CompTIA A+ Study Guide: CompTIA A+ 220-1101/1102

NTFS vs Share Permissions: A+ Exam Traps

NTFS and share permissions both control file access, but they combine differently when both apply. Here is the rule the A+ exam tests and how to apply it every time.

Courseiva Study Hub


NTFS and share permissions questions on the A+ Core 2 exam give you a scenario with specific permissions applied at both levels and ask you to determine what the user can actually do. The rule for combining them is simple once you know it, but it catches candidates who have not seen it before.

NTFS Permissions

NTFS permissions are stored on the file system and apply to both local and network access. They are the most granular level of access control.

Common NTFS permission levels:

Permission | What It Allows
Full Control | Read, write, delete, change permissions, take ownership
Modify | Read, write, delete files and subfolders
Read & Execute | View and run files
Read | View files only
Write | Create new files and folders; write to existing files

NTFS permissions are cumulative — if a user is a member of multiple groups with different NTFS permissions, they receive the combination of all granted permissions. The exception is an explicit Deny, which overrides all Allow permissions.

Share Permissions

Share permissions only apply when accessing a folder over the network. They have no effect on local access. Share permissions have three levels: Full Control, Change, and Read.

When Both Apply: The Most Restrictive Rule

When a user accesses a shared folder over the network, both NTFS and Share permissions apply. The effective permission is the most restrictive (least permissive) of the two.

Example:

  • NTFS permission for User A on the Sales folder: Modify
  • Share permission for User A on the Sales folder: Read

Effective permission when accessing over the network: Read (the more restrictive of the two).

If User A accesses the same folder locally (sitting at the computer), only NTFS permissions apply — Share permissions are irrelevant for local access. User A would have Modify access locally.

The Exam Trap

Scenario: "A shared folder has the following permissions: Share = Full Control for Everyone; NTFS = Read for User A. User A accesses the folder over the network. What can User A do?"

Many candidates see "Full Control" in the Share permissions and answer Full Control. The correct answer is Read — the NTFS permission is more restrictive, and when both apply over the network, the most restrictive wins.

The Everyone group with Full Control share permission is a common configuration that confuses candidates. The NTFS permissions are what actually restrict access in this scenario.

Effective Permissions

To determine effective permissions for a user who is in multiple groups:

  1. List all NTFS permissions granted to the user through all groups (combine them — most permissive)
  2. List all Share permissions granted to the user through all groups (combine them — most permissive)
  3. For network access: effective = most restrictive between step 1 and step 2
  4. For local access: effective = step 1 only (NTFS only)

Example:

  • User is in Group A (NTFS: Read) and Group B (NTFS: Modify)
  • Combined NTFS: Modify (cumulative — most permissive between groups)
  • Share permission: Full Control
  • Network access effective: Modify (NTFS Modify is more restrictive than Share Full Control)

Inheritance

NTFS permissions are inherited from parent folders by default. Subfolders and files inherit the permissions of the folder above them.

Blocking inheritance: you can stop inheritance on a specific folder. When you do this, you can:

  • Remove all inherited permissions (start with a clean permission set)
  • Convert inherited permissions to explicit permissions (they remain but are no longer inherited — changes to the parent won't affect this folder)

Exam scenario: "An administrator wants a subfolder to have different permissions from its parent. What should the administrator do?" — Block inheritance on the subfolder and set the required permissions explicitly.

Practice A+ permissions questions with multi-group scenarios to build speed on the most-restrictive-wins rule.

Worked Scenario with Three Groups

This is the type of scenario the A+ exam will give you. Work through it step by step.

Setup: User Alice is a member of three groups: Marketing, Editors, and Everyone.

NTFS permissions on the Reports folder:

  • Marketing: Read
  • Editors: Modify
  • Everyone: Read

Share permissions on the Reports folder:

  • Marketing: Full Control
  • Everyone: Read

Step 1 — Calculate Alice's cumulative NTFS permissions. Alice is in Marketing (Read) and Editors (Modify) and Everyone (Read). NTFS permissions are cumulative across groups — you combine all the Allow permissions. Modify includes everything Read allows plus the ability to change and delete files. Combined NTFS: Modify.

Step 2 — Calculate Alice's cumulative Share permissions. Alice is in Marketing (Full Control) and Everyone (Read). Combined Share: Full Control (most permissive across groups).

Step 3 — Apply the most-restrictive rule for network access. Combined NTFS = Modify. Combined Share = Full Control. Most restrictive = Modify. Alice's effective permission when accessing over the network: Modify.

Step 4 — Local access. If Alice sits at the computer and accesses the Reports folder locally, only NTFS applies. Alice has Modify.

Where candidates go wrong: They see "Full Control" in the share permissions and answer Full Control. They forget that NTFS is the limiting factor. The most-restrictive rule means the more permissive permission (Share Full Control) gets cut down to what NTFS allows (Modify).

Second trap: They calculate the NTFS permissions wrong by looking at only one group. Always combine all groups the user belongs to before comparing with share permissions.
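The four-step procedure from the Effective Permissions section and the Alice scenario above, as an added Python model (not code from the study guide). It treats each level as a set of rights; the mapping of share levels onto those rights and all names in the code are assumptions of this example, and the ACL data is constructed from the scenario.

```python
from dataclasses import dataclass

R, X, W, D, P, O = "read", "execute", "write", "delete", "change_perms", "take_ownership"
# Rights behind each basic level (simplified model; highest level listed first).
NTFS = {"Full Control": {R, X, W, D, P, O}, "Modify": {R, X, W, D},
        "Read & Execute": {R, X}, "Read": {R}, "Write": {W}}
# Assumption: share levels mapped onto the same rights so the two can be compared.
SHARE = {"Full Control": {R, X, W, D, P, O}, "Change": {R, X, W, D}, "Read": {R, X}}

@dataclass(frozen=True)
class Ace:
    principal: str      # user or group the entry applies to
    level: str          # key of NTFS or SHARE
    deny: bool = False  # True for an explicit Deny entry

def cumulative(acl, table, principals):
    """Steps 1 and 2: union of every Allow that applies, minus every Deny."""
    allow, deny = set(), set()
    for ace in acl:
        if ace.principal in principals:
            (deny if ace.deny else allow).update(table[ace.level])
    return allow - deny

def effective(ntfs_acl, share_acl, principals, network=True):
    """Step 3 (network): rights granted by both layers. Step 4 (local): NTFS only."""
    ntfs = cumulative(ntfs_acl, NTFS, principals)
    return ntfs & cumulative(share_acl, SHARE, principals) if network else ntfs

def level_name(rights, table):
    """Highest basic level in `table` fully covered by `rights`."""
    return next((name for name, need in table.items() if need <= rights), "No access")

# Constructed data: the Reports folder and Alice's memberships from the scenario.
ALICE = {"Alice", "Marketing", "Editors", "Everyone"}
REPORTS_NTFS = [Ace("Marketing", "Read"), Ace("Editors", "Modify"), Ace("Everyone", "Read")]
REPORTS_SHARE = [Ace("Marketing", "Full Control"), Ace("Everyone", "Read")]

if __name__ == "__main__":
    for network in (True, False):
        rights = effective(REPORTS_NTFS, REPORTS_SHARE, ALICE, network)
        print("network" if network else "local", level_name(rights, NTFS), sorted(rights))
    # Help desk case: one explicit Deny on the user beats the group Allow.
    denied = REPORTS_NTFS + [Ace("Alice", "Write", deny=True)]
    print("with Deny Write:", sorted(effective(denied, REPORTS_SHARE, ALICE)))
```
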

Special Permissions — Beyond Basic Levels

The A+ exam can ask about permissions that don't appear in the basic Full Control / Modify / Read list.

List Folder Contents: Allows viewing file and subfolder names in a folder, but not opening files or running executables. A user with only this permission can see what's in the folder but cannot actually read or launch anything inside. This is useful for directory browsing without data access.

Write Attributes: Allows changing basic attributes of a file (read-only, hidden, system) but does not allow reading or modifying the file content. This is a granular permission below the standard Write.

Take Ownership: Allows the user to become the owner of a file or folder. The owner of an object always has the right to change permissions on it. This permission is particularly powerful — a user with Take Ownership can grab a file they normally could not access, take ownership, then grant themselves Full Control.

Delete Subfolders and Files: Allows deleting items within a folder even if the user does not have Delete permission on the specific files themselves. This is separate from the Delete permission that appears in the Modify level.

Exam context: When a question describes a user who can see file names in a folder but cannot open any of the files, the likely permission is List Folder Contents. When a question asks "which special permission lets a user become the owner of a resource they do not currently own," the answer is Take Ownership.

Propagation and Inheritance — The Real-World Confusion

NTFS permission inheritance is automatic — subfolders and files inside a folder inherit the permissions of the parent by default. This makes administration easier but creates problems when specific folders need different access.

Blocking inheritance scenario: An exam question describes this situation: "The Finance folder has permissions that allow the Accounting group full access. There is a Confidential subfolder inside Finance that should only be accessible to Finance Directors. The Accounting group should not have access to Confidential."

The solution: block inheritance on the Confidential subfolder. When you block inheritance, Windows presents two choices:

  1. Remove all inherited permissions — Start clean. No inherited permissions carry over. You must explicitly define all permissions from scratch.
  2. Convert inherited permissions to explicit permissions — The current inherited permissions are converted to explicit permissions on this folder. Changes to the parent's permissions will no longer affect this folder, but the current permissions remain.

Exam trap: "After blocking inheritance on a subfolder, users who should still have access are locked out." This happens when the administrator chose "Remove all inherited permissions" and then forgot to add explicit permissions for the users who need access. The correct approach for the scenario above: block inheritance, convert inherited permissions (to preserve Finance Director access), then remove Accounting from the Confidential folder's explicit list.
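The two block-inheritance choices and the lockout trap, as an added Python model of the Finance/Confidential scenario (not code from the study guide, and not a Windows API). The class and function names are hypothetical, and the Finance Directors entry on the parent folder is an assumption of this example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Ace:
    principal: str
    level: str
    inherited: bool = False

class Folder:
    def __init__(self, parent=None, explicit=()):
        self.parent, self.explicit = parent, list(explicit)
        self.blocked = False            # True once inheritance is blocked

    def acl(self):
        """Explicit entries plus, unless blocked, the parent's entries as inherited."""
        aces = list(self.explicit)
        if self.parent and not self.blocked:
            aces += [replace(a, inherited=True) for a in self.parent.acl()]
        return aces

    def block_inheritance(self, convert):
        """convert=True keeps inherited entries as explicit; False removes them."""
        if convert:
            self.explicit += [replace(a, inherited=False) for a in self.acl() if a.inherited]
        self.blocked = True

    def remove(self, principal):
        self.explicit = [a for a in self.explicit if a.principal != principal]

    def who(self):
        return {a.principal for a in self.acl()}

def scenario(convert):
    # Constructed ACL: the page gives Accounting full access; the Finance
    # Directors entry on the parent is an assumption of this example.
    finance = Folder(explicit=[Ace("Accounting", "Full Control"),
                               Ace("Finance Directors", "Full Control")])
    confidential = Folder(parent=finance)
    confidential.block_inheritance(convert)
    confidential.remove("Accounting")
    finance.explicit.append(Ace("Interns", "Read"))   # later change on the parent
    return confidential.who()

if __name__ == "__main__":
    print("remove all inherited:", scenario(convert=False))   # nobody left: the lockout trap
    print("convert, then trim:  ", scenario(convert=True))
```
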

NTFS Permissions When Moving vs Copying Files

This is one of the most-tested permission behaviours on the A+ exam and one of the most consistently confused.

Copying a file:

  • The copy goes to the destination folder
  • The copy inherits the permissions of the destination folder
  • The original remains with its original permissions
  • The person making the copy must have Write permission on the destination

Moving a file within the same volume (same drive letter):

  • The file does not physically move — only the directory entry changes
  • The file retains its original permissions (it is the same file, just pointed to by a different directory)
  • The person moving the file must have Write permission on the destination and Delete permission on the source

Moving a file across volumes (different drive letters):

  • This is a copy followed by a delete
  • The file inherits the permissions of the destination folder (copy behaviour)
  • The person must have Write on destination and Delete permission on the original

Memory rule: Same volume = keep permissions. Different volume = inherit destination permissions. Copy = always inherit destination.

Exam question: "A user copies a sensitive file from the Confidential folder (restricted permissions) to their Desktop (less restricted). What permissions does the copy have?" The copy inherits the Desktop's permissions — which are less restrictive. This is a common data security concern: users copying restricted files to less-restricted locations.

Common Ticket Scenarios That Map to These Rules

Help desk scenario 1: "A user was added to the Managers group two days ago but still cannot modify files in the Managers folder."

Check for an explicit Deny on the user's account. Deny overrides all Allow permissions. Also check if the user has logged off and back on — group membership changes require a new login token to take effect. If neither applies, verify the NTFS permissions on the specific files (not just the folder).

Help desk scenario 2: "A user can read files in a shared folder from their workstation but cannot read those same files when working from home via VPN."

The home access is likely using a different authentication context or the VPN assigns different group memberships. More likely: share permissions are restricting VPN access differently, or a firewall is blocking the SMB protocol. Check share permissions first for remote access issues.

Help desk scenario 3: "A user accidentally deleted files from a shared folder. The user's NTFS permission is Read — how were they able to delete files?"

They likely have the permission through group membership they are not aware of. Check all groups the user belongs to. Also check: was the permission set at the folder level with inheritance? Was there a Modify permission inherited that was not visible at first glance?


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.