Shared folder permissions determine who can gain access to resources on remote computers. When a folder is shared, users can connect to the folder over the network and gain access to its contents. Shared folder permissions allow you to control which users or groups can gain access to the contents of a shared folder.
Shared folder permissions are different from NTFS permissions. NTFS permissions use access control lists (ACLs) to limit access to resources, and can only be assigned to resources on an NTFS volume. In addition, NTFS permissions can be assigned to both files and folders. Shared folder permissions do not use access control lists, and can therefore be used on a volume that is formatted with any file system. In addition, shared folder permissions can only be assigned to folders. For more information about NTFS permissions, see "File Systems" in this book.
In addition to folders you designate as shared, Windows XP Professional also creates several shared folders by default when you start a computer or when you stop and then start the Server service. These shared folders, called the administrative shares, are shared for administrative purposes and allow users to access administrative resources remotely. Some of the administrative shares cannot be configured, and access is restricted to users who have administrative rights. The administrative shares include folders such as the systemroot folder (ADMIN$), the root folder of every drive (C$, D$, and so on), and the printer driver folder (PRINT$).
Shared folder permissions can only be set by members of the Administrators, Power Users, or Server Operators groups. Users who have been granted the Create Permanent Shared Objects user right can also assign shared folder permissions. If a folder resides on an NTFS volume, you must have at least Read permission to assign shared folder permissions.
There are three types of shared folder permissions: Read (the most restrictive), Change, and Full Control (the least restrictive). Table 6.3 describes each of these permissions.
Table 6.3 Shared Folder Permissions
|Permission|Description|
|---|---|
|Read|Users can display folder and file names, display file data and attributes, run program files and scripts, and change folders within the shared folder.|
|Change|Users can create folders, add files to folders, change data in files, append data to files, change file attributes, delete folders and files, and perform all tasks permitted by the Read permission.|
|Full Control|Users can change file permissions, take ownership of files, and perform all tasks permitted by the Change permission.|
You can allow or deny shared folder permissions to individual users or groups. From an administrative standpoint, it is usually most efficient to assign permissions to a group rather than to individual users. Also, deny permissions only when it is necessary to override permissions that are otherwise applied. Denied permissions take precedence over any permissions that you otherwise allow for user accounts and groups. For example, it might be necessary to deny permissions to a specific user who belongs to a group that has been granted permissions.
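The following Python model shows how group grants and a per-user deny combine into one user's effective access. It is an added example, not part of the original text and not Windows code. Assumptions: the task names paraphrase Table 6.3, the users, groups and share entries are constructed, and evaluation is simplified to "allows accumulate, any matching deny wins".

```python
# Simplified model of share-permission evaluation (added example).
# Task names paraphrase Table 6.3; users, groups and entries are constructed.
READ = frozenset({"list_names", "read_data", "read_attributes",
                  "run_programs", "change_folders"})
CHANGE = READ | {"create_folders", "add_files", "write_data", "append_data",
                 "write_attributes", "delete"}
FULL_CONTROL = CHANGE | {"change_permissions", "take_ownership"}
LEVELS = {"Read": READ, "Change": CHANGE, "Full Control": FULL_CONTROL}


def effective_tasks(user, groups, entries):
    """Return the set of tasks `user` may perform through the share.

    entries: iterable of (trustee, "allow" | "deny", level) tuples.
    Allows granted to the user and to each of the user's groups accumulate;
    a deny that matches the user or any group removes its tasks, whatever
    was allowed elsewhere.
    """
    trustees = {user, *groups}
    allowed, denied = set(), set()
    for trustee, kind, level in entries:
        if trustee not in trustees:
            continue
        (denied if kind == "deny" else allowed).update(LEVELS[level])
    return allowed - denied


def effective_level(user, groups, entries):
    """Name the highest Table 6.3 level fully covered, or None for no access."""
    tasks = effective_tasks(user, groups, entries)
    for name in ("Full Control", "Change", "Read"):
        if LEVELS[name] <= tasks:
            return name
    return None


# Constructed share: permissions assigned to groups, plus one deny that
# overrides the group grant for a single member.
SHARE_ENTRIES = [
    ("Engineering", "allow", "Change"),
    ("Managers", "allow", "Full Control"),
    ("alice", "deny", "Full Control"),
]

if __name__ == "__main__":
    for user, groups in [("carol", ["Engineering"]), ("alice", ["Engineering"]),
                         ("dave", ["Engineering", "Managers"])]:
        print(user, "->", effective_level(user, groups, SHARE_ENTRIES))
```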
When you assign shared folder permissions, keep the following in mind:
To configure shared folder permissions