I'm facing slight confusion over permissions on a file server running Windows Server 2003.

I've created a number of new shared folders and moved data across no problem.

The share permissions are set as 'Everyone' having full control, and since the most restrictive permissions are applied, I've allocated individual NTFS permissions for read, write, modify etc.

All good until disaster strikes in the form of a basic user being able to access confidential info in a share locked down as described above. They were not added to the NTFS access control list, so presumably should have been denied entry to the folder...

I guess the crux of my query is: if a user does not have any permissions applied through NTFS and the share permissions are set as Everyone: Full Control, then by default will people have full control or no access?

Thanks in advance, like.



You have set permission for everyone to access everything and then set special permission for some people to access some things. Now everyone can access everything and some people can access everything plus they can also access the files you have set for them that you have already given them permission to access.


Hmmmm, I'm sure I've read it's best practice to give everyone full access using share permissions and restrict using NTFS (because these permissions take effect both locally and over the network).

If I'm doing this, then the only way I can lock down access further is by using the deny attribute in NTFS(?) which, as it overwrites all other permissions, can't be used to lock down the Everyone group. Alternatively, maybe I need to add 'Everyone' as an entry in NTFS and remove all permissions???

I'm sure there must be a (relatively) simple solution to this, as really I'm just after the best practice method of locking down folders and opening up access to individual users using share and NTFS rights...

Hope this makes sense, and ta for the reply.
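
An added example, not part of the original thread: a simplified Python model of how share and NTFS ACLs combine for the setup described in the question. All accounts, groups and ACLs are constructed; the model assumes a matching deny always beats an allow and ignores ACE ordering, and the inherited `Users` entry is an assumed illustration of a group entry that a user can match without being named on the list.

```python
# Simplified model of Windows share + NTFS access checks (constructed data).
READ, WRITE, DELETE, CHANGE_PERMS = 1, 2, 4, 8
MODIFY = READ | WRITE | DELETE
FULL = MODIFY | CHANGE_PERMS

def evaluate(acl, token):
    """Rights one ACL grants to a token (the user's name plus group names).

    Allow entries accumulate across every matching trustee; a matching deny
    removes its rights. No matching entry means no access (implicit deny).
    """
    allowed = denied = 0
    for trustee, kind, rights in acl:
        if trustee in token:
            if kind == "deny":
                denied |= rights
            else:
                allowed |= rights
    return allowed & ~denied

def effective(share_acl, ntfs_acl, token, over_network=True):
    """Network access is limited by both ACLs; local access only by NTFS."""
    ntfs = evaluate(ntfs_acl, token)
    return ntfs & evaluate(share_acl, token) if over_network else ntfs

def matching_allows(acl, token):
    """Trustees whose allow entries apply to this token, for auditing."""
    return [t for t, kind, _ in acl if kind == "allow" and t in token]

# Constructed sample ACLs and users.
SHARE_ACL = [("Everyone", "allow", FULL)]
NTFS_EXPLICIT = [("Administrators", "allow", FULL), ("alice", "allow", MODIFY)]
# Assumption: the folder still inherits a Users entry from its parent.
NTFS_INHERITING = NTFS_EXPLICIT + [("Users", "allow", READ)]

ALICE = {"alice", "Everyone", "Users"}
BOB = {"bob", "Everyone", "Users"}  # basic user, not named in the NTFS ACL

if __name__ == "__main__":
    print("bob, explicit ACL only:", effective(SHARE_ACL, NTFS_EXPLICIT, BOB))
    print("bob, inherited Users ACE:", effective(SHARE_ACL, NTFS_INHERITING, BOB))
    print("bob matches:", matching_allows(NTFS_INHERITING, BOB))
    print("alice:", effective(SHARE_ACL, NTFS_INHERITING, ALICE))
```

In this model a user who matches no NTFS entry ends up with no access even when the share grants Everyone full control, so unexpected access points to a group entry on the folder's ACL that the user's token matches.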
