ExtremeZ-IP: Best Practices for Permissions on NTFS

The default rights we expect to see inheriting from the drive letter are:

  • Administrators, Full Control, Applies to this folder, subfolders, and files
  • SYSTEM, Full Control, Applies to this folder, subfolders, and files
  • CREATOR OWNER, Full Control, Applies to subfolders and files only

A note regarding CREATOR OWNER: since it applies to subfolders and files only, Full Control will display as "Special" on 2008 and above.

For typical workflows, Mac users will need all the granular NTFS permissions except Full control, Change permissions, and Take ownership.

Listed out, this is:

  • Traverse folder/execute file
  • List folder/read data
  • Read attributes
  • Read extended attributes
  • Create files/write data
  • Create folders/append data
  • Write attributes
  • Write extended attributes
  • Delete subfolders and files
  • Delete
  • Read permissions

If you need restricted permissions at the root of a share, the best advice we have been able to give is to apply an explicit ACE with limited permissions (such as read only) for a staff group to the parent folder, typically the directory that is being shared, and change its "Apply to" setting to "This folder only" so that clients can still mount the share. That way the staff group ACE does not inherit down to the child folders, but the SYSTEM ACE does.

Then, on the child folders, apply an explicit ACE granting permissions to each particular group. Don't forget that the .TemporaryItems folder at the root of every share needs an explicit ACE granting pretty much full control to Everyone. This supports the safe save operation documented in the Apple KB article at

http://support.apple.com/kb/TS3752 

In the screenshot below, the child folder "test" did not inherit the read-only ACE from the parent folder "Share" shown in the screenshot above. We then applied an explicit ACE on "test" granting Full Control to the group "Users".
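The layout described above, as an added PowerShell example that is not part of the original post: the share path `D:\Shares\Share`, the groups `CONTOSO\Staff` and `CONTOSO\Design`, the child folder name `test` and the helper function names are assumptions, and the .TemporaryItems ACE grants the Mac working rights (everything short of Full Control) to Everyone.

```powershell
# Added example (not from the original post). Share path, group names and the
# child folder name are assumptions; run elevated on the ExtremeZ-IP server.
$shareRoot  = 'D:\Shares\Share'    # assumed directory that is being shared
$staffGroup = 'CONTOSO\Staff'      # assumed group that only needs to mount the share
$deptGroup  = 'CONTOSO\Design'     # assumed group that works inside the child folder
$childDir   = Join-Path $shareRoot 'test'
$tmpDir     = Join-Path $shareRoot '.TemporaryItems'

# The granular rights the post lists for Mac users: everything except
# Full control, Change permissions and Take ownership.
$macRights = [System.Security.AccessControl.FileSystemRights](
    'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ' +
    'CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes, ' +
    'DeleteSubdirectoriesAndFiles, Delete, ReadPermissions')

# Helper (hypothetical name): build an Allow ACE with the given inheritance settings.
function New-AllowAce {
    param($Identity, $Rights, $Inheritance, $Propagation)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inheritance, $Propagation, 'Allow'
}

# Helper (hypothetical name): append one explicit ACE to a folder's DACL.
function Add-Ace {
    param($Path, $Ace)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($Ace)
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Share root: read-only ACE for staff applied to "This folder only"
#    (InheritanceFlags None), so clients can mount the share but the ACE does
#    not inherit down. The SYSTEM ACE inherited from the drive letter still does.
Add-Ace $shareRoot (New-AllowAce $staffGroup 'ReadAndExecute' 'None' 'None')

# 2. Child folder: explicit ACE with the Mac working rights for the department
#    group, applying to this folder, subfolders and files.
Add-Ace $childDir (New-AllowAce $deptGroup $macRights 'ContainerInherit, ObjectInherit' 'None')

# 3. .TemporaryItems at the share root: Everyone gets the working rights
#    (everything short of Full Control) so the Mac safe save can write there.
if (-not (Test-Path $tmpDir)) { New-Item -ItemType Directory -Path $tmpDir | Out-Null }
Add-Ace $tmpDir (New-AllowAce 'Everyone' $macRights 'ContainerInherit, ObjectInherit' 'None')

# 4. Verify: show only the explicit (non-inherited) ACEs and what they apply to.
foreach ($p in $shareRoot, $childDir, $tmpDir) {
    "== $p"
    (Get-Acl -Path $p).Access | Where-Object { -not $_.IsInherited } |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
}
```

The verification step is the quick check that the staff ACE shows InheritanceFlags None on the root while the child and .TemporaryItems ACEs show ContainerInherit, ObjectInherit.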

For more information see also ExtremeZ-IP: Troubleshooting Windows Server Access from Mac Clients.