Windows Server 2012 R2 Share and NTFS file permissions (Objective 2.1)

A basic overview of Share and NTFS file permissions in Server 2012 R2.
Share permissions are added when a folder is shared, and they apply to files and folders accessed over the network. Share permissions provide three levels of access: Read, Change and Full Control.
Read permissions are the most basic and allow read only access as the name suggests.
Change permissions act in the same way as the NTFS Modify permissions and allow a user to both read and write files to the share.
Full Control permissions give the user both read and write permissions to the files/folders within the share as well as the ability to change other people’s Share permissions.
An important thing to remember is that Share permissions do not apply when someone accesses the files on the local system or is connected via Remote Desktop.
 
NTFS Permissions act as the local set of file permissions and are enforced whether the file is accessed locally or over the network. The three main levels of permissions are Read, Modify and Full Control.
Read permissions are the most basic and allow read only access as the name suggests.
Modify permissions act in the same way as the Share Change permissions and allow a user to both read and write files to the share.
Full Control permissions give the user both read and write permissions to the files/folders within the share as well as the ability to change other people’s NTFS permissions.
 
When a user accesses a file or folder over the network, both Share and NTFS permissions are applied and their combined effect is known as Effective Permissions. When Share and NTFS permissions conflict with each other, the most restrictive permission wins.
Full Control (Share Permission) + Modify (NTFS Permissions) = Modify (Effective Permissions) as Modify is more restrictive than Full Control.
A common practice on network shares is to grant the Everyone security principal Full Control Share permissions and then assign more restrictive NTFS permissions to different Active Directory security groups to manage access to network resources.
Everyone Full Control (Share permissions) + Domain Admins Full Control (NTFS permissions) = Domain Admins Full Control, as there is no conflict of permissions.
Everyone Full Control (Share permissions) + Domain Users Modify (NTFS permissions) = Domain Users Modify, as Modify is the most restrictive.
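
An added example (not from the original article): a PowerShell audit that lists, for each non-special SMB share, the NTFS Allow entries on the shared folder and the effective network level when the share grants a level to Everyone. It assumes the English account name Everyone and does not resolve Deny entries or group membership; the helper names Get-ShareRank and Get-NtfsRank are made up for this example.

```powershell
# Added example. Run elevated on the file server (SmbShare module, Server 2012+).
# Assumptions: account name 'Everyone'; Allow entries only; no group resolution.

function Get-ShareRank([string]$Right) {
    # Share levels as reported by Get-SmbShareAccess: Read, Change, Full
    switch ($Right) { 'Read' { 1 } 'Change' { 2 } 'Full' { 3 } default { 0 } }
}

function Get-NtfsRank([System.Security.AccessControl.FileSystemRights]$Rights) {
    $fsr = [System.Security.AccessControl.FileSystemRights]
    if ($Rights.HasFlag($fsr::FullControl)) { return 3 }
    if ($Rights.HasFlag($fsr::Modify))      { return 2 }
    if ($Rights.HasFlag($fsr::Read))        { return 1 }
    return 0   # special or generic rights this example does not classify
}

# Share "Change" and NTFS "Modify" sit at the same rank (2)
$label = @{ 0 = 'Special (not classified)'; 1 = 'Read'; 2 = 'Modify'; 3 = 'Full Control' }

Get-SmbShare -Special $false | Where-Object { $_.Path } | ForEach-Object {
    $share = $_

    # Share-level cap: the highest Allow level granted to Everyone on this share
    $cap = (Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccountName -eq 'Everyone' } |
        ForEach-Object { Get-ShareRank $_.AccessRight } |
        Measure-Object -Maximum).Maximum

    # NTFS Allow entries on the shared folder itself
    (Get-Acl -LiteralPath $share.Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            $ntfs = Get-NtfsRank $_.FileSystemRights
            if ($null -eq $cap) {
                $eff = 'n/a (no Everyone share entry)'
            } else {
                # Most restrictive of the two levels wins over the network
                $eff = $label[[int][Math]::Min($cap, $ntfs)]
            }
            [pscustomobject]@{
                Share     = $share.Name
                Identity  = $_.IdentityReference
                NTFS      = $label[$ntfs]
                Effective = $eff
            }
        }
} | Format-Table -AutoSize
```

On a share that follows the Everyone Full Control pattern, the Effective column equals the NTFS column, which shows that the NTFS ACL is the only control limiting network access there.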