Access to shares is restricted through a combination of share-level and file-level permissions. These permissions determine the extent to which users can view and modify the contents of the shared directory. When users request access to a share, their share-level permissions are checked first; if authorized to access the share, their file-level permissions are checked.
When the share-level permissions differ from the file-level permissions, the more restrictive permissions apply, as described in the following table, where [a] = “allowed” and [d] = “denied”:

Activity | Read | Change | Full
---|---|---|---
View the names of files and subdirectories | a | a | a
Change to subdirectories of the shared directory | a | a | a
View data in files | a | a | a
Run applications | a | a | a
Add files and subdirectories | d | a | a
Change data in files | d | a | a
Delete files and subdirectories | d | a | a
Change permissions on files or subdirectories | d | d | a
Take ownership of files or subdirectories | d | d | a

Note: One of the features of SMB is the ability to assign rights to machine (computer) accounts. A machine account is generated automatically by the operating system and registered in Active Directory. It can be used for authentication within a domain. Machine account authentication can only be done by an application that has built-in support for it. For example, Hyper-V server allows storing virtual machines on remote shares. Such shares should allow full access for the machine account of the computer running Hyper-V server.
When configuring access to a share, it is only possible to add users or groups that are:
- Known to domain controllers, and
- Seen by the server on the network.
Note: When a user is given access to a share and is also a member of a group with a different access level on that share, the more permissive level applies. For example, if a user is given Read access to a share, and that user also belongs to a group that has Change access to that same share, the user will have Change access to the share, because Change access is more permissive than Read access.
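The two rules above (user and group grants on the share combine to the most permissive level; share-level and file-level permissions combine to the most restrictive level, with the share check performed first) can be modelled in a few lines. The following is an added illustration, not code from the original documentation or from any product; the share ACL, the principal names (including the constructed machine account `HYPERV01$`) and the activity table are sample data built here to exercise the rules.

```python
from enum import IntEnum


class Level(IntEnum):
    """Share/file access levels ordered from most restrictive to most permissive."""
    NONE = 0    # no grant at all
    READ = 1
    CHANGE = 2
    FULL = 3


# Minimum level each activity needs, transcribed from the permissions table above.
ACTIVITY_MIN_LEVEL = {
    "view names of files and subdirectories": Level.READ,
    "change to subdirectories": Level.READ,
    "view data in files": Level.READ,
    "run applications": Level.READ,
    "add files and subdirectories": Level.CHANGE,
    "change data in files": Level.CHANGE,
    "delete files and subdirectories": Level.CHANGE,
    "change permissions": Level.FULL,
    "take ownership": Level.FULL,
}

# Constructed share ACL: principal name -> share-level grant.
# "HYPERV01$" stands in for a machine account (hypothetical name).
SHARE_ACL = {
    "alice": Level.READ,
    "Engineering": Level.CHANGE,
    "HYPERV01$": Level.FULL,
}


def share_level(principals, share_acl):
    """Share-level access for a user.

    `principals` lists the user's own name plus every group the user belongs to.
    Among the matching ACL entries the MOST PERMISSIVE grant wins; a user with no
    matching entry gets NONE.
    """
    return max((share_acl.get(p, Level.NONE) for p in principals), default=Level.NONE)


def effective_level(share, file_level):
    """When share-level and file-level permissions differ, the MORE RESTRICTIVE applies."""
    return min(share, file_level)


def allowed(principals, share_acl, file_level, activity):
    """Decide an activity the way the text describes: share check first, then file check."""
    share = share_level(principals, share_acl)
    if share == Level.NONE:
        # Not authorized on the share at all; file-level permissions are never consulted.
        return False
    return effective_level(share, file_level) >= ACTIVITY_MIN_LEVEL[activity]


if __name__ == "__main__":
    alice = ["alice", "Engineering"]          # user grant READ, group grant CHANGE
    print("alice share level:", share_level(alice, SHARE_ACL).name)   # CHANGE
    for file_level in (Level.READ, Level.FULL):
        for activity in ("view data in files", "change data in files", "take ownership"):
            print(f"file={file_level.name:6} {activity:22} ->",
                  allowed(alice, SHARE_ACL, file_level, activity))
    # bob has no share grant, so even FULL file-level permissions do not help.
    print("bob view:", allowed(["bob"], SHARE_ACL, Level.FULL, "view data in files"))
```

The ordering of `Level` is what makes `max` and `min` express the two rules; if a product also supports an explicit Deny entry, that would need a separate check before the `max`, since a deny is not just the lowest grant.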