Chapter 2
66
➤ Shared folder permissions
➤ NTFS permissions
➤ EFS-encrypted files
If you review these three major factors in the sequence listed, you should be
able to solve most access-control issues. Share permissions do not apply to
local users trying to access local folders and files. NTFS permissions and
EFS encryption apply to both local and network users.
For remote users attempting to access files over the network, always check the
share permissions first. Also, the default share permissions are Everyone:
Allow Read for Windows XP Professional and Windows Server 2003.
Share permissions have no effect on local file access by local users; local
access includes users interactively logged on to a computer and users logged
on to a computer via Terminal Services (Remote Desktop Connections).
After you verify the share permissions for a folder, check the NTFS permissions.
NTFS permissions apply to all users—whether they are local users or
network users. Be sure to review all special NTFS permissions, not just the
basic NTFS permissions. Right-click the folder or file in question, select
Properties, and click the Security tab. Click the Advanced button to view and
adjust the special NTFS permissions, if necessary.
Also, from the Advanced Security Settings dialog box, click the Effective
Permissions tab and check the effective permissions for each user and group
that you are investigating. These measures should reveal why users can’t
access the folders or files that they need.
After you verify and make any necessary changes to the share permissions
and NTFS permissions to allow users to access the files and folders that they
need, be sure to check for EFS encryption if the access problem still persists.
To check a file or folder for EFS encryption, right-click the object and select
Properties. From the General tab, click the Advanced button to display the
Advanced Attributes dialog box, as shown in Figure 2.10.
If the Encrypt Contents to Secure Data check box is marked, the object is
encrypted: encryption limits access to the user who originally encrypted the
file, any users who have been granted shared access to the encrypted file, and
the designated Data Recovery Agent (DRA).
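
The same three-step review can be scripted. The following PowerShell is an added example, not part of the original text; it assumes a current Windows release with PowerShell 3.0 or later and the SmbShare module (not available on Windows XP or Windows Server 2003), and it is run on the computer that hosts the folder. The parameter names `$Path` and `$RemoteUser` are hypothetical.

```powershell
# Added example: review share permissions, NTFS permissions, then EFS, in that order.
# Assumption: PowerShell 3.0+ with the SmbShare module (Windows 8 / Server 2012 or later).
param(
    [Parameter(Mandatory)][string]$Path,   # hypothetical name: local path on the hosting computer
    [switch]$RemoteUser                    # hypothetical name: set if the user connects over the network
)

$item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
$full = $item.FullName

# Step 1: share permissions. Skipped for local and Terminal Services users,
# because share permissions have no effect on local access.
if ($RemoteUser) {
    $shares = Get-SmbShare | Where-Object {
        if (-not $_.Path) { return $false }          # IPC$ and similar have no path
        $root = $_.Path.TrimEnd('\')
        # Match the share root itself or anything beneath it (avoid C:\Data matching C:\Database)
        $full -ieq $root -or
            $full.StartsWith($root + '\', [StringComparison]::OrdinalIgnoreCase)
    }
    if (-not $shares) { Write-Output "No share exposes $full to network users." }
    foreach ($s in $shares) {
        Write-Output "Share permissions for '$($s.Name)' ($($s.Path)):"
        Get-SmbShareAccess -Name $s.Name |
            Format-Table AccountName, AccessControlType, AccessRight -AutoSize
    }
}

# Step 2: NTFS permissions. These apply to local and network users alike.
# FileSystemRights lists special permissions as well as the basic ones.
Write-Output "NTFS permissions on ${full}:"
(Get-Acl -LiteralPath $full).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

# Step 3: EFS. The Encrypted attribute corresponds to the
# "Encrypt Contents to Secure Data" check box in Advanced Attributes.
if ($item.Attributes -band [IO.FileAttributes]::Encrypted) {
    Write-Output "$full is EFS-encrypted; access is limited to authorized users and the DRA."
    if (-not $item.PSIsContainer) {
        # cipher /c lists the users and recovery agents able to decrypt the file
        cipher /c $full
    }
} else {
    Write-Output "$full is not EFS-encrypted."
}
```

The script reports the configured entries at each layer; the Effective Permissions tab remains the place to see the computed result for a specific user or group.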