Disdain for File Shares: 99%
A recent (make-believe yet highly accurate) survey was conducted and the results were staggering. Although I feel these numbers may be a bit low, let’s just roll with them. 99% of system administrators would rather have their completely healthy teeth pulled without lidocaine performed by a student in training than deal with NTFS and file share permissions in Windows.
But you, sir/ma’am, are an elitist and you are the 1%. You woke up ready to destroy some file shares (figuratively, of course, but you do have backups just in case you’re a little overzealous). After reading up on everything NTFS permissions and Share permissions can do, you’re still feeling confident that you can tame the beast and get your stuff under control. The advice you’re given by the ancestral sysadmins of days gone by is this:
“Young grasshopper, when you use NTFS and Share permissions together, the most restrictive permission gets applied.”
\\\Round 1: Share Restrictions
After bowing to your Sensei, you put the theory to test. You create a file share and set the NTFS permissions to “Full Control” for your specific user account and set the Share Permissions for Everyone to “Read.” You then connect to the share and lo and behold, you can (only) read! So Round 1 goes to Share Permissions, which is the most restrictive.
\\\Round 2: NTFS Restrictions
Let’s see if the reverse is true. Let’s set the Share Permissions for Everyone to “Full Control” and the NTFS permissions for our specific user account to “Read” and see who wins. Go ahead, don’t be shy. Do it.
Well, I can still create files. The most restrictive permission didn’t win…but why???
Before you cast doubt on your sensei, let’s look at what NTFS permissions are set on this folder. Nothing too conspicuous, but one entry catches my eye: the local “Users” group, with an inherited entry that grants more than Read. If we open the Local Users and Groups console, click on Groups, and open this “Users” group, we’ll see that the “Domain Users” group from our domain is a member of it! Every domain account matches that entry, so no wonder we’re still able to write!
\\\Round 2.5: We’re Not Finished
Let’s do what we do best and delete some stuff—specifically the “Users” group from the NTFS ACL—and try again. You’ll find you can’t remove it right away: by default the folder has inheritance turned on and this entry is inherited from the parent folder (ultimately from the root of the drive). Turn off inheritance on the folder first (copying the inherited entries so the rest of the ACL survives), then remove the local “Users” group. Test again, and voila! The most restrictive permission—in this case our NTFS permission—wins!
With this information in mind, the next logical step would be to set your Share Permissions to “Full Control” for the Everyone group and then just restrict access with the NTFS permissions, right? This way, you’re only worrying about adjusting the permissions in one place. This sounds like a great idea. In fact, most guides you find on the interwebs will tell you to do this, but I stumbled upon a situation where these two settings really started duking it out and things got bloody.
Setting our Share permissions loosely and restricting access with our NTFS permissions works great in most scenarios, but what if we want users to be able to create files and subfolders without being able to change the permissions on the files they create? Have you ever had a user randomly change the permissions on a file that they created? Nothing’s worse (besides coloring outside the lines and mismatched display names in AD) than a perfectly ordered file share becoming imperfect and disorderly.
And like a new challenger in Street Fighter busting onto the scene, another group emerges. Introducing in the red corner, wearing the red and blue trunks, weighing in at 185 pounds, it’s the CREATOR OWNER group! If we look at the NTFS permissions on our folder we see that the CREATOR OWNER group has “Special” permissions. Makes you feel all warm and fuzzy. After clicking on “Advanced” we see that it has “Full Control” on Subfolders and files only. CREATOR OWNER isn’t a group with members; it’s a placeholder. When a user creates a file or folder in this directory, the inheritable CREATOR OWNER entry is copied onto the new object as an entry for that user, so the creator ends up with Full Control of whatever they create. If we want to control the permissions on the files users create, this group is the sucker punch. Let’s remove it from our ACL altogether.
If we haven’t turned off inheritance already on this shared folder, we’ll have to do that first before we can remove the CREATOR OWNER group. Once it’s removed/changed, let’s check again and see if we’ve delivered the knockout punch.
Dang…this brute is taking a kicking and still ticking. Yes, this just became kickboxing. If I connect to the share and create a file, I can still edit the permissions…even after I’ve removed the CREATOR OWNER group from the ACL. As the ref starts the countdown and I’m seeing birdies from my comfortable spot lying face up on the mat, I think back to what my trainer once told me: “Son, have you tried to lower the Share permissions for the Everyone group from “Full Control” to “Change” on your share?”
I get my sixth wind and jump back to my feet, I see Adrian in the crowd, and I start going at my opponent one more time before I give up and install Linux. I change the Share permissions for Everyone to “Change,” and it’s a knockout! I was nearly down for the count, but what a comeback! It turns out that setting the Share permissions to “Full Control” and controlling everything else with NTFS permissions works most of the time, but definitely not with the CREATOR OWNER group. Here’s what was really going on: whoever creates a file becomes its owner, and NTFS always lets an object’s owner read and change its permissions, whether or not any entry in the ACL says so. Removing CREATOR OWNER took away the explicit Full Control grant, but not that implicit owner right. The “Change” share permission doesn’t include the Change Permissions or Take Ownership rights, so the owner can’t exercise that right across the share; “Full Control” on the share lets it through. This drove me nuts when I first discovered it and I couldn’t figure out why the NTFS permissions weren’t applying correctly. Hours of my life I’ll never get back; gone like that time I downloaded Flappy Bird.
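As an added example (this is not code from the original post), here is the whole fight scripted in PowerShell on the file server: inheritance off, the inherited BUILTIN\Users entry and CREATOR OWNER removed, a team group granted Modify, the share created with “Change” rather than “Full Control,” and a check function that reports whether the NTFS ACL or the share still hands anyone the Change Permissions right. The path D:\Shares\Team, the share name Team and the group CONTOSO\Team-Users are assumptions; substitute your own.

```powershell
# Added example, not code from the original post. Scripts the end state the post arrives at
# and then checks it. Hypothetical names: D:\Shares\Team, share "Team", CONTOSO\Team-Users.
# Run in an elevated PowerShell on the file server (SmbShare module: Server 2012 / Win 8+).

$Path  = 'D:\Shares\Team'
$Share = 'Team'
$Group = 'CONTOSO\Team-Users'   # the people who may create and edit files

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# ---- NTFS side (icacls, which handles inherited entries without a Get-Acl/Set-Acl dance)
# Round 2.5: turn inheritance off. ":d" copies the inherited entries onto the folder as
# explicit entries, so the SYSTEM/Administrators grants survive and the rest can be removed.
icacls $Path /inheritance:d | Out-Null

# Drop the inherited BUILTIN\Users grant. Domain Users is a member of this local group on a
# domain-joined server, which is what let every domain user write in Round 2. (If your drive
# root also hands write access to some other inherited principal, remove it the same way.)
icacls $Path /remove:g 'BUILTIN\Users' | Out-Null

# Drop CREATOR OWNER (well-known SID S-1-3-0). Its inherit-only Full Control entry is copied
# onto each new file as a grant to the user who created it.
icacls $Path /remove:g 'CREATOR OWNER' | Out-Null

# Give the team Modify (M) on the folder, subfolders and files, not Full Control (F):
# Modify omits the Change Permissions and Take Ownership rights.
icacls $Path /grant "${Group}:(OI)(CI)M" | Out-Null

# ---- Share side: "Change" instead of "Full Control".
# The Change share mask lacks WRITE_DAC/WRITE_OWNER. NTFS always lets a file's owner change
# its DACL regardless of the ACL (and the creator is the owner), but that right cannot be
# used through a share that does not pass it. This is the post's knockout punch.
if (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue) {
    Remove-SmbShare -Name $Share -Force
}
New-SmbShare -Name $Share -Path $Path -ChangeAccess 'Everyone' | Out-Null

# ---- Checks: does anything still grant the right to rewrite permissions?
function Test-ShareLockdown {
    param([string]$Path, [string]$Share)

    $acl = Get-Acl -Path $Path
    $dangerous = [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership

    # Any Allow entry other than SYSTEM/Administrators that carries ChangePermissions or
    # TakeOwnership (Full Control includes both) defeats the point of the exercise.
    $leaks = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notmatch '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators)$' -and
        (([int]$_.FileSystemRights) -band ([int]$dangerous))
    }
    $creatorOwner = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' }
    $shareFull    = Get-SmbShareAccess -Name $Share | Where-Object { $_.AccessRight -eq 'Full' }

    [pscustomobject]@{
        InheritanceDisabled = $acl.AreAccessRulesProtected          # expect True
        CreatorOwnerPresent = [bool]$creatorOwner                   # expect False
        NtfsDaclLeaks       = @($leaks | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
        ShareFullControl    = @($shareFull | ForEach-Object { $_.AccountName })   # expect empty
    }
}

Test-ShareLockdown -Path $Path -Share $Share
```

Two caveats worth knowing before you copy this. First, “Change” on the share blocks administrators from editing permissions through that share too; they now do it on the server itself or via the administrative share, which is usually what you want. Second, if the share really must stay at “Full Control,” the NTFS-only alternative is an OWNER RIGHTS entry (well-known SID S-1-3-4): when that entry is present in a DACL, it replaces the owner’s implicit rights, so granting OWNER RIGHTS nothing more than Read stops the creator from rewriting the DACL even over a Full Control share.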
The battle between NTFS and Share permissions wasn’t quite to the death, but if you run into issues with NTFS permissions not applying correctly, try lowering the Share permissions to “Change” rather than “Full Control” and see if they start applying correctly. Assuming you set up file shares instead of handing out USB sticks and telling your people to “deal with their own dang problems,” how do you set up your file shares in Windows? What tips do you have? Learn me something!