NTFS Permissions Calculator

See the access a user really gets when Share and NTFS permissions combine over the network.

Set in the folder's Advanced Sharing dialog.
Set on the folder's Security tab.

How effective permissions are calculated

When a user reaches a folder over the network, Windows checks two separate access lists: the Share permission on the shared folder and the NTFS permission on the file system. The user only gets what both lists allow — the more restrictive of the two wins.

Effective network permission = Share permission ∩ NTFS permission

A user with Full Control on the share but only Read on NTFS ends up with Read. Reverse it — Read on the share, Full Control on NTFS — and the result is still Read. The lower level always caps the outcome.

Local logon is different. When a user signs in directly to the server and opens the folder locally, share permissions are ignored entirely and only NTFS permissions apply.

Note: this calculator groups execute under read access and reports the standard Read, Change, Modify and Full Control levels. Deny entries, which always override Allow, are not modelled here.

Common permission combinations

Share permissionNTFS permissionEffective access
Full ControlFull ControlFull Control
Full ControlModifyModify
Full ControlReadRead
ChangeModifyModify
ChangeReadRead
ChangeWriteWrite only (no read)
ReadFull ControlRead
ReadModifyRead
ReadWriteNo effective access

One folder is easy. A whole file server isn't.

This calculator answers a single combination. Working out effective permissions across thousands of folders, broken inheritance and nested AD groups by hand doesn't scale — and that's where audit findings come from. NTFS Permissions Auditor scans your network and reports NTFS and share permissions together, in one pass.

Explore NTFS Permissions Auditor →

Frequently asked questions

How are effective permissions calculated when share and NTFS permissions differ?

Windows applies the more restrictive of the two. The effective access over the network is the intersection of the Share permission and the NTFS permission, so the lower level always wins.

Do share permissions apply when a user logs in locally?

No. Share permissions only apply to network access. When a user signs in directly to the machine, only NTFS permissions are evaluated.

What is the difference between share and NTFS permissions?

Share permissions control network access to a shared folder and offer three levels: Read, Change and Full Control. NTFS permissions control file-system access with far more granularity and apply both locally and over the network.

Can a user have Write access but not be able to read files?

Yes. The NTFS Write permission grants creating and changing files without granting read. If the share allows it, the effective result can be write-only — an easy misconfiguration to miss.

Is this NTFS permissions calculator free?

Yes. It runs entirely in your browser at no cost, and nothing is installed or sent anywhere.


Use of this site constitutes acceptance of our Privacy Policy and EULA. Copyright © Albus Bit SIA