What's the difference between Sharing and Advanced Sharing in Windows Server 2008?

First, I've researched this and found one question that was not answered, and one that was answered not completely. https://serverfault.com/questions/652215/file-sharing-methods (incomplete or vague answer)

Anyway, when I right-click on a folder in 2k8, I hit Properties, then Sharing. Now, I see two options--at the top is "Share..." which allows you to select users and apparently it also sets the Security permissions as well.

However, when I go down to "Advanced Sharing", I see the exact same share name--only none of the permissions I put in the top one are there. (The link above said that "Advanced Sharing" allowed you to add more refined permissions on what was done in the top "Share..." button, but this is not the case.)

Further, when I add a user in the "Advanced Sharing", he does not show up in the top "Share..." section. When I then close out of the top section, that user is REMOVED from the bottom sharing.

So...can anyone explain how these are related and which one takes precedence and more to the point--how does one share a folder on and have any sort of confidence that the users one puts there will actually have access to that share? If one share is a completely different share of the same name then one would think Windows would warn that you're overwriting a share that you'd already carefully set up, but no such warning appears. Thanks,


Solution 1:

The short answer:

The "Share" button sets filesystem permissions. The "Advanced Sharing" button sets CIFS share permissions.

Permissions are processed like this for a network user:

  • Computer (Remote Login) => Share (Advanced Sharing) => Filesystem (Security)

If a user is blocked at any stage they cannot proceed any further.


The long answer:

The 'Basic' sharing dialog does not apply any permissions on the share level.

Instead it defaults share-level security to allow all, and any permissions you set are applied directly to the underlying filesystem. All ACLs are parsed in turn, so setting share-level permissions to allow everything just means control gets deferred to the filesystem itself.

The reasons for this are simple - so there is just one set of permissions to manage and the same rules are applied to both local and remote access. This is to avoid any conflicts and confusion for basic users. It is the "basic"/"home user" option after all.

The "Advanced Sharing" option for administrators applies an additional level of share-level permissions that only act on remote/network access.

This allows advanced users to apply an additional level of access control for network access only, but does not apply any rules to the filesystem itself. As with all ACLs, users must pass both sets of permissions to gain access so giving users access to the share, but not the filesystem, would not work - hence why this option is protected behind an "Advanced" button.


> So...can anyone explain how these are related and which one takes precedence

They are not related. Neither takes precedence.

> how does one share a folder on and have any sort of confidence that the users one puts there will actually have access to that share?

Use the basic Sharing dialog.

> If one share is a completely different share of the same name then one would think Windows would warn that you're overwriting a share that you'd already carefully set up, but no such warning appears.

They are not different shares. You cannot have multiple shares of the same name.

> I have added 4 people with specific rules in the Sharing section but when I go to Advanced Sharing, Everyone has full access. Can I remove this Full Access? What are the rules?

You can try, but it is needed for the standard Sharing permissions to work.
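
To see the two layers described in this answer side by side, the following added example (not part of the original answer) lists each disk share's share-level ACL next to the NTFS ACL of the folder behind it. It assumes an elevated PowerShell session on the file server; the function names `Get-ShareLayer` and `Get-NtfsLayer` are made up for this example.

```powershell
# Added example: show both permission layers for every disk share on this server.
# Assumes an elevated PowerShell session; uses WMI classes present on Server 2008.

function Get-ShareLayer {
    param([string]$ShareName)
    # Share names containing a single quote would need escaping in this filter.
    $sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
    if (-not $sec) { return }
    foreach ($ace in $sec.GetSecurityDescriptor().Descriptor.DACL) {
        # Standard share-level access masks; anything else is printed in hex.
        $rights = switch ($ace.AccessMask) {
            2032127 { 'Full Control' }
            1245631 { 'Change' }
            1179817 { 'Read' }
            default { '0x{0:X}' -f $ace.AccessMask }
        }
        $type = 'Allow'
        if ($ace.AceType -eq 1) { $type = 'Deny' }
        $name = ('{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name).TrimStart('\')
        New-Object PSObject -Property @{
            Layer = 'Share'; Trustee = $name; Type = $type; Rights = $rights
        }
    }
}

function Get-NtfsLayer {
    param([string]$Path)
    # The filesystem ACL is what the "Security" tab shows and what local access is checked against.
    foreach ($rule in (Get-Acl -Path $Path).Access) {
        New-Object PSObject -Property @{
            Layer   = 'NTFS'
            Trustee = $rule.IdentityReference.Value
            Type    = $rule.AccessControlType
            Rights  = $rule.FileSystemRights
        }
    }
}

# Type=0 selects ordinary disk shares and skips administrative shares such as C$.
Get-WmiObject -Class Win32_Share -Filter "Type=0" | ForEach-Object {
    Write-Host ("`n[{0}] -> {1}" -f $_.Name, $_.Path)
    @(Get-ShareLayer $_.Name) + @(Get-NtfsLayer $_.Path) |
        Format-Table Layer, Trustee, Type, Rights -AutoSize | Out-Host
}
```

A network user needs an Allow in both the Share rows and the NTFS rows for the same folder; a user who appears in only one layer is blocked at the other.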