Administering Windows Server 2008: The Basics
Understanding Share Security
You can set both drives and folders as distinct shared resources, whether they are
located on a FAT-formatted drive or on an NTFS-formatted drive. In the case of an
NTFS-formatted drive (but not a FAT-formatted drive), you can also set permissions on
folders and files within the share that are separate from the permissions on the share
itself. Understanding how Windows Server 2008 handles security for shares, folders,
and files on NTFS drives is important.
Suppose that you created a share called RESEARCH and you gave the R&D security
group read-only access to the share. Within the share, you set the permissions on a
folder called PROJECTS to allow full read and write access (called change permission) for
the R&D security group. Will the R&D group have read-only permission to that folder
or change permission? The group will have read-only permission. This is because when
security permissions differ between folders within a share and the share itself, the most
restrictive permissions apply.
A better way to set up share permissions is to allow everyone change permission to
the share and then control the actual permissions by setting them on the folders within the
share itself. This way, you can assign any combination of permissions you want; then the
users will receive the permissions that you set on those folders, even though the share is
set to change permission.
Also, remember that users receive permissions based on the groups of which they
are members, and these permissions are cumulative. So, if you are a member of the
Everyone group who has read-only permission for a particular file, but you're also a
member of the Admins group who has full control permission for that file, you'll have
full control permission in practice. This is an important rule: Permissions set on folders
and files are always cumulative and take into account permissions set for the user
individually as well as any security groups of which the user is a member.
Another important point is that you can set permissions within a share (sometimes
called NTFS permissions) on both folders and files, and these permissions are also
cumulative. So, for instance, you can set read-only permission on a folder for a user,
but change permission for some specific files. The user then has the ability to read,
modify, and even delete those files without having that ability with other files in the
There's a special permission called no access, which overrides all other permissions,
no matter what. If you set no access permission for a user on a file or folder, then that's
it--the user will not be able to access that file or folder. An extremely important corollary
to this rule is that no access permission is also cumulative and overriding. So, if the
Everyone security group has change permission for a file, but you set a particular user
to no access for that file, that user will receive no access permission. If you set no access
permission for the Everyone group, however, then all members of that group will also
receive the no access permission, because it overrides any other permissions they have.
Be careful about using no access with security groups!