NTFS Permissions in WS 2012

Permissions can be set at both the folder and file level:
- Full control: read, write, add, change, move and delete, plus change permissions and take ownership
- Modify: Read & Execute plus Write, plus the right to delete the file or folder itself (but not to change permissions or take ownership)
- Read & Execute: read contents and attributes, list folders, run programs
- List folder contents (applies only to folders): see file and subfolder names and traverse the folder, but not read file contents
- Read: read file contents and attributes, list folders
- Write: create files and subfolders and write or append data, but not read existing content
Effective NTFS permissions are cumulative: a user gets the union of every Allow granted to the user directly and to each group the user belongs to.

Deny beats Allow at the same level (explicit vs explicit, inherited vs inherited), but an explicit Allow set on the object itself beats a Deny inherited from its parent, as the precedence list below shows.
- Useful when a group has been granted access to a folder but one member of that group must be kept out: add an explicit Deny for that user.
More details from source: Setting basic NTFS permissions
A general hierarchy of precedence:
- Explicit Deny
- Explicit Allow
- Inherited Deny
- Inherited Allow
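The precedence list above and the cumulative rule further up, as an added example that is not part of the original notes: a PowerShell function that walks a DACL the way the Windows access check does (canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow) and reports the rights a principal ends up with. The ACEs, the identities LAB\alice and LAB\Staff, and the group membership are constructed for the example; owner and privilege based implicit rights and the ordering of inherited entries by parent depth are deliberately ignored.

```powershell
# Added example, not from the original notes: resolve effective NTFS rights
# from a DACL in canonical ACE order. Identities below are hypothetical.

function Resolve-EffectiveRights {
    param(
        # ACE-like objects with Identity, Type ('Allow'|'Deny'), Rights
        # (a System.Security.AccessControl.FileSystemRights name or mask)
        # and IsInherited
        [Parameter(Mandatory)] [object[]] $Acl,
        # The user's own identity plus every group it is a member of
        [Parameter(Mandatory)] [string[]] $Principals
    )
    # $false sorts before $true, so explicit (not inherited) entries come
    # first, and within each tier Deny comes before Allow.
    $canonical = $Acl | Sort-Object -Property @{ Expression = { $_.IsInherited } },
                                              @{ Expression = { $_.Type -ne 'Deny' } }
    [int]$allowed = 0
    [int]$denied  = 0
    foreach ($ace in $canonical) {
        if ($Principals -notcontains $ace.Identity) { continue }
        $mask = [int][System.Security.AccessControl.FileSystemRights]$ace.Rights
        # A bit is settled by the first ACE that mentions it; a later ACE,
        # whether Allow or Deny, cannot flip it.
        $undecided = $mask -band (-bnot ($allowed -bor $denied))
        if ($ace.Type -eq 'Deny') { $denied  = $denied  -bor $undecided }
        else                      { $allowed = $allowed -bor $undecided }
    }
    [System.Security.AccessControl.FileSystemRights]$allowed
}

# Constructed DACL for one file (in real use you would read it with Get-Acl):
$dacl = @(
    [pscustomobject]@{ Identity = 'LAB\Staff'; Type = 'Allow'; Rights = 'Modify'; IsInherited = $true  }
    [pscustomobject]@{ Identity = 'LAB\Staff'; Type = 'Deny';  Rights = 'Write';  IsInherited = $true  }
    [pscustomobject]@{ Identity = 'LAB\alice'; Type = 'Allow'; Rights = 'Write';  IsInherited = $false }
    [pscustomobject]@{ Identity = 'LAB\alice'; Type = 'Deny';  Rights = 'Delete'; IsInherited = $false }
)

# alice is assumed to be a member of Staff, so both identities are in play
Resolve-EffectiveRights -Acl $dacl -Principals 'LAB\alice', 'LAB\Staff'
```

Walking the sample in canonical order: the explicit Deny Delete on alice settles the Delete bit first; the explicit Allow Write settles the Write bits, so the inherited Deny Write for Staff arrives too late to remove them; the inherited Allow Modify for Staff then contributes only the bits still undecided (Read & Execute), which accumulate on top. The function therefore returns Write plus Read & Execute, i.e. Modify minus Delete, which is what the precedence list predicts.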
Permissions on shares
- Full Control: read, write, change and delete any file and subfolder, and change permissions.
- Change: roughly the equivalent of the NTFS Modify level.
- Read: roughly the equivalent of the NTFS Read & Execute level.
- Source: Windows Network Sharing
What happens when combining share and NTFS permissions?

Share vs NTFS permissions: when a folder is reached through a share, both sets are evaluated and the more restrictive result wins.
- E.g. Folder - Share: Read for the Everyone group; NTFS: Full Control for the Everyone group => over the network the share permission limits users to reading; they cannot make changes.

Share permissions are only enforced when the contents of the shared folder are accessed over the network (SMB).
- On the server itself (local logon, RDP session, scheduled task, service) only NTFS permissions apply, so a loose NTFS ACL is not rescued by a tight share ACL.
NTFS permissions from different sources are additive
- User A is granted Read directly
- User A belongs to a group that is granted Modify => User A effectively has Modify (Read is already part of it).

Common practice among administrators: grant Full Control on the share and do the real restriction with NTFS permissions. Full Control on the share restricts nothing, so if users should only be able to read the contents of the shared folder, grant them just Read in NTFS. The same permission set then applies whether the folder is reached over the network or directly on the server, and there is only one set of permissions to reason about and audit. Two caveats: grant the share to Authenticated Users rather than Everyone, and remember that with this pattern the NTFS ACL is the only control left, so review it, including the entries it inherits from parent folders, with care.
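The share-plus-NTFS pattern described above, as an added example that is not part of the original notes: a PowerShell sequence that creates the share wide open to Authenticated Users and then sets an explicit NTFS ACL, so that local and network access see the same effective rights. The share name, the path D:\Projects and the groups LAB\Editors and LAB\Staff are hypothetical.

```powershell
# Added example, not from the original notes: open share, restrict with NTFS.
# Share name, path and group names are hypothetical.

# 1. Make sure the folder exists, then share it with Full Control for
#    Authenticated Users (not Everyone, which also covers Guest), so the
#    share layer never becomes the more restrictive of the two.
New-Item -ItemType Directory -Path 'D:\Projects' -Force | Out-Null
New-SmbShare -Name 'Projects' -Path 'D:\Projects' `
             -FullAccess 'NT AUTHORITY\Authenticated Users'

# 2. Do the real access control with NTFS. /inheritance:r drops the ACEs
#    inherited from D:\ so the folder's rights are exactly what is listed
#    here; (OI)(CI) makes each entry inherit to files and subfolders.
#    Administrators are granted in the same command so the folder is never
#    left without an entry that can change permissions.
icacls 'D:\Projects' /inheritance:r /grant `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'LAB\Editors:(OI)(CI)M' `
    'LAB\Staff:(OI)(CI)RX'

# 3. Verify both layers: the share should list a single Full-access entry,
#    and icacls should list the three explicit entries with no inherited
#    ones left, so what Staff get over the network (RX) is what they get
#    when logged on to the server.
Get-SmbShareAccess -Name 'Projects'
icacls 'D:\Projects'
```

If the folder must later be tightened for one member of LAB\Staff, an explicit Deny for that user (icacls /deny) on the folder is enough, since an explicit Deny outranks the inherited Allow the group entry produces on the contents.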
Changing NTFS Folder Permissions
icacls
icacls dirname                           # Display the ACL for dirname
icacls dirname /t                        # Recurse: list ACLs of dirname and everything under it
icacls dirname /grant User:(OI)(CI)M     # Add an Allow ACE: Modify, inherited by files (OI) and subfolders (CI)
icacls dirname /grant:r User:(OI)(CI)M   # Same, but replace any existing explicit ACE for User instead of adding to it
icacls dirname /deny User:(OI)(CI)W      # Add an explicit Deny ACE (outranks inherited Allows)