How to Configure SMB File Shares and NTFS Permissions on Windows Server 2012 R2

File sharing on Windows Server 2012 R2 relies on two complementary permission systems: SMB share permissions and NTFS permissions. SMB (Server Message Block) permissions control access at the network share level, while NTFS permissions provide granular access control at the file system level. When a user accesses a shared folder over the network, the effective permissions are the most restrictive combination of SMB share permissions and NTFS permissions. Understanding how these two systems interact is essential for building a secure and well-organized file server. Windows Server 2012 R2 with SMB 3.0 also includes performance improvements, transparent failover, and encryption capabilities.

Prerequisites

You need Windows Server 2012 R2 with the File Server role service installed (part of the File and Storage Services role). Active Directory Domain Services is recommended for managing user and group accounts. Administrative rights on the server are required. Network connectivity must allow TCP port 445 (SMB) from client machines. All users and groups that need access should be created in Active Directory before applying permissions.

Step 1: Install the File Server Role

Ensure the File Server role service is installed:

Install-WindowsFeature FS-FileServer -IncludeManagementTools

Verify installation:

Get-WindowsFeature FS-FileServer | Select-Object Name, InstallState

Step 2: Create a Folder Structure

Plan and create a folder structure on an NTFS-formatted volume. Best practice is to share a parent folder and use subfolders with separate NTFS permissions rather than creating many individual shares:

$departments = @("HR", "Finance", "IT", "Marketing", "Operations")
$basePath = "D:\Shares"

# Parent folder that will be shared; -Force suppresses the error if it already exists
New-Item -Path $basePath -ItemType Directory -Force

# One folder per department, each with a General and a Confidential subfolder
# (the subfolders get their own NTFS permissions in Step 4)
foreach ($dept in $departments) {
    New-Item -Path "$basePath\$dept" -ItemType Directory
    New-Item -Path "$basePath\$dept\General" -ItemType Directory
    New-Item -Path "$basePath\$dept\Confidential" -ItemType Directory
}

Step 3: Create SMB Shares Using PowerShell

Create SMB shares for each department. Keep the share-level permissions simple and apply the principle of least privilege through the NTFS layer: in most cases you grant Everyone (or Domain Users) Full Control at the SMB share level and enforce granular restrictions through NTFS permissions. The example below scopes share access to specific groups instead, which is the stricter variant; either way, remember that a user's effective access over the network is capped by whichever layer is more restrictive:

# Share the HR folder; share-level rights are Full, Change or Read
# Note: HR-Managers get only Read here, so over the network they are limited to
# Read even where NTFS grants them Modify (Step 4) - the more restrictive layer wins
New-SmbShare -Name "HR" `
    -Path "D:\Shares\HR" `
    -Description "Human Resources shared folder" `
    -FullAccess "Domain Admins" `
    -ChangeAccess "HR-Staff" `
    -ReadAccess "HR-Managers" `
    -FolderEnumerationMode AccessBased

The AccessBased folder enumeration mode (Access-Based Enumeration, ABE) is a key security feature: users only see files and subfolders they have permission to access, which stops unauthorized users from discovering the existence of confidential folders by browsing the share. ABE only filters directory listings; it does not grant or deny access by itself, so a user who knows a path is still stopped only by the NTFS and share permissions on it.

Create additional shares:

New-SmbShare -Name "Finance" -Path "D:\Shares\Finance" -FullAccess "Domain Admins" -ChangeAccess "Finance-Staff" -FolderEnumerationMode AccessBased

New-SmbShare -Name "IT" -Path "D:\Shares\IT" -FullAccess "Domain Admins","IT-Staff" -FolderEnumerationMode AccessBased

Step 4: Configure NTFS Permissions

NTFS permissions control actual file system access. Start by removing inherited permissions and setting explicit permissions on each shared folder. Best practice: disable inheritance at the share root and set clean permissions. Because SetAccessRuleProtection($true, $false) discards every inherited entry, explicitly re-add SYSTEM and the administrators group before calling Set-Acl, otherwise the folder can become unmanageable.

# Remove inheritance and set clean permissions on HR folder
$hrPath = "D:\Shares\HR"
$acl = Get-Acl -Path $hrPath

# Disable inheritance and remove inherited ACEs
$acl.SetAccessRuleProtection($true, $false)

# Add permissions for groups
$adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "Domain Admins", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
)
$hrStaffRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "HR-Staff", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow"
)
$systemRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "SYSTEM", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
)

$acl.AddAccessRule($adminRule)
$acl.AddAccessRule($hrStaffRule)
$acl.AddAccessRule($systemRule)

Set-Acl -Path $hrPath -AclObject $acl

Set more restrictive permissions on the Confidential subfolder:

$confPath = "D:\Shares\HR\Confidential"
$confAcl = Get-Acl -Path $confPath
$confAcl.SetAccessRuleProtection($true, $false)

$hrManagerRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "HR-Managers", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow"
)
$adminRule2 = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "Domain Admins", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
)
$systemRule2 = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "SYSTEM", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
)

$confAcl.AddAccessRule($hrManagerRule)
$confAcl.AddAccessRule($adminRule2)
$confAcl.AddAccessRule($systemRule2)

Set-Acl -Path $confPath -AclObject $confAcl

Step 5: Configure SMB Share Security Settings

Configure advanced SMB share settings for security and performance:

# Enable SMB encryption for sensitive shares (SMB 3.0 feature)
Set-SmbShare -Name "HR" -EncryptData $true

# Disable offline caching so no copies of HR files are kept on client machines
Set-SmbShare -Name "HR" -CachingMode None

# Set concurrent user limit
Set-SmbShare -Name "HR" -ConcurrentUserLimit 0  # 0 = unlimited

Step 6: Verify Effective Permissions

Use PowerShell to verify the permissions are configured correctly:

Get-SmbShare -Name "HR" | Select-Object Name, Path, Description, EncryptData, FolderEnumerationMode

Get-SmbShareAccess -Name "HR" | Select-Object AccountName, AccessControlType, AccessRight

(Get-Acl "D:\Shares\HR").Access | Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited

To list which NTFS entries on the folder apply to a specific user, either directly or through group membership:

# WindowsIdentity expects a UPN (user@domain), not DOMAIN\user; jsmith@contoso.com is the UPN for CONTOSO\jsmith
$identity = [System.Security.Principal.WindowsIdentity]::new("jsmith@contoso.com")
$sids = @($identity.User) + @($identity.Groups)   # the user's SID plus every group SID in the token
# Show only the ACEs whose principal is the user or one of the user's groups
(Get-Acl "D:\Shares\HR").Access | Where-Object { $sids -contains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } | Select-Object IdentityReference, FileSystemRights, AccessControlType

Step 7: Configure File Server Resource Manager (Optional)

For advanced quota and file screening management, install FSRM:

Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools

# Create a quota on the HR share (10 GB soft limit: usage is reported, not blocked)
New-FsrmQuota -Path "D:\Shares\HR" `
    -Size 10GB `
    -SoftLimit

Step 8: Test Access from Client Machines

From a client machine, verify access to the share:

Test-Path "\\FileServer01\HR"

Get-ChildItem "\\FileServer01\HR" -ErrorAction SilentlyContinue

# Map as a persistent drive (the name must be a single drive letter when -Persist is used)
New-PSDrive -Name H -PSProvider FileSystem -Root "\\FileServer01\HR" -Persist
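The "most restrictive layer wins" rule from the introduction, turned into a check that ties Steps 3, 4 and 6 together: an added example, not code from the original article or a Microsoft cmdlet, that ranks the SMB share entries and the NTFS entries matching a user's token and reports the lower of the two as the effective network access. It assumes a domain-joined file server, that it runs where both the share and its folder live, and the constructed UPN jsmith@contoso.com.

```powershell
function Get-EffectiveShareAccess {
    param(
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string]$UserPrincipalName   # assumed form: jsmith@contoso.com
    )
    # The user's token: own SID plus every group SID (Everyone, Domain Users, nested groups)
    $identity = [System.Security.Principal.WindowsIdentity]::new($UserPrincipalName)
    $sids = @($identity.User) + @($identity.Groups)
    $appliesToUser = {
        param($ref)   # IdentityReference (NTAccount or SID) taken from an ACE
        try { $sids -contains $ref.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { $false }   # an unresolvable (orphaned) account never matches
    }

    # SMB share layer: Full > Change > Read; a matching Deny overrides any Allow
    $shareLevel = 0
    foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
        if (-not (& $appliesToUser ([System.Security.Principal.NTAccount]$ace.AccountName))) { continue }
        if ($ace.AccessControlType -eq 'Deny') { $shareLevel = 0; break }
        $level = switch ("$($ace.AccessRight)") { 'Full' { 3 } 'Change' { 2 } 'Read' { 1 } default { 0 } }
        if ($level -gt $shareLevel) { $shareLevel = $level }
    }

    # NTFS layer: union the Allow bits, strip the Deny bits, then rank what remains
    $allow = 0; $deny = 0
    foreach ($ace in (Get-Acl -Path (Get-SmbShare -Name $ShareName).Path).Access) {
        if (-not (& $appliesToUser $ace.IdentityReference)) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
        else { $deny = $deny -bor [int]$ace.FileSystemRights }
    }
    $rights = $allow -band (-bnot $deny)
    $ntfsLevel = 0
    foreach ($rank in @(@(3, 'FullControl'), @(2, 'Modify'), @(1, 'ReadAndExecute'))) {
        $flag = [int][System.Security.AccessControl.FileSystemRights]$rank[1]
        if (($rights -band $flag) -eq $flag) { $ntfsLevel = $rank[0]; break }
    }

    # Effective network access is the lower of the two layers
    $names = @('None', 'Read', 'Change/Modify', 'Full')
    [pscustomobject]@{
        Share           = $ShareName
        User            = $UserPrincipalName
        ShareAccess     = $names[$shareLevel]
        NtfsAccess      = $names[$ntfsLevel]
        EffectiveAccess = $names[[Math]::Min($shareLevel, $ntfsLevel)]
    }
}
Get-EffectiveShareAccess -ShareName 'HR' -UserPrincipalName 'jsmith@contoso.com'
```

Run it once per share and group member after Step 4 to confirm that the share-level Read given to HR-Managers, or a Deny entry, does not silently cap access you intended to grant through NTFS.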

Summary

Properly configuring SMB file shares and NTFS permissions on Windows Server 2012 R2 requires understanding how both permission layers interact. By setting SMB permissions to broadly allow authenticated users while using NTFS permissions to enforce granular access control, administrators achieve both ease of management and strong security. Using Access-Based Enumeration, SMB 3.0 encryption, and FSRM quotas adds additional layers of security and control appropriate for an enterprise file server environment.