Windows Server 2016 002: File Sharing and Permissions

In a Windows-based network, chances are high that you’ll have to deal with file sharing and permissions. Here I’ll give an overview of permissions, followed by some examples. Let’s get to it!


Permissions Overview

First up, let’s dive into permissions. In Windows we have two independent types of permissions: Share Permissions and NTFS Permissions. Anybody on the network trying to connect to a Share has to pass both Share Permissions and NTFS Permissions, meaning both have to allow you access. Locally, however (if you’re sitting at the computer that stores the files), Share Permissions don’t come into play at all; only NTFS Permissions determine whether you can access a folder.

Because both NTFS Permissions and Share Permissions have to allow access for users on the network, we can set Share Permissions to the “Everyone” group and manage final access with NTFS Permissions alone.


Sharing Folders

For this lab environment I’m going to create a Shares folder on the C drive. We’ll go ahead and set the Share Permissions to Everyone for this folder.

That’s it for creating the Share as this sets the Share Permissions and NTFS Permissions for us. Now we only need to focus on NTFS Permissions.


NTFS Permissions

I’ve gone and set up some users and groups to play with inside an Organizational Unit (OU). Bob and Sam are part of the People group. CEO is part of the CEO grp group. I also have the CEO grp group in the People group so that the CEO can keep an eye on Bob and Sam’s work.

I’ve also gone and created some folders within the Shares folder for us to edit the permissions of.

To change the NTFS Permissions we’ll first need to disable inherited permissions. Inheritance is on by default for all folders you create in the Shares folder, meaning we can’t remove the Everyone group from subfolders within the Share unless we disable inheritance first.

Once you’ve done that, click OK and you’ll now be able to edit the NTFS Permissions however you like. We can edit the CEO’s folder so that only they have permission to it now.

Remove the Everyone group, click Add and type the name of the group you would like to add.

I did the same to the Work folder, removing the Everyone group and adding the People group. Now when the user Sam tries to view the share this is what they see.

 

However, when the CEO views the share they see this.
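
The same share and NTFS setup can be scripted. The following is an added example, not part of the original walkthrough; the domain name `LAB`, the folder name `CEO`, the share access level and the `Modify` right are assumptions, and the two functions are hypothetical helpers. Run it from an elevated PowerShell session on the file server.

```powershell
# Added example. $Domain, folder names and access levels are assumptions.
$Root   = 'C:\Shares'
$Domain = 'LAB'   # placeholder NetBIOS domain name

# Create the folder and share it to Everyone; NTFS decides final access.
New-Item -Path $Root -ItemType Directory -Force | Out-Null
if (-not (Get-SmbShare -Name 'Shares' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Shares' -Path $Root -FullAccess 'Everyone' | Out-Null
}

function Set-ExclusiveGroupAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Group,
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Modify'
    )
    New-Item -Path $Path -ItemType Directory -Force | Out-Null

    # Disable inheritance, converting inherited entries into explicit ones.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Re-read so the converted entries can be edited, then drop Everyone
    # and grant the group on this folder, its subfolders and files.
    $acl = Get-Acl -Path $Path
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]'Everyone')
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Group, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-BroadAccessEntry {
    # Lists entries for wide groups that would still let other users in.
    param([Parameter(Mandatory)] [string] $Path)
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    (Get-Acl -Path $Path).Access |
        Where-Object { $broad -contains $_.IdentityReference.Value } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

Set-ExclusiveGroupAccess -Path "$Root\CEO"  -Group "$Domain\CEO grp"
Set-ExclusiveGroupAccess -Path "$Root\Work" -Group "$Domain\People"

Get-SmbShareAccess -Name 'Shares'   # share side: Everyone
'CEO', 'Work' | ForEach-Object { Get-BroadAccessEntry -Path "$Root\$_" }
```

If the last command prints any rows, a wide group copied from the parent folder still has access to that subfolder and should be reviewed before relying on the group entry alone.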


Mapping at login

To map this Share at login we’ll make a quick GPO. Open the Group Policy Management window from Server Manager > Tools (top right). Expand down to your domain name, right click it and select Create a GPO in this domain, and Link it here….

Pick a name and click OK. Right click the new GPO and click Edit.

In the new Window, expand down User Configuration > Preferences > Windows Settings > Drive Maps. Right click Drive Maps and go New > Mapped Drive.

We can enter the network path for the drive here, along with several other options.

Action: Update will create the mapping if it doesn’t already exist and update it if it does.

Location: the path to the Share.

Reconnect: makes the drive connect automatically.

Label as: the name shown for the drive.

Drive Letter: network drives normally start from Z and go backwards through the alphabet.

Click OK and you’re done. Repeat this as many times as you need to if you’re adding more network shares. You’ll need to log out and back in on any client computers for this to take effect, or type “gpupdate /force” into cmd.

Once you log back in you should see the drive mapped automatically.

This Post Has 7 Comments

  1. rardLef

    Hello. And Bye.

  2. rardLef

    hello everyone thanks for approve

  3. 우리카지노

    It is not my first time to pay a quick visit to this site,
    i am browsing this website daily and obtain good information from here everyday.

    1. John Keen

      Thank you, I hope you find many helpful bits of information!

  4. itaTub

    Hi everyone, I come from Italy / itawero

  5. Marilynn

    It's like you read my mind! You seem to understand a lot
    approximately this, such as you wrote the guide in it or something.
    I believe that you simply can do with some percent to force
    the message home a bit, however instead of that, that is magnificent blog.
    A fantastic read. I will definitely be back.

    1. John Keen

      Thank you for the kind words!
