Confused again by Share, Advanced Sharing and NTFS permissions

timeshifter

timeshifter

Well-Known Member
Reaction score
2,160
Location
USA
Want one user to have read only access to the files in the main company shared folder. What I've been trying hasn't been working. I'm getting confused (again) by the different Share permissions and NTFS permissions.

I see three different ways to manage this. I start by right-clicking the folder on the server and choosing Properties. From there I can:

a) Click the Sharing tab then click "Share..."
b) Click the Sharing tab then click "Advanced Sharing..."
c) Click the Security tab then edit permissions.

I think the best way to work with this is to use option B and set permissions for Everyone and Administrators to Full Control, Change, and Read. The go to C and edit the NTFS permissions for users or groups (preferably groups).

What I've noticed is that when I do it this way and add a user through C (NTFS permissions) then I end up seeing them under A with custom permissions.

I've been doing all this with a test share. I need to clean up the main share but want to make sure I'm going about this right.

So, is it best to just ignore what shows up in the A option?
The A option is just a reflection of what is configured in the C option?
 
I think this is a good answer.
superuser.com

What's the difference between Sharing and Advanced Sharing in Windows Server 2008?

First, I've researched this and found one question that was not answered, and one that was answered not completely. https://serverfault.com/questions/652215/file-sharing-methods (incomplete or vague
superuser.com superuser.com

I typically never use the "Share" option. Always advanced sharing. Mostly to set the share name. So since I use advanced sharing I just give everyone full control and use NTFS permissions to actually manage it.
 
Windows 101...

Never... EVER...

Let me say that again NEVER!

Set permissions on the share. Share permissions should be Everyone Full Control, or Authenticated Users Full Control.

Put 100% of your ACLs in the NTFS permissions, then you have 1 place to check. Network access is the most restrictive of the two if both are in play. So all you do by setting share permissions is make yourself more work.
 
So can I just ignore what I see under Share permissions?

This box and several others I work with use Windows Server Essentials. As I mentioned it appears that I can have a user not shown in the Share permissions at all. I add them in NTFS permissions. Then I'll go back to look at the Share permissions and they're there. Don't know if this is unique to Essentials or if all (most) Server versions in recent memory do this.
 
timeshifter said:
So can I just ignore what I see under Share permissions?

This box and several others I work with use Windows Server Essentials. As I mentioned it appears that I can have a user not shown in the Share permissions at all. I add them in NTFS permissions. Then I'll go back to look at the Share permissions and they're there. Don't know if this is unique to Essentials or if all (most) Server versions in recent memory do this.
Click to expand...
The wizard will do this, manual setting will not. I've always used the latter, I use "advanced" sharing for everything.
 
Sky-Knight said:
The wizard will do this, manual setting will not.
Click to expand...
Hmm. Not my experience. Today I fired up a spare test 2016 Standard box. It's really plain, no services or anything really running on it, just a test box.

I created a folder. Right-clicked on it and chose Properties, then Sharing tab. Clicked Advanced Sharing then checked box for Share this Folder, then Permissions and set Everyone to Full Control.

The Sharing button (or wizard?) seems to interact with the NTFS permissions I set. I can add a user using the Sharing button and I'll see them in the NTFS permissions. I can add a user under NTFS permissions and see them in the Sharing button. Same with deletes and changes. The two seem linked.

Guess I'll go back to an earlier statement and simply set the Advanced Sharing to Everyone Full Control and then manage it all through the NTFS permissions.
 
You will have a much easier time if you but your ACLs in the filesystem instead of the share yes.

But the right click advanced sharing thing bypasses the wizard I was referring to.

If you right click on a folder, and over over "give access to" and then select "specific people" that wizard will put permissions in both share, and NTFS. Note, you cannot do this unless you're at least 2 folders deep from root.

I always use advanced sharing, and I always set permissions in the security tab. Everyone gets full control of the share itself UNLESS it's a very special circumstance. The only one that comes to mind are permissions for a profile folder for multiple users. Those permissions have to be just so or bad things happen. I think that mess does some whakyness with the shares too... but even that is mostly all NTFS permissions via the security tab.
 
If you have a real M$ server OS then you really should be using server file sharing. Enable File and Storage Services and do it all from there. I only use the properties vector is I have to do it between M$ clients.
 
You must log in or register to reply here.

Similar threads

HCHTech
Apple Business Essentials
Replies
1
Views
158
Markverhyden
Markverhyden
britechguy
Which Outlook has touched your Google Account, and when, makes a difference in what Microsoft apps & services can access
Replies
3
Views
272
John Kennedy
John Kennedy
Metanis
[WARNING] Network sharing credentials broke this morning.
Replies
2
Views
371
Diggs
Diggs
A
Webcam built into external monitor on Chromebook
Replies
4
Views
329
alexsmith2709
A
thecomputerguy
O365 Migration Question
Replies
1
Views
149
YeOldeStonecat
YeOldeStonecat
Back
Top