220-1102 | Chapter 34 of 131 | Objective 1.5

Windows Shares and NTFS Permissions

This chapter covers Windows Shares and NTFS Permissions, a core topic for the CompTIA A+ Core 2 (220-1102) exam under Objective 1.5 (Given a scenario, manage and configure basic permissions). Understanding how share and NTFS permissions work together is critical because misconfiguration is a leading cause of access problems in Windows networks. Expect 3-5 exam questions on this topic, often testing the 'most restrictive' rule, effective permissions, and the difference between share and NTFS permissions.

25 min read
Intermediate
Updated May 31, 2026

The Building Security Pass System

Imagine a large office building with multiple floors, each floor owned by a different company. The building has a main entrance with a security guard who checks IDs (this is the share-level permission). If your ID says you're allowed in the building, you get past the guard. But once inside, each company floor has its own locked door with a keycard reader (this is the NTFS permission). Even if the building guard lets you in, you still need a valid keycard to enter a specific company's floor. The guard can give you a building pass that says 'visitor' or 'employee' (share permissions: Read, Change, Full Control). The floor keycard can give you access to specific rooms within that floor (NTFS permissions: Read, Write, Modify, etc.). When you try to enter a company floor, the system checks both: you must have a building pass that allows entry to that floor (share permission) AND a keycard that allows entry to that specific door (NTFS permission). The most restrictive rule wins — if the building guard says you can enter any floor but the keycard only allows the lobby, you only get the lobby. This is exactly how Windows combines share and NTFS permissions: the effective permission is the most restrictive of the two.

How It Actually Works

What Are Windows Shares and NTFS Permissions?

Windows Shares (also called SMB shares) and NTFS permissions are two separate security mechanisms that control access to files and folders on Windows systems. Shares are used to make folders accessible over the network, while NTFS permissions control local and network access to files and folders on NTFS-formatted volumes.

Share Permissions: Apply only when a user accesses a folder over the network via SMB (Server Message Block) protocol. They do not apply to local logins.

NTFS Permissions: Apply to both local and network access. They are stored in the file system's ACL (Access Control List) and are more granular than share permissions.

How They Work Together

When a user accesses a shared folder over the network, Windows evaluates both the share permissions and the NTFS permissions. The effective permission is the most restrictive of the two. For example:

If share permission is Read and NTFS permission is Full Control, the effective permission is Read.

If share permission is Full Control and NTFS permission is Read, the effective permission is Read.

If share permission is Full Control and NTFS permission is Full Control, the effective permission is Full Control.

This is a critical concept for the exam. Many candidates mistakenly think permissions are additive or that share permissions override NTFS permissions. They are not — the most restrictive rule always applies.

Share Permissions in Detail

Share permissions have three levels:

- Read: Users can view file and folder names, open files, and run programs. They cannot make changes or delete files.
- Change: Users have Read permissions plus the ability to add files, modify files, delete files, and create folders.
- Full Control: Users have Change permissions plus the ability to change permissions (take ownership) for the shared folder.

By default, when you share a folder, the Everyone group is granted Read permission. As a security best practice, you should always restrict share permissions to only the necessary users or groups.

NTFS Permissions in Detail

NTFS permissions are more granular. The standard NTFS permissions are:

- Full Control: Users can read, write, execute, delete files/folders, change permissions, and take ownership.
- Modify: Users can read, write, execute, and delete files/folders. They cannot change permissions or take ownership.
- Read & Execute: Users can read files and run programs. They cannot write or delete.
- List Folder Contents: Users can view the names of files and subfolders. This permission only applies to folders.
- Read: Users can view file contents and properties.
- Write: Users can create new files and modify existing files. They can also change file attributes.

NTFS permissions can be set for users or groups. They are cumulative — a user gets the sum of all permissions granted to them and to any groups they belong to. However, Deny permissions override all other permissions.

Special Permissions

NTFS also includes special permissions that break down the standard permissions into individual actions. For example, Traverse Folder allows a user to move through a folder even if they cannot list its contents. The exam does not require deep knowledge of special permissions, but you should know they exist.

Inheritance and Propagation

By default, NTFS permissions are inherited from parent folders to child objects (files and subfolders). If you set permissions on a folder, all files and subfolders within inherit those permissions unless you explicitly block inheritance.

Inherited permissions appear as greyed-out checkboxes in the Security tab.

Explicit permissions are set directly on the object and appear as checked boxes.

You can disable inheritance to stop propagation from parent folders. When you do, you have the option to convert inherited permissions to explicit permissions or remove them entirely.

Effective Permissions

The Effective Permissions tool (available in the Advanced Security Settings) shows exactly what permissions a user or group has for a given object. It considers all group memberships, inherited permissions, and Deny entries. This is a common exam scenario — you should know how to use it to troubleshoot access issues.
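The rules above (Allow entries are cumulative, Deny overrides Allow, and network access takes the most restrictive of share and NTFS) can be worked through in code. This is an added example, not part of the original chapter: it models only the rules stated on this page, not the Windows access-check algorithm, and the action names, accounts and ACLs are constructed for illustration.

```python
# Added example: models the rules stated in this chapter only.
# Action names, accounts and ACL entries below are constructed.

READ = frozenset({"read"})
RX = READ | {"execute"}
MODIFY = RX | {"write", "delete"}
FULL = MODIFY | {"change_permissions", "take_ownership"}

NTFS_LEVELS = {"Read": READ, "Write": frozenset({"write"}),
               "Read & Execute": RX, "Modify": MODIFY, "Full Control": FULL}
# Share Read lets users open files and run programs; Change adds
# add/modify/delete; Full Control adds changing permissions.
SHARE_LEVELS = {"Read": RX, "Change": MODIFY, "Full Control": FULL}


def resolve(acl, principals, levels):
    """Allow entries add up across the user's principals; any Deny wins."""
    allowed, denied = set(), set()
    for principal, kind, level in acl:
        if principal in principals:
            (denied if kind == "Deny" else allowed).update(levels[level])
    return frozenset(allowed - denied)


def effective_access(principals, ntfs_acl, share_acl=None):
    """share_acl=None models a local logon, where only NTFS is evaluated."""
    ntfs = resolve(ntfs_acl, principals, NTFS_LEVELS)
    if share_acl is None:
        return ntfs
    # Over the network both layers must permit the action (most restrictive).
    return ntfs & resolve(share_acl, principals, SHARE_LEVELS)


# Constructed scenario: each user is listed with the groups they belong to.
JSMITH = {"jsmith", "SalesTeam", "Authenticated Users"}
TEMP1 = {"temp1", "SalesTeam", "Contractors", "Authenticated Users"}

DATA_NTFS = [("Authenticated Users", "Allow", "Read & Execute"),
             ("SalesTeam", "Allow", "Modify"),
             ("Contractors", "Deny", "Write")]
DATA_SHARE = [("Authenticated Users", "Allow", "Read")]


def report():
    """Local and network access for each sample user, as sorted action lists."""
    rows = {}
    for name, who in (("jsmith", JSMITH), ("temp1", TEMP1)):
        rows[name] = {
            "local": sorted(effective_access(who, DATA_NTFS)),
            "network": sorted(effective_access(who, DATA_NTFS, DATA_SHARE)),
        }
    return rows


if __name__ == "__main__":
    for user, access in report().items():
        print(user, access)
```

In the sample, both users can delete files at the console but only read and run them through the share, and temp1 loses write locally because of the Contractors Deny entry even though SalesTeam grants Modify.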

Configuration and Verification Commands

To share a folder:

1. Right-click the folder > Properties > Sharing tab > Advanced Sharing > check 'Share this folder' > set share name and permissions.
2. Alternatively, use the net share command:

net share MyShare=C:\Data /grant:Users,READ

To view share permissions:

net share MyShare

To set NTFS permissions via command line, use icacls:

icacls C:\Data /grant Users:(R,W)
icacls C:\Data /grant Administrators:(F)

To view NTFS permissions:

icacls C:\Data

To check effective permissions:

In File Explorer, right-click file > Properties > Security > Advanced > Effective Access tab > enter username > View effective access.

Common Exam Scenarios

1. User can access a file locally but not over the network: Check share permissions. NTFS permissions are fine, but share permissions are too restrictive.

2. User can access a file over the network but not locally: This is unusual but could happen if the user is denied locally via NTFS but allowed via share. However, share permissions only apply over the network, so local access is controlled solely by NTFS.

3. User gets 'Access Denied' even though they are in a group with Full Control: Check for a Deny entry. Deny overrides Allow.

4. Permissions are greyed out: The permission is inherited from a parent folder. To change it, you must either change the parent folder's permissions or disable inheritance.

Best Practices

Set share permissions to Full Control for Administrators and Change for users who need to modify files. Then use NTFS permissions to fine-tune access.

Use groups, not individual users, for assigning permissions.

Avoid using the Everyone group. Use Authenticated Users instead.

Always test with the Effective Permissions tool.

Troubleshooting Tools

icacls: Command-line tool for viewing and modifying NTFS permissions.

File Explorer: Security tab for GUI management.

Effective Permissions: In Advanced Security Settings.

Event Viewer: Security logs can show access denied events.

Interaction with Other Technologies

HomeGroup: Deprecated in Windows 10 (removed in later versions). Used simple sharing without NTFS granularity.

Public Folder: Used for simple sharing but relies on NTFS permissions.

File Server Resource Manager (FSRM): Quotas and file screening, not permissions.

DFS (Distributed File System): Shares can be replicated across servers; permissions are set on the underlying folders.

Summary of Key Values

Default share permission: Everyone Read.

Default NTFS permission on new folders: Inherited from parent.

Effective permission: Most restrictive of share and NTFS.

Deny overrides Allow.

Inheritance is enabled by default.

Use icacls for command-line management.

Effective Permissions tool shows combined result.

Walk-Through

1. Create the shared folder

First, create a folder on an NTFS volume. For example, create C:\Data. Right-click the folder, go to Properties > Sharing tab > Advanced Sharing. Check 'Share this folder' and give it a share name (e.g., 'Data'). Click Permissions and set the share permissions. By default, Everyone has Read. For a typical scenario, remove Everyone and add Domain Users with Change or Full Control depending on needs. Share permissions are applied immediately and take effect for network access.

2. Set NTFS permissions on the folder

With the folder still selected, go to Properties > Security tab. Here you set NTFS permissions. Click Edit to change permissions. Add users or groups (e.g., SalesTeam) and assign appropriate permissions (e.g., Modify). NTFS permissions are also applied immediately. Note that if the folder inherits permissions from its parent, you may need to disable inheritance first. You can do this by clicking Advanced > Disable inheritance. Choose to convert inherited permissions to explicit or remove them.

3. Verify share permissions with net share

Open Command Prompt as Administrator. Run `net share Data`. This shows the share name, path, and a remark. To see share permissions, you need to use the GUI or PowerShell. For example, `Get-SmbShare -Name Data | Get-SmbShareAccess` in PowerShell shows the security descriptor. This step confirms that the share is published and accessible over the network.

4. Verify NTFS permissions with icacls

Run `icacls C:\Data` in Command Prompt. This lists the NTFS permissions for the folder. The output shows entries like `BUILTIN\Users:(OI)(CI)(R)` meaning Users have Read permission with object inherit and container inherit flags. You can verify that the SalesTeam group has the expected permissions. This command is essential for troubleshooting because it shows the exact ACL.

5. Test effective permissions

In File Explorer, right-click the folder > Properties > Security > Advanced > Effective Access tab. Click 'Select a user' and enter a username (e.g., a member of SalesTeam). Click 'View effective access'. The tool calculates and displays the effective NTFS permissions based on all group memberships, inherited permissions, and deny entries. This is the final word on what the user can do locally. For network access, you must mentally combine this with share permissions using the most restrictive rule.
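The icacls check in step 4 can be scripted when many folders need review. The following is an added example, not part of the original walk-through: it parses icacls text output into entries, marks inherited ones, and flags Deny entries and write-capable grants to Everyone. The sample output and the CONTOSO domain are constructed, and the parser does not depend on the order of the parenthesised tokens.

```python
import re

# Tokens icacls prints in parentheses that describe inheritance, not rights.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
WRITE_CAPABLE = {"F", "M", "W"}          # Full Control, Modify, Write
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<flags>(?:\([^)]*\))+)$")

# Constructed sample of icacls output for C:\Data (CONTOSO is a placeholder).
SAMPLE = r"""C:\Data BUILTIN\Administrators:(OI)(CI)(F)
        CONTOSO\SalesTeam:(OI)(CI)(M)
        CONTOSO\Contractors:(OI)(CI)(DENY)(W)
        Everyone:(I)(OI)(CI)(M)
        BUILTIN\Users:(I)(OI)(CI)(R)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(output, path):
    """Turn icacls text output for one path into a list of ACE dicts."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):            # first line is prefixed with the path
            line = line[len(path):].strip()
        match = ACE_RE.match(line)
        if not match:                        # blank line or the summary line
            continue
        tokens = re.findall(r"\(([^)]*)\)", match["flags"])
        rights = [r for t in tokens
                  if t not in INHERIT_FLAGS and t != "DENY"
                  for r in t.split(",")]
        aces.append({
            "principal": match["principal"],
            "deny": "DENY" in tokens,
            "inherited": "I" in tokens,      # shown greyed out in the Security tab
            "rights": rights,
        })
    return aces


def findings(aces):
    """Flag the two conditions this chapter tells you to look for."""
    notes = []
    for ace in aces:
        if ace["deny"]:
            notes.append((ace["principal"], "deny"))          # overrides Allow
        elif ace["principal"] == "Everyone" and WRITE_CAPABLE & set(ace["rights"]):
            notes.append((ace["principal"], "broad-write"))   # prefer Authenticated Users
    return notes


if __name__ == "__main__":
    for ace in parse_icacls(SAMPLE, r"C:\Data"):
        print(ace)
    print(findings(parse_icacls(SAMPLE, r"C:\Data")))
```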

What This Looks Like on the Job

Enterprise Scenario 1: Departmental File Server

A company has a file server running Windows Server with multiple shared folders for different departments (HR, Finance, Marketing). The goal is to allow all employees to read company-wide documents but restrict HR and Finance folders to their respective teams. The solution uses share permissions for broad access control and NTFS for fine-grained restrictions.

Configuration: The root share (e.g., \\Server\Company) has share permission set to Everyone: Read. Inside, each department folder has NTFS permissions: HR folder grants HR_Group Modify, Finance folder grants Finance_Group Modify, and so on. All other users get NTFS Read from inheritance.

Problem solved: Users can access the share but only see folders they have NTFS permissions to. If a user from Marketing tries to access the HR folder, they get 'Access Denied' because NTFS denies them. Share permissions allow all users to connect, but NTFS blocks specific folders.

Common mistake: Setting share permissions to Full Control for Everyone and relying solely on NTFS. This works but is less secure because local administrators can bypass share permissions. Best practice is to set share permissions to the most restrictive needed (e.g., Change for users who need to write) and then use NTFS for granularity.

Performance: No significant performance impact. The SMB protocol handles permissions efficiently.

Misconfiguration: If someone sets share permissions to Change for Everyone but NTFS denies a user, the user still cannot access the folder. Conversely, if share permissions are Read but NTFS allows Modify, the user can only read over the network. This is a common source of help desk tickets.

Enterprise Scenario 2: Home Folder Redirection

An organization uses folder redirection to map user documents to a network share. Each user has a home folder (e.g., \\Server\Home$\username) with exclusive access.

Configuration: The parent share (Home$) has share permission set to Domain Admins: Full Control and Authenticated Users: Read (so users can see the share but not each other's folders). Then NTFS permissions on each user's folder grant that user Full Control (with inheritance disabled) and deny all others. The share's Read permission prevents users from writing to the root, but NTFS Full Control allows the user to write to their own folder.

Problem solved: Users can only access their own folder. The share permission prevents them from writing anywhere else in the share, while NTFS ensures they have full control over their own data.

Common mistake: Giving Everyone Full Control at the share level. This would allow any user to write to any folder if NTFS allowed it. Always use the most restrictive share permissions.

Performance: Home folder shares can be large. Use quotas (FSRM) to manage disk space.

Misconfiguration: If NTFS permissions are not set correctly, a user might be unable to save files. The Effective Permissions tool is essential for troubleshooting.

How 220-1102 Actually Tests This

What the 220-1102 Exam Tests

Objective 1.5: Given a scenario, manage and configure basic permissions. This includes:

Understanding share permissions (Read, Change, Full Control)

Understanding NTFS permissions (Full Control, Modify, Read & Execute, List Folder Contents, Read, Write)

Knowing the 'most restrictive' rule when combining share and NTFS permissions

Using the Effective Permissions tool

Configuring permissions via GUI and command line (icacls, net share)

Troubleshooting access denied errors

Common Wrong Answers and Why Candidates Choose Them

1. 'Permissions are cumulative': Candidates often think that share and NTFS permissions add together. For example, if share is Read and NTFS is Full Control, they think the user gets Read+Full Control = something better. But the reality is the most restrictive applies, so the user gets Read.

2. 'Share permissions override NTFS permissions': Some think that because share permissions control network access, they take priority. In reality, both are evaluated and the most restrictive wins.

3. 'NTFS permissions only apply to network access': This is false. NTFS permissions apply to both local and network access. Share permissions apply only to network access.

4. 'Deny permissions are ignored if Allow exists': Deny always overrides Allow. This is a key point.

Specific Numbers and Terms on the Exam

Default share permission: Everyone: Read

Three share permission levels: Read, Change, Full Control

Six standard NTFS permissions: Full Control, Modify, Read & Execute, List Folder Contents, Read, Write

The phrase 'most restrictive' appears verbatim in questions.

The Effective Permissions tab is located in Advanced Security Settings.

Command: icacls for NTFS, net share for shares.

Edge Cases and Exceptions

Inheritance: If permissions are greyed out, they are inherited. You must disable inheritance to change them.

Special Identities: Groups like Everyone include anonymous users; Authenticated Users excludes anonymous.

Local vs Domain: On a workgroup computer, local accounts and groups are used. On a domain, domain accounts and groups.

Administrator Override: Administrators can take ownership and change permissions, even if denied. This is a security feature.

How to Eliminate Wrong Answers

1. Read the scenario: Is the user accessing locally or over the network? If locally, share permissions do not apply.

2. Identify the share and NTFS permissions given. Apply the most restrictive rule.

3. Check for Deny entries — they override.

4. Use the Effective Permissions tool in your mind: combine all group memberships, then apply the most restrictive between share and NTFS.

Example question: 'A user can read a file over the network but cannot modify it. Share permissions are Full Control. NTFS permissions are Modify. What is the problem?' The answer: NTFS permissions are Modify, which includes write. But wait — the user cannot modify. Check share: Full Control. NTFS: Modify. Most restrictive is Modify, which should allow modification. So why can't they? Possibly a Deny entry or inheritance issue. The exam expects you to think step by step.

Key Takeaways

Effective permission = most restrictive of share and NTFS permissions.

Share permissions only apply over the network; NTFS permissions apply both locally and over the network.

Deny permissions override all Allow permissions.

Use icacls to view and modify NTFS permissions from the command line.

Use net share to view share permissions from the command line.

The Effective Permissions tool in Advanced Security Settings shows the combined NTFS permissions for a user.

Always use groups for assigning permissions, not individual users.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Share Permissions

Only apply to network access via SMB

Only three levels: Read, Change, Full Control

Set on the Sharing tab of folder properties

Less granular — cannot control individual file permissions

Default: Everyone Read

NTFS Permissions

Apply to both local and network access

Six standard levels plus special permissions

Set on the Security tab of folder/file properties

Granular — can set permissions on individual files

Default: Inherited from parent folder

Watch Out for These

Mistake

Share permissions and NTFS permissions are added together to determine access.

Correct

They are not additive. The effective permission is the most restrictive of the two. For example, if share is Read and NTFS is Full Control, the user gets Read.

Mistake

NTFS permissions only apply when accessing files over the network.

Correct

NTFS permissions apply to both local and network access. Share permissions apply only to network access.

Mistake

If a user is denied access via NTFS but allowed via share, they can still access the file over the network.

Correct

No. The most restrictive rule applies. If NTFS denies, the user is denied regardless of share permissions.

Mistake

The Everyone group includes only authenticated users.

Correct

The Everyone group includes all users, including anonymous and guest accounts. Authenticated Users excludes anonymous and guest.

Mistake

Permissions set on a parent folder always apply to child objects and cannot be changed.

Correct

Permissions are inherited by default, but you can disable inheritance on child objects and set explicit permissions.

Frequently Asked Questions

What is the difference between share permissions and NTFS permissions?

Share permissions control access to a folder when it is accessed over the network via SMB. They have three levels: Read, Change, Full Control. NTFS permissions control access to files and folders on an NTFS volume, both locally and over the network. They have six standard levels: Full Control, Modify, Read & Execute, List Folder Contents, Read, Write. NTFS permissions are more granular and can be set on individual files. When both are used, the effective permission is the most restrictive of the two.

How do I calculate effective permissions when both share and NTFS permissions are set?

The effective permission is the most restrictive of the share and NTFS permissions. For example, if share permission is Read and NTFS permission is Full Control, the effective permission is Read. If share is Full Control and NTFS is Read, effective is Read. If both are Full Control, effective is Full Control. You must also consider Deny entries, which override Allow. The Effective Permissions tool in the Advanced Security Settings can show the combined NTFS permissions, but you still need to mentally combine with share permissions for network access.

Why can a user access a file locally but not over the network?

This usually happens because share permissions are too restrictive. Locally, only NTFS permissions apply. Over the network, both share and NTFS permissions apply, and the most restrictive wins. If share permissions are Read but NTFS allows Modify, the user can only read over the network. To fix this, adjust the share permissions to allow the desired level of access.

What does the 'icacls' command do?

icacls is a command-line tool used to display and modify NTFS permissions on files and folders. For example, `icacls C:\Data` displays the current ACL. `icacls C:\Data /grant Users:(R,W)` grants Users Read and Write permissions. It can also be used to remove permissions, set inheritance, and more. It is a powerful tool for scripting and troubleshooting.

How do I disable inheritance on a folder?

Right-click the folder > Properties > Security tab > Advanced button. In the Advanced Security Settings window, click 'Disable inheritance'. You will be prompted to either convert inherited permissions to explicit permissions or remove all inherited permissions. Choose the appropriate option. After disabling, you can set explicit permissions on the folder.

What is the 'Effective Permissions' tool and how do I use it?

The Effective Permissions tool is part of the Advanced Security Settings in Windows. It shows the actual NTFS permissions a user or group has for a specific file or folder, taking into account all group memberships, inherited permissions, and Deny entries. To use it, right-click the file/folder > Properties > Security > Advanced > Effective Access tab. Enter the username and click 'View effective access'. It is invaluable for troubleshooting access issues.

Can I set share permissions on individual files?

No. Share permissions can only be set on folders. You cannot share an individual file directly. However, you can share a folder that contains the file, and then use NTFS permissions to control access to the specific file. NTFS permissions can be set on individual files.
