Hand pointing to NTFS permissions on computer screen.

If several people in a company need to apply the same local resources, there must be a unproblematic and efficient way of controlling access to these resources. Commonly, this is done using share permissions and/orNTFS permissions. Both serve the purpose of protecting data and preventing unauthorized access. While they can coexist, they work in different ways.

Today, nosotros are going to take a closer look at what exactly the difference between share permissions and NTFS permissions is and illustrate some all-time practice examples for using both methods in Microsoft Windows environments.

What Are NTFS Permissions?

NTFS (New Engineering science File System) is the standardized file system for Microsoft Windows NT and newer versions of Microsoft's operating system. NTFS permissions govern access to folders and files on Windows drives. What'south special most NTFS permissions is that they apply both when access is fabricated locally using a calculator and for access via network. And that's the primary and besides key difference between NTFS permissions and share permissions: The latter only applies when access is fabricated via network. It does not apply for access via computer, i.due east. locally.

Setting NTFS Permissions

Setting NTFS permissions is non overly complicated, though there are a couple of things yous should exist aware of. Our articleSetting NTFS Permissions covers the4 most common mistakes and outlines the best practices for dealing with NTFS permissions.

To set up an NTFS permission, correct-click on a binder or file and select "Backdrop", and then navigate to the "Security" tab to set your permissions. This is the window you will be looking at:

While share permissions merely allow the three options (Full access, Alter and Read), NTFS permissions allow you to ready access at a more than granular level, both for individuals and groups.

The level of access you lot cull to set up can be passed on to subordinate files or folders due to the NTFS permissions' inheritance backdrop. The following NTFS permission levels are the most important ones:

  • Full control:The user has permission to change the contents of files and directories and tin can furthermore change organisation settings (e.g. permissions or buying of the folder).

  • Modify:The user has permission to meet, read, execute, write and delete files.

  • Read & Execute:The user has permission to view file contents in the folder including scripts and may execute programs.

  • Listing binder contents:The user has permission to see directories and files independent in the folder.

  • Read: The user has permission to run into which directories and files the binder contains and tin also view the contents of these files and folders.

  • Write: The user has permission to add files and subfolders and to write to files.

How Do Share Permissions Work?

Share permissions are used to command access to shared folders (and their subfolders and files) when accessed over a network. This means if access is made locally using a PC, the share permission has no influence. To set share permissions, correct-click on the binder, go to "Properties", click on the "Sharing" tab, then "Advanced Sharing" and, finally, click on "Permissions". You will then see this window:

Dissimilar NTFS permissions, share permission levels are limited to "Read", "Change" and "Full access".

  • Total Control: The user can modify folders and files within the share, also as edit permissions and take command of files.

  • Modify: Users are permitted to read, execute, write and delete folders and files in the share.

  • Read: Users are permitted to view folder contents.

The Issue With Share Permissions

The terminal matter you need in your visitor are complicated, messy and convoluted access structures. But if you decide to apply share permissions only, that's probably what you're going to be dealing with – one reason being that share permissions allow yous to take different levels of permission within the same folder hierarchy, and that can be very confusing and misleading. Users might unintentionally terminate upwardly receiving more than rights to a folder than intended because the share permission at the lower-level folder allows more than access than the folder on a higher root. Click here for more information about the disadvantages of using share permissions only.

Webinar Anmeldung Icon

Sign up for our webinar!

The Top 5 Risks in Access Management
held by Helmut Semmelmayer, tenfold Software

Sign up for our webinar!

The Tiptop 5 Risks in Access Management
held by Helmut Semmelmayer, tenfold Software GmbH

Is It Possible to Use NTFS and Share Permissions Simultaneously?

The short answer is, yes, it is. But you need to know exactly which permission has priority over another. Otherwise, you might stop up giving your employees also many or not enough rights.

When accessing a folder or file via network, share permissions always have priority over NTFS permissions. If access is made locally on the file server, however, NTFS permissions rank outset. Even if access is made via network, the share permission cannot be used every bit a means of extending the NTFS permission. It can only be used to further restrict the NTFS permission.

Note: If share permissions and NTFS permissions are used together, the almost restrictive permission overrules the other.

Examples of Mixing Share and NTFS Permissions

Let'southward examine how share and NTFS permissions behave when they are used together in the following example: Presume that access to our binder "\\srv\Section\Sales" is fabricated via network share and non locally.

Example 1

If the sharing permission is set to "Read" and the NTFS permission is prepare to "Total Control", the user will only get "Read" access to the file considering the share permission prohibits "Full command" access via network.

Diagram illustrating different levels of permissions and the effective permissions that result.

Case 2

If the sharing permission is gear up to "Full Command" and the NTFS permission is set to "Read & Execute", the user will still only take "Read & Execute" access to the file. While the share permission would allow "full" admission, the NTFS permission locally restricts access to "Read & Execute".

Diagram illustrating different levels of permissions and the effective permissions that result.

Best Practices for Sharing and NTFS Permissions

As yous can tell, folder sharing with merely 3 available sharing permissions provides very limited security for folders. It is definitely more flexible to mainly rely on NTFS permissions to command access levels and then to ensure that your share permissions practice not unnecessarily hinder access at network level.

Nosotros therefore recommend setting share permissions for admins to "Total Control" and to "Alter" for domain users. Practice not set any other share permissions. This way, it is guaranteed that the NTFS permissions y'all set apply and volition not be restricted when access is made via network. Using NTFS to command admission on file servers brings the post-obit advantages:


This mode, it is guaranteed that the NTFS permissions you set use and volition not exist restricted when admission is made via network. Using NTFS to command access on file servers brings the post-obit advantages:

  • Combining NTFS permissions and share permissions is confusing and circuitous.
  • NTFS permissions tin can exist fine-tuned.
  • NTFS permissions apply even if access is fabricated locally on the server.

[FREE WHITE PAPER] Best practices for access management in Microsoft®environments.

Read our white newspaper to learn how to best handle admission rights in Microsoft® environments.

[Complimentary WHITE Newspaper] All-time practices for admission direction in Microsoft®environments.

Read our white paper to learn how to best treat access rights in Microsoft® environments.