Sharing and permissions in Windows NT

Introduction to folder sharing

Sharing allows resources to be designated as being available to all users over a network. When a folder is shared, users can log into the folder from across the network and access the files within, as though the folder were located on the hard drive of the computer they are currently using.

In order to increase network security, permissions can be applied to these resources to limit the actions that users can perform on them.
Once a folder is shared, users who have permission to it can access all the files and folders contained within.

Why share folders?

Folders are shared so that users can access applications, data, and user home folders over the network.

  • Keeping information together: Network application folders centralise system administration by specifying a single place for configuring and updating software.
  • Saving disk space: Data folders give users a central location to store and access files that they all use.
  • Data security: User home folders give users a central location for backing up their data.

Using shared folders is the only way to ensure the security of network resources in a FAT volume.

Shared folder permissions

Permissions may be applied to folders, and control the use of resource by a given user. In FAT, there are four different permissions:

  • Full Control (default permission) lets users change file permissions. On NTFS volumes, the users can also own files and carry out any tasks that the permission allows.
  • Change lets users create folders and add files, as well as modify and add file data. They can also change file attributes, delete folders and files, and perform any tasks authorized by the Read permission.
  • Read lets a user see the names of folders and files, see file data and attributes, run program files, and browse within folders.
  • No Access only allows a user to connect to the shared folder. Access to the folder is forbidden and its contents are not shown.

Permissions granted to the user will not take effect until the next time he or she logs in (meaning that this system is non-dynamic). Note that by default, "Full Control" permission is granted to the user group "Everyone." Therefore, before doing anything else, this group and its associated permissions must be deleted. Likewise, NEVER give "No Access" permission to the "Everyone" group, since the Administrator is part of this group. Your computer will be completely inaccessible and the only solution will be to reinstall Windows NT.

These two examples are a perfect illustration of security holes in Windows NT 4.0.

Granting permissions to users and groups

A user can have permissions attributed to him or her directly, or as a member of a group. Sometimes, a user may even be part of several groups that have different permissions on the same shared folder. Here is how these permissions are handled:

  • The user's permissions combine the differing permissions given to the different groups. Thus, a user in a group with "Read" permission on a folder who is also part of a group with "Full Control" permission on that same folder will have "Full Control" permission.
  • The only exception is the "No Access" permission, which is fully restrictive. If a user is part of both a group with "Full Control" permission on a folder and a group with "No Access" permission, the user will not be able to access that folder.

Ask a question
CCM is a leading international tech website. Our content is written in collaboration with IT experts, under the direction of Jean-François Pillou, founder of CCM reaches more than 50 million unique visitors per month and is available in 11 languages.
This document, titled « Sharing and permissions in Windows NT », is available under the Creative Commons license. Any copy, reuse, or modification of the content should be sufficiently credited to CCM (

Subscribe To Our Newsletter!

The Best of CCM in Your Inbox

Subscribe To Our Newsletter!