Configuring Shared Folder Permissions

Shared folder permissions determine who can gain access to resources on remote computers. When a folder is shared, users can connect to the folder over the network and gain access to its contents. Shared folder permissions allow you to control which users or groups can gain access to the contents of a shared folder.

Shared folders and NTFS permissions

Shared folder permissions are different from NTFS permissions. NTFS permissions use access control lists (ACLs) to limit access to resources, and can only be assigned to resources on an NTFS volume. In addition, NTFS permissions can be assigned to both files and folders. Shared folder permissions do not use access control lists, and can therefore be used on a volume that is formatted with any file system. In addition, shared folder permissions can only be assigned to folders. For more information about NTFS permissions, see "File Systems" in this book.

Administrative shares

In addition to folders you designate as shared, Windows XP Professional also creates several shared folders by default when you start a computer or when you stop and then start the Server service. These shared folders, called the administrative shares, are shared for administrative purposes and allow users to access administrative resources remotely. Some of the administrative shares cannot be configured, and access is restricted to users who have administrative rights. The administrative shares include folders such as the systemroot folder (ADMIN$), the root folder of every drive (C$, D$, and so on), and the printer driver folder (PRINT$).

Setting shared folder permissions

Shared folder permissions can only be set by members of the Administrators, Power Users, or Server Operators groups. Users who have been granted the Create Permanent Shared Objects user right can also assign shared folder permissions. If a folder resides on an NTFS volume, you must have at least Read permission to assign shared folder permissions.

There are three types of shared folder permissions: Read (the most restrictive), Change, and Full Control (the least restrictive). Table 6.3 describes each of these permissions.

Table 6.3   Shared Folder Permissions

Permission     Description
Read           Users can display folder and file names, display file data and attributes, run program files and scripts, and change folders within the shared folder.
Change         Users can create folders, add files to folders, change data in files, append data to files, change file attributes, delete folders and files, and perform all tasks permitted by the Read permission.
Full Control   Users can change file permissions, take ownership of files, and perform all tasks permitted by the Change permission.

You can allow or deny shared folder permissions to individual users or groups. From an administrative standpoint, it is usually most efficient to assign permissions to a group rather than to individual users. Also, deny permissions only when it is necessary to override permissions that are otherwise applied. Denied permissions take precedence over any permissions that you otherwise allow for user accounts and groups. For example, it might be necessary to deny permissions to a specific user who belongs to a group that has been granted permissions.

When you assign shared folder permissions, keep the following in mind:

To configure shared folder permissions

  1. Right-click the folder for which you want to configure shared folder permissions, and then click Properties.
  2. In the folder properties dialog box, click the Sharing tab, and then click Permissions.
  3. In the Permissions for dialog box, click Add.
  4. In the Select Users, Computers, or Groups dialog box, click Object Types, click the Users check box, and then click OK.
  5. Under Enter the object names to select, type the name of the group or user for which you want to set shared folder permissions, and then click OK.
  6. In the Permissions for dialog box, in the Group or user names box, click the group or user for which you want to set shared folder permissions.
  7. In the Permissions for dialog box, allow or deny permissions, and then click OK.
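
To review the permissions that result from this procedure, the following added example (not part of the original text) lists every allow and deny entry on the local computer's shared folders. It assumes Windows PowerShell is installed and run by an administrator, and it reads the entries through the Win32_LogicalShareSecuritySetting WMI class; the variable names are illustrative.

```powershell
# Added example: list the shared folder permissions set on the local computer.
# Run from an administrative Windows PowerShell session.

# Access mask values that correspond to the three levels in Table 6.3.
$levels = @{ 1179817 = 'Read'; 1245631 = 'Change'; 2032127 = 'Full Control' }

$report = foreach ($share in Get-WmiObject -Class Win32_LogicalShareSecuritySetting) {
    $result = $share.GetSecurityDescriptor()
    if ($result.ReturnValue -ne 0) {
        Write-Warning "Cannot read permissions for '$($share.Name)' (error $($result.ReturnValue))"
        continue
    }
    # Skip shares that return no entries (foreach would otherwise run once on $null).
    if ($null -eq $result.Descriptor.DACL) { continue }

    foreach ($entry in $result.Descriptor.DACL) {
        $trustee = $entry.Trustee
        if ($trustee.Domain) {
            $name = "$($trustee.Domain)\$($trustee.Name)"
        } elseif ($trustee.Name) {
            $name = $trustee.Name
        } else {
            $name = $trustee.SIDString      # account name could not be resolved
        }

        $mask = [int]$entry.AccessMask
        if ($levels.ContainsKey($mask)) {
            $level = $levels[$mask]
        } else {
            $level = 'Other (0x{0:X})' -f $mask
        }

        # AceType 0 is an allow entry, 1 is a deny entry.
        if ($entry.AceType -eq 1) { $type = 'Deny' } else { $type = 'Allow' }

        New-Object PSObject -Property @{
            Share = $share.Name; Trustee = $name; Type = $type; Permission = $level
        }
    }
}

# Deny entries are listed first for each share because they take precedence.
$report | Sort-Object Share, @{ Expression = 'Type'; Descending = $true }, Trustee |
    Format-Table Share, Trustee, Type, Permission -AutoSize
```

Each Deny row overrides any Allow row that applies to the same user, whether directly or through group membership, so read those rows first when working out what a user can actually do.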