Access to shares is restricted through a combination of share-level and file-level (NTFS) permissions. Together they determine how far users can view and modify the contents of the shared directory. When a user requests access to a share, the share-level permissions are checked first; if the user is authorized at the share level, the file-level permissions on the requested file or subdirectory are checked next. Where the two differ, the more restrictive of the two applies: a user with Full share access but only read NTFS access to a file can only read that file, and the reverse holds as well. The following table lists what each share permission level allows by itself, where [a] = “allowed” and [d] = “denied”:
| Activity | Read | Change | Full |
|---|---|---|---|
| View the names of files and subdirectories | a | a | a |
| Change to subdirectories of the shared directory | a | a | a |
| View data in files | a | a | a |
| Run applications | a | a | a |
| Add files and subdirectories | d | a | a |
| Change data in files | d | a | a |
| Delete files and subdirectories | d | a | a |
| Change permissions on files or subdirectories | d | d | a |
| Take ownership of files or subdirectories | d | d | a |
One of the features of SMB is the ability to grant share access to computer accounts. A computer account is created automatically by the operating system when a computer joins the domain and is registered in Active Directory; it can be used for authentication within the domain. Only services that run under the computer's identity (for example, as Local System or Network Service) or applications with built-in support authenticate as the computer account; an interactive user cannot log on with it. For example, Hyper-V allows virtual machine files to be stored on remote SMB shares. Such shares must grant Full access, at both the share level and the file level, to the computer account of the host running Hyper-V.
When configuring access to a share, only users and groups whose identity the server can resolve can be added, that is, accounts that are:
- Known to a domain controller of the server's domain or of a trusted domain (domain users, groups and computer accounts).
- Local to the server itself, or otherwise visible to the server on the network.
When a user is granted access to a shared file, the user's access level is determined by the most permissive Allow entry that applies to the user directly or through group membership. For example, if a user has read access to a file but also belongs to a group with change access to the same file, the user has change access to the file. The one exception is an explicit Deny entry: a Deny that applies to the user, or to any group the user belongs to, takes precedence over Allow entries for the rights it covers, so a member of a group with Full access who is explicitly denied Delete still cannot delete.
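The evaluation rules above (share level checked first, then file level, the more restrictive of the two applied, the most permissive Allow across a user's groups, and Deny overriding Allow) can be modelled directly. The following is an added example, not code from the original page or from Windows itself: it models the table's activities as individual rights, builds the Read, Change and Full levels from them, and computes a user's effective access on a share from a constructed share ACL and a constructed NTFS ACL. The `Right` flags, the `effective_rights`/`effective_access` functions, the group names, the user names `alice`, `bob` and the computer account `HV01$` are all assumptions made for the illustration.

```python
from enum import Flag, auto


class Right(Flag):
    """One bit per activity in the share permission table."""
    LIST = auto()            # view the names of files and subdirectories
    TRAVERSE = auto()        # change to subdirectories of the shared directory
    READ = auto()            # view data in files
    EXECUTE = auto()         # run applications
    ADD = auto()             # add files and subdirectories
    WRITE = auto()           # change data in files
    DELETE = auto()          # delete files and subdirectories
    CHANGE_PERMS = auto()    # change permissions on files or subdirectories
    TAKE_OWNERSHIP = auto()  # take ownership of files or subdirectories


# The three share permission levels as they appear in the table.
READ_LEVEL = Right.LIST | Right.TRAVERSE | Right.READ | Right.EXECUTE
CHANGE_LEVEL = READ_LEVEL | Right.ADD | Right.WRITE | Right.DELETE
FULL_LEVEL = CHANGE_LEVEL | Right.CHANGE_PERMS | Right.TAKE_OWNERSHIP
LEVELS = {"Read": READ_LEVEL, "Change": CHANGE_LEVEL, "Full": FULL_LEVEL}


def effective_rights(aces, principals):
    """Rights one ACL grants to a user who is (directly or via groups) any of `principals`.

    Allow entries accumulate (most permissive wins); any matching Deny entry
    removes the rights it names, whichever group it was attached to.
    """
    allowed = Right(0)
    denied = Right(0)
    for principal, kind, rights in aces:
        if principal not in principals:
            continue  # this entry does not apply to the user or their groups
        if kind == "Allow":
            allowed |= rights
        elif kind == "Deny":
            denied |= rights
        else:
            raise ValueError(f"unknown ACE type {kind!r}")
    return allowed & ~denied


def effective_access(share_aces, ntfs_aces, user, groups):
    """Share-level rights are checked first, then file-level; the result is their intersection."""
    principals = {user, *groups}
    share = effective_rights(share_aces, principals)
    if not share:
        return Right(0)  # refused at the share level; NTFS is never consulted
    ntfs = effective_rights(ntfs_aces, principals)
    return share & ntfs  # the more restrictive of the two applies


def describe(rights):
    """Names of the table activities a rights value permits, for display."""
    return [r.name for r in Right if r in rights]


# Constructed ACLs for the illustration (assumed, not taken from any real system).
# Each entry is (principal, "Allow" | "Deny", rights).
SHARE_ACL = [
    ("Everyone", "Allow", LEVELS["Read"]),
    ("Engineers", "Allow", LEVELS["Change"]),
    ("HV01$", "Allow", LEVELS["Full"]),  # computer account of an assumed Hyper-V host
]
NTFS_ACL = [
    ("Engineers", "Allow", FULL_LEVEL),
    ("alice", "Deny", Right.DELETE),     # explicit Deny beats the group's Allow
    ("HV01$", "Allow", FULL_LEVEL),
]

if __name__ == "__main__":
    cases = [
        ("alice", {"Everyone", "Domain Users", "Engineers"}),  # Read + Change via groups, Delete denied
        ("bob", {"Everyone", "Domain Users"}),                  # share Read, but no NTFS entry at all
        ("HV01$", {"Everyone", "Domain Computers"}),            # computer account with Full on both
    ]
    for user, groups in cases:
        print(f"{user:6} -> {describe(effective_access(SHARE_ACL, NTFS_ACL, user, groups))}")
```

Here `alice` ends up with Change minus Delete (the share level caps her at Change even though NTFS would allow Full, and the explicit Deny removes Delete), `bob` gets nothing because the share permits Read but no NTFS entry applies to him, and `HV01$` gets Full because both levels grant it. On a real server the two ACLs the model consumes are what `Get-SmbShareAccess` and `Get-Acl` return for the share and its folder.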