See the access a user really gets when Share and NTFS permissions combine over the network.
When a user reaches a folder over the network, Windows checks two separate access lists: the Share permission on the shared folder and the NTFS permission on the file system. The user only gets what both lists allow — the more restrictive of the two wins.
Effective network permission = Share permission ∩ NTFS permission
A user with Full Control on the share but only Read on NTFS ends up with Read. Reverse it — Read on the share, Full Control on NTFS — and the result is still Read. The lower level always caps the outcome.
Note: this calculator groups execute under read access and reports the standard Read, Change, Modify and Full Control levels. Deny entries, which always override Allow, are not modelled here.
| Share permission | NTFS permission | Effective access |
|---|---|---|
| Full Control | Full Control | Full Control |
| Full Control | Modify | Modify |
| Full Control | Read | Read |
| Change | Modify | Modify |
| Change | Read | Read |
| Change | Write | Write only (no read) |
| Read | Full Control | Read |
| Read | Modify | Read |
| Read | Write | No effective access |
This calculator answers a single combination. Working out effective permissions across thousands of folders, broken inheritance and nested AD groups by hand doesn't scale — and that's where audit findings come from. NTFS Permissions Auditor scans your network and reports NTFS and share permissions together, in one pass.
Explore NTFS Permissions Auditor →Windows applies the more restrictive of the two. The effective access over the network is the intersection of the Share permission and the NTFS permission, so the lower level always wins.
No. Share permissions only apply to network access. When a user signs in directly to the machine, only NTFS permissions are evaluated.
Share permissions control network access to a shared folder and offer three levels: Read, Change and Full Control. NTFS permissions control file-system access with far more granularity and apply both locally and over the network.
Yes. The NTFS Write permission grants creating and changing files without granting read. If the share allows it, the effective result can be write-only — an easy misconfiguration to miss.
Yes. It runs entirely in your browser at no cost, and nothing is installed or sent anywhere.