Share permissions

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Share permissions

A shared resource provides access to applications, data, or a user's personal data. You can assign or deny permissions for each shared resource.

You can control access to shared resources with a variety of methods. You can use share permissions, which are simple to apply and manage. Or, you can use access control on the NTFS file system, which provides more detailed control of the shared resource and its contents. You can also use a combination of these methods. If you use a combination of these methods, the more restrictive permission always applies. For example, if the share permission is set to Everyone = Read (which is the default), and the NTFS permission allows users to make changes to a shared file, the share permission applies, and the user is not allowed to change the file.

It is not always necessary to explicitly deny a permission to a shared resource. Denying permission is usually necessary only when you want to override specific permissions that are already assigned.

For information about how to set NTFS file permissions, see Set, view, change, or remove permissions on files and folders. For information about best practices for working with Shared Folders, including assigning permissions, see Best practices for Shared Folders.

Important

  • In the Windows Server 2003 family, when you create a new shared resource, the Everyone group is automatically assigned the Read permission, which is the most restrictive.

Share permissions:

  • Apply only to users who gain access to the resource over the network. They do not apply to users who log on locally, such as on a terminal server. In these cases, use access control on NTFS to set permissions.

  • Apply to all files and folders in the shared resource. If you want to provide a more detailed level of security to the subfolders or objects in a shared folder, use access control on NTFS.

  • Are the only way to secure network resources on FAT and FAT32 volumes, because NTFS permissions are not available on FAT or FAT32 volumes.

  • Specify the maximum number of users who are allowed to access the shared resource over the network. This is in addition to the security provided by NTFS.

You can assign the following types of access permissions to shared folders or drives:

  • Read
    Read is the default permission that is assigned to the Everyone group. Read allows:
    • Viewing file names and subfolder names

    • Viewing data in files

    • Running program files

  • Change
    Change is not a default permission for any group. The Change permission allows all Read permissions, plus:
    • Adding files and subfolders

    • Changing data in files

    • Deleting subfolders and files

  • Full Control
    Full Control is the default permission that is assigned to the Administrators group on the local computer. Full Control allows all Read and Change permissions, plus:
    • Changing permissions (NTFS files and folders only)