Why can’t I use the file sharing wizard if I exclude inheritable permissions from a folder’s parent?


In Windows Vista and Windows Server 2008, if you go to the advanced security settings for a directory and uncheck "include inheritable permissions from this object's parent", then go back to the Sharing tab, you'll find that the "Share" button is disabled. Why is this? We don't see this behavior on Windows 7 or Windows Server 2008 R2.

(Yes, a customer actually noticed and asked the question.)

The sharing wizard in Windows Vista and Windows Server 2008 does not support folders with the SE_DACL_PROTECTED security descriptor control bit because it isn't sure that it can restore the ACL afterward.

And as the customer noted, this restriction was lifted in Windows 7 and Windows Server 2008 R2.
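
As an added illustration (not code from the original post or from Windows), the following Python shows where the SE_DACL_PROTECTED bit lives in a self-relative security descriptor and how the same state appears as the `P` flag after `D:` in an SDDL string. The function names and the sample descriptors are constructed for this example.

```python
import re
import struct

# SECURITY_DESCRIPTOR_CONTROL bits (values from winnt.h).
SE_DACL_PRESENT = 0x0004
SE_DACL_AUTO_INHERIT_REQ = 0x0100
SE_DACL_AUTO_INHERITED = 0x0400
SE_DACL_PROTECTED = 0x1000
SE_SELF_RELATIVE = 0x8000
# SDDL flag tokens that may follow "D:" and the control bit each one sets.
SDDL_DACL_FLAGS = {"P": SE_DACL_PROTECTED, "AR": SE_DACL_AUTO_INHERIT_REQ,
                   "AI": SE_DACL_AUTO_INHERITED}


def control_from_binary(sd: bytes) -> int:
    """Return the Control word (bytes 2-3, little-endian) of a self-relative descriptor."""
    if len(sd) < 20:
        raise ValueError("truncated: the fixed header is 20 bytes")
    revision, _sbz1, control = struct.unpack_from("<BBH", sd)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    return control


def control_from_sddl(sddl: str) -> int:
    """Return the DACL-related control bits expressed by an SDDL string."""
    match = re.search(r"D:((?:P|AR|AI)*)", sddl)
    if match is None:
        return 0  # no DACL component in the string
    control = SE_DACL_PRESENT
    for token in re.findall(r"P|AR|AI", match.group(1)):
        control |= SDDL_DACL_FLAGS[token]
    return control


def is_dacl_protected(control: int) -> bool:
    """True when a DACL is present and marked as not inheriting from the parent."""
    return bool(control & SE_DACL_PRESENT and control & SE_DACL_PROTECTED)


# Constructed samples: SDDL for a folder with inheritance disabled, then enabled.
PROTECTED_SDDL = "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"
INHERITING_SDDL = "O:BAG:SYD:AI(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)"
# Constructed binary descriptor: 20-byte header, then an empty 8-byte DACL at offset 20.
_CONTROL = SE_SELF_RELATIVE | SE_DACL_PRESENT | SE_DACL_PROTECTED
PROTECTED_BINARY = struct.pack("<BBHIIIIBBHHH", 1, 0, _CONTROL, 0, 0, 0, 20, 2, 0, 8, 0, 0)

if __name__ == "__main__":
    for sddl in (PROTECTED_SDDL, INHERITING_SDDL):
        print(is_dacl_protected(control_from_sddl(sddl)), sddl)
```

On a real system, the SDDL string for a folder can be read in PowerShell with `(Get-Acl <path>).Sddl`.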

Comments (34)
  1. Insert standard comments about Vista breaking things and 7 having to come in to fix Vista's mess.

    On the serious note, I'm shocked that a customer found that one, usually users pay no attention to anything on screen.

  2. Joshua says:

    Insert standard comments about Vista breaking things and 7 having to come in to fix Vista's mess.

    Fair enough. If we had to exert nontrivial effort to support Vista we'd drop it. As it stands, supporting both XP and 7 results in Vista working for us.

  3. xp.client says:

    Isn't the Sharing Wizard (or Share button) supposed to be about network sharing? But when you share it, the file system permissions also get modified! "Advanced sharing" is the only non-broken way of sharing on the network with the right permissions we want without touching NTFS permissions. (Even Homegroup is broken by design – it shares the entire C:\Users folder! with "Everyone" read+write permissions on the network even if I tell it to just share "Music" or "Videos"). Why does the Share button touch NTFS permissions at all when we can set them from Security tab? I don't understand how the "Share" wizard is supposed to work and detailed documentation is non-existent.

  4. Gabe says:

    The reason that the Sharing Wizard needs to touch filesystem permissions is that it would be worthless otherwise. If I want to share my home directory with my brother, merely making a share he can access won't do anything because he can't access the files themselves. The only way to share files with my brother is to create a share to access the files, give him permissions on the share, and then give him permissions on the files.

    Otherwise you go through the process that 99.99% of people who create file shares go through: 1. create share; 2. go to use share, get "Access Denied"; 3. fix file permissions.

  5. xp.client says:

    Every file created by default has a set of default permissions and inherited permissions. There is no need to fool around with inherited permissions or set them explicitly. That's how advanced sharing works.

  6. Well, there are two schools of thought.  One is to set share permissions to be wide open and then control access based on NTFS permissions; the other is to set NTFS permissions to be wide open and then control access based on share permissions.

    I believe the Microsoft recommendation is the former but both are defensible.

  7. alegr1 says:

    It's a shame those wizards don't use inheritable ACLs.

    I had a large directory in Win7 system I wanted to share for DLNA (network playback). The frigging thing then wanted to add an ACL for the media sharing service for EVERY FRIGGIN FILE IN THE DIRECTORY, and it took FOREVER. The stupid media sharing service also reads the directory EVERY TIME THE COMPUTER STARTS. What's the matter?

  8. Joshua says:

    @alegr1: Maybe because inheritable ACLs don't affect files created before the ACL was.

  9. 640k says:

    @Maurits

    Then how do you share files on FAT partitions?

  10. @640k in that scenario you would have to restrict access using share permissions, since FAT doesn't support file-level permissions.

  11. @640k: in that scenario for any serious work, you format the drive with NTFS.

    What are you trying to do, share a removable USB thumb drive or secure digital or other digital media card?

    If it's a fixed drive, it should have been converted to NTFS long ago…

  12. chentiangemalc says:

    i hope the concept of using FAT partitions with windows was purely hypothetical, and people are not really using FAT partitions now.

    as for detailed documentation of the sharing wizard, it might not exist because it is not necessary. it's pretty straightforward to use and i cannot really imagine how it is in any way confusing what it does.

    The documentation here technet.microsoft.com/…/cc772501.aspx really do you need more than that? I hope not.

    The thing I've learnt about writing incredibly detailed documentation is nobody will read it, except for maybe the occasional xpclient, but that's a lot of effort just for xpclient. If you want to know how it works internally use ProcMon and a debugger/disassembler.

  13. Kevin says:

    I think Raymond said (recent versions of) Windows requires the root partition to be NTFS anyway.  I would be very surprised if you could install Windows on FAT.  I mean I suppose you could have two partitions, but why would you want that?

  14. David Walker says:

    FAT partitions (even FAT32X partitions) are not much fun these days, since the size of each file is limited to 4GB.

  15. I suppose you could use FAT32 as a way to share files across a Windows / Linux dual-boot installation, since Windows does not support ReiserFS as far as I know, and the NTFS support on Linux is kind of uneven (or it was when I last investigated)

  16. @xp.client – What if the default permissions don't include the people you want to share with using the sharing wizard? And of course you can do this with advanced permissions, but the sharing wizard does that for you, without you having to deal with the (potentially) complicated dialogs. That's the point of it.

  17. @Maurits: I have used the ntfs3g Linux driver for files shared between Linux and Windows for about 4 years without any problem.

  18. Mark says:

    Maurits: ntfs3g works very nicely out of the box these days. Of course, I'm not sure how many digital cameras use it, but you normally won't be sharing SD cards.

  19. Joshua says:

    @Maurits: or run in test mode and use the ext2 driver.

  20. meh says:

    A few years back I bought an external USB hard drive that was formatted with FAT out-of-the-box. I suspect many people did the same. Sharing files from external drives is common, and if one doesn't want to bother backing up, re-formatting, and then restoring… well you get the idea.

  21. cheong00 says:

    @xp.client: I'll remind you that "Home" versions of Windows do not have the "Advanced Security" screen, so unless Sharing Wizard takes care of the ACLs for them, they would not be able to share their folders.

  22. xp.client says:

    @cheong00, since Vista, no edition of Windows restricts any security permissions or share permissions functionality.

  23. Burak KALAYCI says:

    @xp.client: I want to thank you for your comments once again. (Because otherwise I'd have to spend lots of time trying to post similar ones). You rock!

    About this topic, I'm on XP, my C drive (system) is formatted FAT32, 8 GB. I'd format anything smaller than 8 GB (or even 16 GB) as FAT32. I also like the fact that when I copy a file on FAT32 no other crap comes with it. I don't need any sharing permissions etc. because my main machine is never directly connected (to any network) – nothing is ever shared so that it can be considered relatively safe.

  24. Gabe says:

    meh: If you want to convert a filesystem from FAT to NTFS, why reformat? Just run CONVERT.

  25. Engywuck says:

    @chentiangemalc:

    The problem with your reasoning is, that such detailed documentation *should* already exist. Just not "end-user-friendly"… but the next developer working on it should not have to go to ProcMon and/or a disassembler if (s)he wants to know what it does ;-)

  26. @Burak: "I'd format anything smaller than 8 GB (or even 16 GB) as FAT32."

    Why??  Have you any other reasons besides the fact it feels good with less "crap"?

  27. meh says:

    Sorry Gabe. Didn't know while I spewed that post.

  28. alegr1 says:

    @Burak:

    I'm afraid you don't understand advantages of NTFS for your system drive. It has bulletproof stability and security. As long as you are properly logged on as a non-administrator user, rogue code is not able to screw your system (and you should be logged on as non-administrative user, I hope you already know that). Ever had power failure or a BSOD because of some shoddy IHV driver? It's pretty common for FAT to not survive that without major damage. NTFS just shrugs it off.

  29. @Burak:

    Also, interestingly enough, most of the time very little "crap" comes along with the file. For example, ACL isn't copied along with the file. The ACL on the destination copy of the file is inherited from the parent container.

    There is also the other interesting fact that NTFS stores its files in extents and not cluster chains, so file operations are faster.

  30. @Burak:  Care to substantiate your position with some real test results?  The tests at http://www.tomshardware.com/…/ssd-file-system-ntfs,3166.html seem to suggest that FAT32 is dog slow.  Back when I dual-booted FAT and NTFS (think 12+ years ago), I never really noticed a difference between the two, but it looks like the performance gap has widened, as it's well-known that FAT32 doesn't scale.  Even a 16 GB partition, while small by today's (and your) standards, was gigantic back then – raising these questions about scalability.  Consider that Windows XP setup won't even let you format something > 32 GB as FAT32; there's a reason for that.  Even your "small" partitions can still contain thousands of files and directories – and FAT32 doesn't scale well to that.

    "NTFS has to deal with all these things that make it more secure which I don't need"   <— Again, can you substantiate these claims?  If you think about it, the file system likely stores the ACL with the rest of the file information record, so there wouldn't really be a notable cost to reading the ACL – as most of the cost is associated with seeking the disk and reading an entire sector.  Sequential performance is very good on any disk and generally orders of magnitude faster than seeking, and the difference of adding a few hundred bytes for the ACL is just not going to be noticeable.  Checking the ACL can be done using information buffered in memory, so again – the performance impact would not be noticeable.  The cost for ACL checking is probably 0.00001% or something really low like that.

    Also consider that very small files are stored in the MFT.  The performance of these files should be significantly better than FAT32.

    Regarding backups:  I keep backups too, in the event of drive failure.  But NTFS lets me recover from situations that might trip up FAT.  And then I can avoid doing a restore.  Or, maybe you just like spending quality time with your backup software?

    And you didn't address the security concerns raised by alegr1.  Every user on the system effectively has "administrator" access to a FAT disk.  If it's your system drive, then every user has administrator access to the entire system.  Basically, you have no way of limiting rights to users.  FAT is hopelessly inadequate for this.  Then again, you come across as the type of person who runs as administrator all the time anyway.

  31. Burak KALAYCI says:

    @JamesJohnston @Crescens2k In my experience FAT32 is faster for small partitions (NTFS has to deal with all these things that make it more secure which I don't need). Stability may be a valid argument but for small partitions I prefer speed.*

    @alegr1: OK, you rely on NTFS features to save you after a power failure or a BSOD, I keep daily backups like crazy. Hope your drive hardware does not fail because NTFS won't help with that one.

    @Gabe: Convert had cluster alignment issues in the past (and wouldn't provide the same result as initially NTFS formatted partition). I don't know if this is still true.

    * AFAIK, NTFS has versions, which I'm not familiar with (because I really don't care). Your NTFS may not be the same as my NTFS. Also, currently I don't use an SSD as my C drive.

  32. Gabe says:

    JamesJohnston: Starting with Win2k, NTFS stores ACLs in a security descriptor index, not in the MFT file record segment. Since even a filesystem with millions of files probably only has a few thousand SDs, this makes sense. It also makes caching more effective.

    If you have large, contiguous files, I would expect FAT to have some performance advantages. I don't expect it to perform better in most circumstances, but certainly in some. In particular, there are times when the logging will slow down NTFS, and those may be the times that FAT is faster. I wouldn't boot off a FAT partition, but I'd probably have no issue using one for a pagefile or Photoshop scratch disk.

  33. @Gabe:

    For large contiguous files, surprisingly NTFS beats FAT. This is down to how the file is stored. In the MFT, it uses extents, this is really a list of virtual clusters that the file takes up. Now, when the file isn't fragmented there is only one extent, so the NTFS driver knows right away the starting and ending cluster of the file. On the other hand FAT uses cluster chains to chain together the file. So for file access, reading and writing the file should be a lot faster on NTFS.

    The biggest advantage FAT has over NTFS is how the directories are stored. For small directories the b-trees that NTFS uses have a bit of a performance hit. But with the improvements in the NTFS driver, from even back in the XP era I doubt that FAT would be comparable in speed any more. Even back then, for smaller partitions you couldn't perceive a difference in the file system performance, you could only get an idea when you run it through benchmark software and the difference wasn't that great.

    @JamesJohnston:

    Quite a lot of the information on NTFS around these days is based on stuff that people came up with in the days of Windows 2000 and Windows XP. I think people find it easier seeing what it is written and parroting that rather than running performance tests themselves.

  34. Erk, I got something wrong in my previous post. It is logical clusters, not virtual clusters.

Comments are closed.
