Share Permission Interactions

If you implement classic sharing, it's also vital that you understand how these share permissions interact.

The most important rule to keep in mind is that share permissions are cumulative. For example, all users are part of the Everyone group, and by default, this group has the Read permission when setting up a share. Continuing the previous example, I've added a user, The Dude, to the ACL, and now grant that user Full Control. Permissions for The Dude have now been articulated twice: once as a part of the Everyone group, and once as an individual user (of course, it's possible for the user to be a part of multiple groups as well). What is the effective permission for The Dude?

Full Control, which is a combination of all group and individual permissions.

The exception to this is the Deny permission, which trumps any Allowed permission. For example, if the Everyone group were denied the Read permission, The Dude would be denied permission to Read the files in a folder he was otherwise able to fully control.

These sharing permission rules also apply:

• They are only effective when the shares are accessed over the network. They are not effective locally, when a user is sitting down at the computer that contains the share in question.

• They can be applied only to folders, not to individual files. (As a corollary, everything within a share is available, files and subfolders included.)

• Share permissions can be applied to any file system supported by Windows XP Professional. You can even share out directories on a CD-ROM, although all shares will be read-only due to the nature of the read-only media.

It's also vitally important to realize that share-level Permission entries that we've just seen are not the same as the ACL on the Security tab. We'll get to the Security tab presently.