SMB permissions

SMB uses permission settings to authenticate a user or group and determine what access to allow. This authentication first covers access to the file server, and then applies to the files, directories, and resources on that server. Share permissions control what a user can do over an SMB connection. The SMB permission settings are only enforced when a user or group attempts to access a shared resource over the network. File permissions control what a user can do with the files, folders, and resources, whether accessed from the network or locally from the file server.

SMB authenticates shared file server access requests using either an Active Directory setup or a local user database or user directory. For more information on these authentication methods, see Microsoft SMB Protocol Authentication.

SMB permissions can be assigned to individual users (username) and groups of users (groupname). Users and groups are referenced using the domain name of the file server and the username or groupname (domainname\username or domainname\groupname). Each user or group can have different permissions. If there are conflicting entries for a user, SMB enforces the most restrictive one. File permissions are effective regardless of whether SMB is used to access the data.

The SMB permission settings are Read, Read/Write (Change), and Full. Users or groups with Read permission can view information only. Users with Read/Write permission can view and edit information, and they can write to the file share (save files, create directories). Full permission allows the user to read and write, as well as set file permissions to limit or include access for others.

After SMB authenticates a user or group for access to the share, SMB verifies which files, directories, and resources the user or group can access. If the permissions for the files, directories, and resources don't match the user or group permissions in SMB, the user or group is unable to access those files, directories, or resources. Make sure that the user and group permissions for the share and those for the files and directories grant the same access to the user.
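The following added example (not part of the original page or any product's code) models how the two permission layers described above combine and reports principals whose share and file permissions disagree. It assumes file permissions can be reduced to the same three levels as the share settings, and the domain, user, and group names are constructed.

```python
from enum import IntEnum

class Level(IntEnum):          # simplified model: the three SMB settings plus "no entry"
    NONE = 0
    READ = 1
    CHANGE = 2                 # Read/Write
    FULL = 3

def resolve(entries, user, groups):
    """Level granted by entries naming the user or one of their groups.
    Conflicting entries resolve to the most restrictive, as the page states."""
    names = {user.lower()} | {g.lower() for g in groups}
    matched = [lvl for name, lvl in entries if name.lower() in names]
    return min(matched) if matched else Level.NONE

def effective(share_entries, file_entries, user, groups, over_network=True):
    """Access the user actually gets to a file."""
    file_lvl = resolve(file_entries, user, groups)
    if not over_network:
        return file_lvl        # share permissions are only enforced over SMB
    return min(resolve(share_entries, user, groups), file_lvl)

def audit(share_entries, file_entries, principals):
    """List (user, share_level, file_level) wherever the two layers disagree."""
    findings = []
    for user, groups in principals.items():
        s = resolve(share_entries, user, groups)
        f = resolve(file_entries, user, groups)
        if s != f:
            findings.append((user, s.name, f.name))
    return findings

# Constructed sample data (hypothetical domain, users, and group).
SHARE = [(r"CORP\alice", Level.FULL), (r"CORP\staff", Level.READ),
         (r"CORP\bob", Level.CHANGE)]
FILES = [(r"CORP\alice", Level.CHANGE), (r"CORP\bob", Level.CHANGE),
         (r"CORP\carol", Level.READ)]
PRINCIPALS = {r"CORP\alice": [r"CORP\staff"], r"CORP\bob": [], r"CORP\carol": []}

if __name__ == "__main__":
    for user, share_lvl, file_lvl in audit(SHARE, FILES, PRINCIPALS):
        groups = PRINCIPALS[user]
        net = effective(SHARE, FILES, user, groups).name
        local = effective(SHARE, FILES, user, groups, over_network=False).name
        print(f"{user}: share={share_lvl} file={file_lvl} network={net} local={local}")
```

In the sample data, carol has no share entry and gets no access over the network, yet her file permission still lets her read the data locally on the file server.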

SMB provides an optional Access Based Enumeration feature to filter and display files and directories for a particular user or group based on the user or group permissions.