTFS Permissions (unless a deny is present, in which case it overrides).

    Normally the standard permissions will be sufficient for most purposes; if you want to be more prescriptive you can use the 'Advanced' option and set advanced permissions.

    If users have both share and NTFS permissions they get the most restrictive of the combined NTFS/Share permissions (which is why it is normal to allow Full Control on the share and rely on NTFS permissions).

    It is usual to give permissions to groups, not to users, as this makes for easier management. If a new person joins the sales team, you just add them to the Sales group and they automatically get all the permissions assigned to the Sales group. If someone moves from Marketing to Sales you remove them from the Marketing group and they lose all the Marketing group permissions; when you then add them to Sales they get all the permissions of the Sales group. As already stated, a user can be a member of multiple groups.

    See for more info

    Once a folder is shared with the correct share and NTFS permissions, users can connect to it using the UNC path name: they can type \\ServerName\ShareName at the Run prompt. Alternatively they can map a drive to the folder. To do this click on Tools, Map Network Drive in Windows Explorer and assign any unused drive letter to the shared folder. The folder will then appear as a network drive in My Computer.

    An analogy. Your computer is a house. Your data is in a safe in the house. To gain access to the data, people from outside have to go through the front door (the share), and then open the safe (NTFS). They need to have both the key to the door (share permissions) and the key to the safe (NTFS permissions) to get at the data - having one key or the other is no good - they must have both.
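    The two rules both answers describe (allows accumulate across groups, a Deny stops the check, and the share permission then caps the NTFS result) can be modelled in a few lines. This is an added example, not code from the thread; it uses constructed bit values rather than the real Win32 access-mask constants, and it orders the entries the way Windows canonically does (explicit Deny, explicit Allow, inherited Deny, inherited Allow), which also answers the question's explicit-vs-inherited case: the Administrators group keeps Full Control because allows simply add up.

```python
from dataclasses import dataclass

# Standard rights as bit flags (constructed values, not the Win32 constants)
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS = 1, 2, 4, 8, 16
READ_EXECUTE = READ | EXECUTE
MODIFY = READ | WRITE | EXECUTE | DELETE
FULL_CONTROL = MODIFY | CHANGE_PERMS

@dataclass
class Ace:
    trustee: str           # user or group the entry applies to
    mask: int              # rights covered by this entry
    allow: bool = True     # False means a Deny entry
    inherited: bool = False

def canonical(acl):
    """Canonical ACE order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))

def ntfs_access(acl, token, desired):
    """True if every bit of `desired` is granted to a token (set of group names).
    Allows accumulate across matching groups; a Deny covering any outstanding
    right ends the check with access denied."""
    remaining = desired
    for ace in canonical(acl):
        if ace.trustee not in token:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0

def effective_rights(acl, token, share_mask=FULL_CONTROL):
    """Rights actually usable through a share: the NTFS result intersected
    with the share permission, i.e. the more restrictive of the two wins."""
    granted = 0
    for bit in (READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS):
        if ntfs_access(acl, token, bit):
            granted |= bit
    return granted & share_mask

# The folder from the question (constructed ACL)
FOLDER_ACL = [
    Ace("Administrators", FULL_CONTROL, inherited=True),
    Ace("Users", READ_EXECUTE, inherited=True),
    Ace("Users", READ),  # explicit Read on top of the inherited entries
]
```

    Calling `effective_rights(FOLDER_ACL, {"Administrators", "Users"})` returns Full Control, while the same token through a Read-only share (`share_mask=READ`) gets only Read, matching the "most restrictive" rule.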


    Author Comment

    Thanks a lot for your replies!

    I have been reading a lot about this subject on the Internet, and in books. But I mostly found the explanations a bit confusing. But reading your answer - it suddenly made sense ;-)

    I haven't had the time to test this in action, but I am assuming that you are right about this. Therefore I will close the question, and award you well-deserved points.


