What are Shared Folder Permissions

An administrator must ensure that the users can gain access to folders on the network that contains the files in which they need to work on. Sharing a folder enhance security as you can set permissions for users who can access these shared folders.


Shared folders can have data, applications or a home folder which has user's personnel data. To share a folder you must be a member of one of the groups that have rights to share folders on the computer where the file resides. When you share the folder you can control access to the folder and its contents by granting permissions to selected users and groups. After creating a folder if you want to share it, you have to provide shared folder name and comment on folder description, can limit the total number of users to access the folder and then grant permissions. To create a shared folder, right-click the folder in Windows Explorer and click Sharing. On the sharing tab configure the options.

You use shared folder permissions to control users to gain access for shared folders. Shared folder permissions apply to shared folder only, not to individual files. Permissions which you can set on shared folders are:

Read: If user has Read permission it allows user to display name of the folder, name of the file, attributes, and file data. Within the shared folders run application files, and change folders.
Change: If user has Change permission it allows to add files to folder, can create folders. User has rights to change data in files, can change the attributes of file, and append data to files. Users can delete folders and files and have all the permissions of Read.
Full Control: With Full control permission user gets the ownership of the file and can change file permissions, and gets the same permissions of read and change also. By default every one group has this permission.
Permissions are Cumulative
A user's effective permissions for a resource are the combination of the shared folder permissions that you grant to the individual user account and the shared folder permissions that you grant to the groups to which the user belongs.

For example: If a user has Read permission to access the folder, but also a member of a group who has write permission for the same folder, then the user gets both Read and Write permissions for that folder.

Deny Overrides other Permissions
You can also deny shared folder permissions. Denied permission overrides any allowed permission set for groups and user accounts.

Granting Shared Folder Permissions
You can grant shared folder permission when the folder on a drive formatted to use the NTFS, FAT or FAT32 file system.

Open the shared folder Permission. On the sharing tab click Permission to open the permissions dialog box.
Click Add, in the Select Users, Groups or Computers dialog box click to see a list of domains from which you can select user account and group names.
Select the User or Group for which you want to grant permissions.
Select the Allow check box of the appropriate permissions for the User Account, Group or Computer.
Connecting to a Shared Folder
After you share a folder users can easily access to the folder which are placed across the network. Users can gain access to shared folder which is placed on another computer by using My Network Places, Map Network Drive or Run command.

Using My Network Places: Double click my network places. Enter the network path of the shared folder you want to connect to or click browse to find the computer on which the shared folder is created. Then double click the shared folder to open it.
Using Map Network Drive: You use drive letters to gain access to shared folders for which you cannot use a UNC (Universal Naming Convention) path, such as folder for an older application. Right click my network places and then click map network drive. In the map network drive wizard, select the drive letter that you want to use. Enter the name of the shared folder you want to connect to or click Browse to find the shared folder.
Using Run Command: Click Start, and then click Run. In the run dialog box, enter a UNC path in the open box, and then click OK.
Combining NTFS and Shared Folder Permissions
One strategy for controlling access to network resources on an NTFS partition is to share folders which have default shared folder permission and then to control access to these folders by granting NTFS permissions.

When you grant shared folder permissions on an NTFS Volume, rules applied are:

NTFS permissions are required on a NTFS volume. By default the Everyone group has the full control permission.
Users must have the appropriate NTFS permissions for each file and sub folder in a shared folder with the shared folder permissions in order to gain access to those resources.
When you combine NTFS permissions and shared folder permissions the resulting permission is the most restrictive permission on the combined shared folder permissions or the combined NTFS permissions. Administrative Shared Folders
Administrators use administrative shared folder to do administrative tasks.
Administrative shared folders are hidden from normal users.
Administrators have full control permission.
The root of each partition is automatically shared by C$, D$, and E$.
The C:\Winnt folder is shared as Admin$.
The folder containing the printer driver files is shard as Print$ (created when the first printer is created).
Publishing a shared folder in Active Directory
Publishing resources including shared folders in Active Directory enables users to search Active Directory to find resources on the Network, even if the physical location of the resources changes.

Open the Active Directory Users and Computers from the Administrative tools.
In the console tree of the Active Directory Users and Computers, right click the Domain in which you want to publish the shared folder, point to New, and then click Shared folder.
In the Shared folder Name box, type the Folder Name as you want it to appear in Active Directory.
In the Network path box, type the path to the Shared Folder (UNC) name and then click OK.