We help IT Professionals succeed at work.

Nonuniform Share permissions across files and folders of a Windows 10 drive

High Priority
162 Views
1 Endorsement
Last Modified: 2019-10-16
I've been trying to apply uniform Share permissions across the files and folders of an entire drive in a domain-joined Windows 10 Pro workstation.
I can take the steps but the results look strange.
(I've run sfc and DISM just lately on the host).

If I look at the Share permissions, they vary across the folders.
I did re-propogate the Security permissions just in case that it would have some effect.  Wishful thinking...

I've not yet tried logging into different users on the host to see if there are differences.
When I look at properties over the network, I don't see a Sharing tab at all......
Comment
Watch Question

kevinhsiehNetwork Engineer
CERTIFIED EXPERT

Commented:
There are two kinds of permissions that control access to files and folders over a network. The first is the share permissions, which apply to everything in the entire share. Over the network, you cannot have permissions greater than the share permissions, even if you are an administrator or have full control on a sub folder.

The second set of permissions is NTFS, which you should be familiar with. NTFS permissions are granular and can vary per folder and even per file.

I continue to follow the initial model for setting permissions first laid out with Windows NT. Give EVERYONE full control permissions on the share, and put the real controls on the files and folders using NTFS. The effective permissions over the network is the intersection of permissions allowed through the share and the NTFS. By making the share permissions the least restrictive possible, it reduces the challenge of setting proper controls to just getting the NTFS permissions correct.
kevinhsiehNetwork Engineer
CERTIFIED EXPERT

Commented:
You cannot see share permissions remotely via Windows Explorer. Shares are managed remotely via the Computer Management MMC snap-in.
Fred MarshallPrincipal
CERTIFIED EXPERT

Author

Commented:
kevinhsieh:  Thank you!

Yes, I do know the two kinds of permissions (or thought I did!) and am digging into those types a bit deeper.  

If I might ask:
The first is the share permissions, which apply to everything in the entire share.
This seems to be at odds with what I observed on the local host:
If I look at the Share permissions, they vary across the folders.
What I found came as quite a surprise.  So I'm trying to understand.  As I understand your comment on this, it should not be that way - which is what I also thought!

even if you are an administrator or have full control on a sub folder
This was in the context of Share permissions.  Still, I assumed you meant:
even if you are an administrator or have NTFS full control on a sub folder
... because, if not NTFS, this suggests non-uniform Share permissions.   ???
Otherwise, we would have a folder shared FULL with this User residing within a folder with NONE or READ or....
Right?  
I do understand "the most restrictive applies between Share and NTFS permissions".
I feel like I'm missing something fundamental.

Yes, I understand the initial model idea. I'm trying to use it throughout - when it makes sense to change things.
But, I've been working on a case where I want to switch permissions quickly (avoiding long times for propagation of inheritance) and the Share permissions were recommended for that purpose.  So, I was treating it as a "special case".  

I posted this question mostly about Share permissions as seen at the host.
Principal
CERTIFIED EXPERT
Commented:
OK.  Well, I've done some experiments in order to see how things seem to work.
My original assertion about non-uniform Sharing status seems to be incorrect.

In the case I was originally working on was with an external USB hard drive.
The drive is Shared but none of the subordinate top-level folders are shown as shared.  That's what caused my question.

Once I figured that out, I should have tested any conclusions.
So, I did a test and I don't see the same behavior on other external USB hard drives.
In my latest test, all the folders show that they are shared IF the drive is shared.
That's what I would have expected.
So, it appears something is corrupted or missing on this one.

So, I guess I'm working with a special case.
Indeed, because I turned on "Shared with" column in Windows Explorer and it shows the expected sharing.
Yet, the Properties of the folders, in this case, show Not Shared.
The original drive was BitLockered.  But I can't imagine that would matter.

Thanks for the insights!
Fred MarshallPrincipal
CERTIFIED EXPERT

Author

Commented:
Thanks Kevin!