NTFS Permission on File and shared on domain and local?

Background about my system

  • Server 2008 R2
  • Windows XP and Windows 7 PC
  • I have different departments who have different access
  • All of my users are by default part of Domain Users Group

I have set up my system with a UNC path and shared folder.

I have a few questions on NTFS permissions on files and shares.

I have the following permissions set up on a shared folder.

Scenario 1:

  • Everyone has full control
  • Domain Users (group) has only read access

Scenario 2:

  • Authenticated Users has full control
  • Everyone has read-only access

The local PC/server has the following default groups

  • Administrators
  • Everyone
  • Power Users
  • Backup Operators
  • Users

My question is

  • In Scenario 1, who will have full access?
  • In Scenario 2, who will have access?
  • What takes priority: local groups or domain groups?
  • Some of the users were able to access Scenario 1 with full permission, but some users were able to access the shares as read-only. Why?
  • Which groups take priority?
  • What is the difference between share permissions and NTFS permissions?
  • When setting up your share, what is the best group to add to the share permissions and why (Everyone, Domain Users, or a specific group which relates to that department)?

I really need to understand this. Please make your answer clear.

asked Apr 17, 2015 by maj  

1 Answer

All of this is covered in the Windows documentation on shares, file permissions, and groups.

Scenario 1: Everyone will have full access. Access is cumulative.

Scenario 2: Everyone but Guest will have full access.

As to why some users only had read-only in Scenario 1, it would have to be that some users have full vs. read-only file (NTFS) permissions.

Neither local nor domain groups take priority. Share permissions are cumulative.

Share permissions function at the layer where the client accesses the share. File permissions function at the layer where files are accessed. I.e., if a user has no share permissions, but Full Control NTFS permissions, they won't be able to get to the files. Additionally, if they have all share permissions but no file permissions, they will be able to connect to the share, but not be able to do anything with the files.

Best practice is to always give minimal access. So permissions on shares and the files should be given only to the group(s) that needs to access them. Microsoft's approach is to create a domain group and a local group. Put the domain group in the local group, and then assign permissions to the local group.
answered Apr 17, 2015 by james
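
The rules in the answer above (allow entries are cumulative within a layer, and over the network both the share layer and the NTFS layer must allow the access) can be checked with a small model. This is an added example, not part of the original answer; the NTFS ACL, the `Sales` group, and the user names are constructed for illustration, access levels are simplified to three nested masks, and deny entries are not modelled.

```python
# Simplified access masks: each level includes the bits of the level below it.
# (NTFS calls the middle level "Modify"; "Change" is the share-permission name.)
NONE, READ, CHANGE, FULL = 0b000, 0b001, 0b011, 0b111
NAMES = {NONE: "None", READ: "Read", CHANGE: "Change", FULL: "Full Control"}

def layer_access(acl, groups):
    """Access granted by one layer (share or NTFS). Allow entries are
    cumulative: OR together every entry whose group the user belongs to."""
    mask = NONE
    for group, rights in acl:
        if group in groups:
            mask |= rights
    return mask

def effective_access(share_acl, ntfs_acl, groups):
    """Over the network both layers must allow the access, so the result is
    the intersection (AND) of the share result and the NTFS result."""
    return layer_access(share_acl, groups) & layer_access(ntfs_acl, groups)

# Share ACLs taken from the question.
SCENARIO_1_SHARE = [("Everyone", FULL), ("Domain Users", READ)]
SCENARIO_2_SHARE = [("Authenticated Users", FULL), ("Everyone", READ)]

# Constructed NTFS ACL: one department group can modify, all domain users read.
NTFS_ACL = [("Sales", CHANGE), ("Domain Users", READ)]

# Constructed group memberships. Assumption: the guest logon is a member of
# Everyone but not of Authenticated Users or Domain Users.
USERS = {
    "sales_user": {"Everyone", "Authenticated Users", "Domain Users", "Sales"},
    "other_user": {"Everyone", "Authenticated Users", "Domain Users"},
    "guest": {"Everyone"},
}

def report(share_acl):
    """Return {user: (share, ntfs, effective)} using readable level names."""
    out = {}
    for user, groups in USERS.items():
        out[user] = tuple(NAMES[m] for m in (
            layer_access(share_acl, groups),
            layer_access(NTFS_ACL, groups),
            effective_access(share_acl, NTFS_ACL, groups),
        ))
    return out

if __name__ == "__main__":
    for label, acl in (("Scenario 1", SCENARIO_1_SHARE), ("Scenario 2", SCENARIO_2_SHARE)):
        print(label)
        for user, row in report(acl).items():
            print(f"  {user:<11} share={row[0]:<13} ntfs={row[1]:<7} effective={row[2]}")
```

In both scenarios the two domain users get Full Control at the share layer, yet their effective access differs because the NTFS ACL differs, which is the read-only behaviour described in the question.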