
If several people in a company need to use the same local resources, there must be a simple and efficient way of controlling access to these resources. Commonly, this is done using share permissions and/or NTFS permissions. Both serve the purpose of protecting data and preventing unauthorized access. While they can coexist, they work in different ways.

Today, we are going to take a closer look at what exactly the difference between share permissions and NTFS permissions is and illustrate some best practice examples for using both methods in Microsoft Windows environments.


What Are NTFS Permissions?

NTFS (New Technology File System) is the standard file system for Microsoft Windows NT and newer versions of Microsoft’s operating system. NTFS permissions govern access to folders and files on Windows drives. What’s special about NTFS permissions is that they apply both when access is made locally on the computer and when access is made over the network. That is the key difference between NTFS permissions and share permissions: the latter only apply when access is made over the network and have no effect on local access.

Setting NTFS Permissions

Setting NTFS permissions is not overly complicated, though there are a couple of things you should be aware of. Our article Setting NTFS Permissions covers the 4 most common mistakes and outlines the best practices for dealing with NTFS permissions.

To set an NTFS permission, right-click on a folder or file and select “Properties”, then navigate to the “Security” tab to set your permissions.

While share permissions only offer three options (Full Control, Change and Read), NTFS permissions allow you to set access at a more granular level, both for individuals and groups.

The level of access you choose to set can be passed on to subordinate files or folders due to the NTFS permissions’ inheritance properties. The following NTFS permission levels are the most important ones:

  • Full control: The user has permission to change the contents of files and directories and can furthermore change system settings (e.g. permissions or ownership of the folder).

  • Modify: The user has permission to see, read, execute, write and delete files.

  • Read & Execute: The user has permission to view file contents in the folder including scripts and may execute programs.

  • List folder contents: The user has permission to see directories and files contained in the folder.

  • Read: The user has permission to see which directories and files the folder contains and can also view the contents of these files and folders.

  • Write: The user has permission to add files and subfolders and to write to files.

How Do Share Permissions Work?

Share permissions are used to control access to shared folders (and their subfolders and files) when accessed over a network. This means if access is made locally using a PC, the share permission has no influence. To set share permissions, right-click on the folder, go to “Properties”, click on the “Sharing” tab, then “Advanced Sharing” and, finally, click on “Permissions”.

Unlike NTFS permissions, share permission levels are limited to “Read”, “Change” and “Full Control”.

  • Full Control: The user can change folders and files within the share, as well as edit permissions and take control of files.

  • Change: Users are permitted to read, execute, write and delete folders and files in the share.

  • Read: Users are permitted to view folder contents.

The Issue With Share Permissions

The last thing you need in your company are complicated, messy and convoluted access structures. But if you decide to use share permissions only, that’s probably what you’re going to be dealing with. One reason is that share permissions allow you to have different levels of permission within the same folder hierarchy, which can be very confusing and misleading. Users might unintentionally end up with more rights to a folder than intended because the share permission on a lower-level folder allows more access than the one on a folder higher up in the hierarchy.


Is It Possible to Use NTFS and Share Permissions Simultaneously?

The short answer is, yes, it is. But you need to know exactly which permission has priority over another. Otherwise, you might end up giving your employees too many or not enough rights.

When accessing a folder or file via network, share permissions always have priority over NTFS permissions. If access is made locally on the file server, however, NTFS permissions rank first. Even if access is made via network, the share permission cannot be used as a means of extending the NTFS permission. It can only be used to further restrict the NTFS permission.

Note: If share permissions and NTFS permissions are used together, the most restrictive permission overrules the other.

Examples of Mixing Share and NTFS Permissions

Let’s examine how share and NTFS permissions behave when they are used together in the following example: Assume that access to our folder “\\srv\Department\Sales“ is made via network share and not locally.

Example 1

If the sharing permission is set to “Read“ and the NTFS permission is set to “Full Control“, the user will only get “Read“ access to the file because the share permission prohibits “Full control“ access via network.


Example 2

If the sharing permission is set to “Full Control“ and the NTFS permission is set to “Read & Execute“, the user will still only have “Read & Execute“ access to the file. While the share permission would permit “full“ access, the NTFS permission locally restricts access to “Read & Execute“.
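
Both examples can be reproduced as a bitwise intersection of two access masks. The following PowerShell function is an added illustration, not part of the original article; the function name `Get-EffectiveNetworkAccess` is made up for this example, and the mapping of the three share levels to `FileSystemRights` values is a simplifying assumption.

```powershell
# Added example: models access over the network as the intersection of the
# share-level mask and the NTFS mask. Local access ignores the share layer.

# Assumption: each share level is represented by the closest FileSystemRights value.
$ShareLevelMask = @{
    'Read'        = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    'Change'      = [System.Security.AccessControl.FileSystemRights]::Modify
    'FullControl' = [System.Security.AccessControl.FileSystemRights]::FullControl
}

function Get-EffectiveNetworkAccess {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Read', 'Change', 'FullControl')]
        [string]$ShareLevel,

        [Parameter(Mandatory)]
        [System.Security.AccessControl.FileSystemRights]$NtfsRights
    )

    # Only rights granted by BOTH layers survive: the share permission can
    # narrow what NTFS grants, but it can never widen it.
    $effective = [System.Security.AccessControl.FileSystemRights](
        $ShareLevelMask[$ShareLevel] -band $NtfsRights)

    [pscustomobject]@{
        Share          = $ShareLevel
        Ntfs           = $NtfsRights
        Effective      = $effective
        # True when the share layer removed rights that NTFS would have granted.
        ShareRestricts = ($effective -ne $NtfsRights)
    }
}

# Example 1 from the article: share "Read", NTFS "Full Control".
Get-EffectiveNetworkAccess -ShareLevel Read -NtfsRights FullControl

# Example 2 from the article: share "Full Control", NTFS "Read & Execute".
Get-EffectiveNetworkAccess -ShareLevel FullControl -NtfsRights ReadAndExecute

# Recommended baseline for domain users: share "Change", NTFS decides the rest.
Get-EffectiveNetworkAccess -ShareLevel Change -NtfsRights 'Read, Write'
```

The `ShareRestricts` column is the one to watch when reviewing a file server: wherever it is true, the share layer is silently cutting back what the NTFS ACL grants.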


Best Practices for Sharing and NTFS Permissions

As you can tell, folder sharing with only 3 available sharing permissions provides very limited security for folders. It is definitely more flexible to mainly rely on NTFS permissions to control access levels and then to ensure that your share permissions do not unnecessarily hinder access at network level.

We therefore recommend setting share permissions for admins to “Full Control” and to “Change” for domain users. Do not set any other share permissions. This way, it is guaranteed that the NTFS permissions you set apply and will not be restricted when access is made via network. Using NTFS to control access on file servers brings the following advantages:



  • You avoid the confusion and complexity of combining NTFS permissions and share permissions.
  • NTFS permissions can be fine-tuned.
  • NTFS permissions apply even if access is made locally on the server.
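
The recommendation above, written out as an added PowerShell example that is not part of the original article: it creates a share with only the two recommended entries, grants fine-grained access through NTFS, and then lists every share entry on the server that deviates from the baseline. The share name, local path, domain `CONTOSO` and group `Sales-RW` are placeholders.

```powershell
# Added example. All names below are placeholders; adjust to your environment.
$ShareName = 'Sales'
$Path      = 'D:\Department\Sales'
$Admins    = 'BUILTIN\Administrators'
$Users     = 'CONTOSO\Domain Users'

# 1. Share layer: "Full Control" for admins, "Change" for domain users, nothing else.
New-SmbShare -Name $ShareName -Path $Path -FullAccess $Admins -ChangeAccess $Users

# 2. NTFS layer: this is where access is actually controlled. Grant a
#    department group "Modify", inherited by subfolders and files.
$acl  = Get-Acl -Path $Path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'CONTOSO\Sales-RW', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Audit: report every share entry on this server that is not part of the
#    baseline (extra accounts, Deny entries, or a different access level).
$baseline = @{ $Admins = 'Full'; $Users = 'Change' }
Get-SmbShare -Special $false |
    Get-SmbShareAccess |
    Where-Object {
        $_.AccessControlType -ne 'Allow' -or
        $baseline[$_.AccountName] -ne "$($_.AccessRight)"
    } |
    Select-Object Name, AccountName, AccessControlType, AccessRight
```

An empty result from step 3 means no share on the server restricts access below what the NTFS ACLs grant, so the NTFS permissions alone determine what users can do.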
