How to Set Up Shared Folders with NTFS Permissions in Windows Server 2025

Set up Shared folders with NTFS are essential in business environments where multiple users need to access, collaborate, and manage files securely. With Windows Server 2025, administrators — specifically only users with administrator privileges or members of the built in administrators group — can set up shared folders and control access using NTFS permissions.

The NTFS file system provides advanced access controls and underlying permissions so the file system enforces folder permissions and file-level permissions consistently whether content is accessed locally or via a file share. The operating system (Windows Server 2025) and the file server role together enable administrators to combine share permissions and NTFS permissions to provide the most restrictive permission effective on any given file or folder.

In this guide, we’ll walk you step by step through how to set up shared folders with NTFS permissions in Windows Server 2025 using Server Manager, explain share permissions versus NTFS permissions, and show best practice controls for restricting access and appropriate access assignment.

Getting Started: Accessing Server Manager

Logging into Windows Server 2025

Begin by logging into your server using your Windows logon credentials and a valid user account. If you’re preparing a new build, verify hardware compatibility in the Windows Server hardware requirements guide. After you sign in, open Server Manager to manage roles, the file server role, and storage. If users need to gain access from a remote system or from a client, ensure their account and group memberships are correct.

Finding Server Manager

If Server Manager isn’t already open:

• Click the Start menu
• Search for “Server Manager”
• Double-click to launch it

Navigating to File and Storage Services

In Server Manager, use the left-hand navigation pane. Select File and Storage Services, then click Shares. The Shares tab lists existing file shares and shared folders and lets you create a new file share or modify properties for a shared folder.

Creating a New Share

Using the New Share Wizard

Click Tasks > New Share to launch the New Share Wizard. The wizard guides you through share creation and provides options for advanced sharing and granular control over share permissions and NTFS permissions.

Choosing the SMB Share Quick Option

By default, Windows selects SMB Share – Quick, the fastest way to provision a basic file share. For greater control, choose SMB Share – Advanced, which exposes extra settings for share permissions, offline caching, and access-based enumeration.

Alternative Share Types

Other options include:

• SMB Share – Advanced: good when you need specific share permissions and more options
• SMB Share – Applications: optimized for Hyper-V or SQL
• NFS Share: for UNIX/Linux clients

Selecting a Custom Path for the Shared Folder

Creating a New Folder (Demo-Data Example)

You can share an entire volume or create a custom folder. In this tutorial we create a data folder called demo-data on the C: drive. Plan your folder structure ahead of time: a clear folder structure makes folder permissions and NTFS permissions easier to manage.

Configuring Share Settings

Access-Based Enumeration

Enable access-based enumeration so users only see files and folders they have permission to view. It’s a best practice that improves usability and protects data.

Offline Caching, BranchCache and SMB Encryption

Allow caching for offline files if required. For distributed offices, BranchCache or Azure File Sync integration can improve performance. Newer trends also favor enabling SMB encryption and SMB signing to protect data in transit across the network, especially when network connections traverse untrusted segments.

Encryption Options and Data Protection

Enable BitLocker encryption on the share or rely on NTFS-level protection for sensitive data. Consider Microsoft Defender and DLP integrations for file classification and protection when files are stored or replicated to cloud services. Aslo check our article on Top security features in Windows

Setting NTFS Permissions

Understanding Share Permissions vs NTFS Permissions

Share permissions apply to access through a file share over the network. NTFS permissions apply at the file system level — the NTFS file system enforces read, write and modify rights when files and folders are accessed locally or remotely. When both types apply, the most restrictive permission wins. For example, if share permissions allow Full Control but underlying NTFS permissions restrict delete files, the user cannot delete files.

Default Permissions and Everyone Group

By default, a new file share may include the Everyone group with Full Control on the share. For secure deployments remove the Everyone group and set only permissions for specific groups or individual users. Use authenticated users carefully and prefer role-based security groups.

Disable Inheritance and Clean Up

If required, disable inheritance on the security tab and convert inherited permissions into explicit entries. Remove unnecessary groups such as Authenticated Users and replace them with security groups (for example, Marketing). Group-based assignments reduce administrative overhead and make audits easier.

Adding Security Groups and Built-in Groups

Create new group objects or use existing groups. Assign folder permissions to groups rather than individual users. Include the built in administrators group for emergency access, and use service accounts or Managed Service Accounts for application access.

Customizing Folder and File Permissions

Use granular control: give List Folder Contents to support file navigation, Read Access for general viewers, and Modify or Full Control only where needed. If you must restrict access or restrict access to delete files, explicitly deny Delete or remove Delete Subfolders and Files. Click Properties > Security tab and click Edit to set NTFS permissions, or use Advanced to set specific allow/deny entries and audit settings.

Setting Share Permissions

Set share permissions from the Sharing tab or via Advanced sharing. Click Permissions on the sharing tab, then click Edit to set share permissions. Remember that the effective rights when accessing the file share are the intersection of share permissions and NTFS permissions; test with a member of the target group to verify final access.

Finalizing the Share Setup

Review the share name, path, and both share permissions and NTFS permissions before creating the share. Click Create in the wizard and confirm the new file share appears under Shares in Server Manager. Map the file share on a client with a drive letter if desired.

Testing the Shared Folder on a Client Machine

If you map or access shares through Remote Desktop, see our walkthrough on how to activate Remote Desktop Services (RDS) on Windows Server 2025.

Accessing via UNC Path

On a client machine (e.g., Windows 11), press Windows + R and enter the UNC path or paste the UNC path into Windows Explorer:

\ServerName\ShareName

Verify that list folder contents and read access behave as expected for users.

Verifying Permissions as a Group Member

Ensure the user is a member of the correct group and can gain access. If a user cannot create files, check whether Create Files / Write Data and Create Folders / Append Data are allowed in NTFS permissions.

Troubleshooting Permission Issues

If users can’t create, modify, or delete files:

• Check both share permissions and NTFS permissions
• Verify membership in the correct groups
• Check the properties window and click Permissions and click Edit to inspect entries
• Review the server security event log for failed access events (configure the firewall on Windows Server 2025)
• Confirm whether files are accessed locally or via the network — different rules may apply

Best Practices for Shared Folders with NTFS in Windows Server 2025

Naming Conventions and Folder Organization

• Use hyphens instead of spaces (e.g., HR-Docs, Finance-Reports)
• Keep folder names descriptive for easier management and reporting

Security and Least-Privilege Control

• Assign permissions to groups (not individual users)
• Apply least privilege with the most restrictive permission approach
• Regularly audit and remove stale accounts

Management and Monitoring

• Schedule permission audits quarterly
• Use centralized group management for data folder governance
• Consider Azure File Sync for hybrid replication and modern data management

Other Practical Tips

• Avoid sharing entire drives; prefer folder level shares
• Use access-based enumeration to hide files users shouldn’t see
• Document folder structure, share permissions, and NTFS permissions for operations and compliance

Trends and Modern Considerations

When planning an upgrade or migration, review licensing options — see how to choose the best licensing option for your business.

• Zero Trust and least-privilege frameworks are increasingly applied to file servers
• Integration with Entra ID and Azure File Sync enables hybrid file services and centralized identity
• SMB encryption and DLP integrations are recommended for sensitive data
• Automation and IaC tools (PowerShell, Desired State Configuration) help enforce consistent permissions across file shares

Setting up shared folders with NTFS permissions on Windows Server 2025 is straightforward with the New Share Wizard and Server Manager. By combining appropriate share permissions with NTFS permissions, applying group-based access, and testing access from client computers, you can secure your file share environment while enabling collaboration.

Want to learn more about Windows Server best practices? Check out the official Microsoft documentation. Server product catalog

FAQs About NTFS Permissions and Shared Folders

Q1: What’s the difference between share permissions and NTFS permissions?
Share permissions control network access to a file share; NTFS permissions control access at the file system level for files and folders. NTFS permissions are more granular. To set NTFS permissions, right click the folder in Windows Explorer, click Properties, then open the Security tab and click Edit to configure permissions or Advanced for fine-grained control.

Q2: Can I share an entire drive instead of a folder?
Technically yes, but it’s a poor practice for security. Share specific folders instead to limit exposure.

Q3: What is access-based enumeration?
Access-based enumeration hides files and folders users don’t have permission to view, improving usability and reducing accidental exposure.

Q4: Should I assign permissions to users or groups?
Assign to groups. This simplifies management and reduces errors. Create a new group per function (example: Finance-Editors) and give that group appropriate access.

Q5: Why can’t my user create files even though they’re in the correct group?
Check whether Create Files / Write Data and Create Folders / Append Data are present in the NTFS permissions and also verify the share permissions on the file share.

Q6: Do I need BranchCache or Azure File Sync enabled for offline files?
No, but enabling BranchCache for distributed offices or using Azure File Sync for hybrid scenarios improves performance and sync capability for remote users.