shared folder permissions

Definition of shared folder permissions in The Network Encyclopedia.

What is shared older permissions?

In Microsoft Windows, a set of permissions that can be assigned to a shared folder to control access by users and groups on the network. Shared folder permissions can be applied only to the entire shared folder, not to its files and subfolders.

If you want to control access to individual files and subfolders within a network share, you can use the more granular NTFS permissions on Windows NT and Windows 2000. In addition, shared folder permissions are effective only when a user accesses the folder over the network.

If a user can log on locally to the console of the computer where the share is located, that user can always access the contents of the shared folder regardless of the shared folder permissions set (unless the folder is on an NTFS volume and the NTFS permissions restrict the user from accessing the resource).

Finally, shared folder permissions are the only way to secure network resources that are stored on FAT volumes.

If a user belongs to two or more groups, and these groups have different permissions on a given share, the user’s ability to access the folder over the network can be calculated by two rules:

  • The effective permission is the least restrictive (most permissive) permission, as in this example:

    read + change = change permission

  • No access or deny access overrides all other permissions, as in this example:

    read + no access = no access

How It Works

Windows 95, Windows 98, Windows NT, and Windows 2000 each have different mechanisms for assigning shared folder permissions for users and groups. The following tables show the permissions for each of these operating systems and lists what the permissions allow users to perform.

Windows 95 and Windows 98 Shared Folder Permissions

Permission What It Allows Users to Do
Read-Only Access Rights
List names of folders and files
Browse hierarchies of folders
Display the contents of folders and files
Run executable files
Full Access Rights
Create and delete folders
Add files to folders
Create, modify, and delete files
Change file attributes
(Includes read permissions)
Custom Access Rights
Depending on the options specified, allows users to perform the following actions:
Read files
Write to files
Create files and folders
Delete files
Change file attributes
List files
Change access control

Graphic S-8. The Change Access Rights dialog box in Windows 95 and Windows 98.


Windows NT 4.0 Shared Folder Permissions

Permission What It Allows Users to Do
No Access
Connect to a share without viewing its contents
Read
List names of folders and files
Browse hierarchies of folders
Display the contents of folders and files
Run executable files
Change
Create and delete folders
Create, modify, and delete files
Change file attributes
Includes read permissions
Full Control
Take ownership of files on NTFS volumes
Change file permissions on NTFS volumes
Includes read and change permissions

Graphic S-9. The Access Through Share Permissions dialog box in Windows NT 4.0.


Windows 2000 Shared Folder Permissions

Permission What It Allows Users to Do
Read
List names of folders and files
Browse hierarchies of folders
Display the contents of folders and files
Run executable files
Change
Create and delete folders
Add files to folders
Create, modify, and delete files
Change file attributes
Includes read permissions
Full Control
Take ownership of files on NTFS volumes
Change file permissions
Includes read and change permissions

Graphic S-10. The Permissions dialog box in Windows 2000.


TIP

When you first share a folder in Windows NT and Windows 2000, the default permissions are Full Control for the Everyone group. You should remove this default permission and assign more appropriate permissions to the share, such as change permission for Domain Users and full control for Administrators.

When you assign permissions to shared folders, use group accounts instead of user accounts in order to simplify administration. Give users the most restrictive permissions that still enable them to perform the necessary tasks on the files in the share.

See also: