Shared folders allow users to access files over a network. In Windows Server environments, shared folder access is usually controlled using share permissions, NTFS permissions, and Active Directory security groups.
This document explains the basics of creating a shared folder and assigning permissions in a safe and organized way.
This process helps demonstrate:
- Creating a shared folder
- Applying share permissions
- Applying NTFS permissions
- Using security groups for access
- Testing access from a workstation
- Troubleshooting common permission issues
Example lab setup:
- File Server: Windows Server
- Domain:
company.local - Shared folder path:
D:\Shares\Sales - Network path:
\\FileServer01\Sales - Security group:
SharedDrive-Sales-Modify
Windows shared folder access is controlled by two permission layers.
Share permissions apply when users access the folder over the network.
Common share permissions:
| Permission | Description |
|---|---|
| Read | View files and folders |
| Change | Add, edit, and delete files |
| Full Control | Change permissions and take ownership |
NTFS permissions apply to the folder on the disk.
Common NTFS permissions:
| Permission | Description |
|---|---|
| Read & Execute | Open and run files |
| List Folder Contents | View folder contents |
| Read | View files |
| Write | Create and edit files |
| Modify | Read, write, edit, and delete files |
| Full Control | Complete control including permissions |
The most restrictive permission usually applies when both share and NTFS permissions are involved.
A common approach is:
- Set share permission to allow broad access for authenticated users or a specific group.
- Use NTFS permissions for more detailed control.
- Assign permissions to Active Directory groups, not individual users.
Example:
Folder: D:\Shares\Sales
Share name: Sales
Security group: SharedDrive-Sales-Modify
Permission: Modify
- Sign in to the file server.
- Open File Explorer.
- Create a folder.
Example:
D:\Shares\Sales
- Right-click the folder.
- Select Properties.
- Go to the Sharing tab.
- Click Advanced Sharing.
- Select Share this folder.
- Enter the share name.
Example:
Sales
- Click Permissions.
- Add the required group.
- Assign the correct share permission.
- Click Apply.
Example share permission:
SharedDrive-Sales-Modify: Change
- Go to the Security tab.
- Click Edit.
- Add the required security group.
- Assign the correct NTFS permission.
Example NTFS permission:
SharedDrive-Sales-Modify: Modify
- Remove unnecessary permissions only if approved by policy.
- Click Apply.
On a domain-joined workstation:
- Sign in as a test user or assigned user.
- Open File Explorer.
- Enter the network path.
Example:
\\FileServer01\Sales
- Test the expected access:
- Can the user open the folder?
- Can the user create a test file?
- Can the user edit the test file?
- Can the user delete the test file, if Modify access is expected?
The folder can be mapped manually or through Group Policy.
Manual mapping:
- Open File Explorer.
- Right-click This PC.
- Select Map network drive.
- Choose a drive letter.
- Enter the folder path.
Example:
S: -> \\FileServer01\Sales
Example documentation:
Created shared folder: D:\Shares\Sales
Share path: \\FileServer01\Sales
Security group: SharedDrive-Sales-Modify
Share permission: Change
NTFS permission: Modify
Tested access with user jsmith.
Folder access confirmed.
| Issue | Possible Cause | Resolution |
|---|---|---|
| User cannot open folder | Missing group membership | Add user to correct security group |
| User can open but cannot edit | NTFS permission is read-only | Update NTFS permission if approved |
| User was added but still cannot access | User session has old token | Ask user to sign out and sign back in |
| Access denied for everyone | Incorrect share or NTFS permissions | Review both permission layers |
| Folder path does not open | Incorrect server or share name | Confirm network path and DNS |
| User can access wrong folder | User is in extra group | Review group membership |
- Use Active Directory groups for folder access.
- Avoid assigning permissions directly to individual users.
- Follow least privilege.
- Use clear group names.
- Separate read-only and modify access groups.
- Test access after changes.
- Document permission changes.
- Review folder permissions regularly.
- Windows Server file sharing
- NTFS permission management
- Share permission configuration
- Active Directory group-based access
- Network path testing
- Access troubleshooting
- Documentation and support process