// SECURITY

NTFS Permissions Calculator

Decode NTFS permission sets and calculate effective permissions when multiple groups or inheritance sources combine.

// PERMISSION DECODER

Select Allow and Deny for each permission to see the effective result.

// EFFECTIVE PERMISSIONS CALCULATOR

Add multiple permission sources to compute combined effective permissions.

What Are NTFS Permissions?

NTFS (New Technology File System) permissions control who can access, modify, or delete files and folders on Windows systems. There are six standard permissions that can be granted or denied individually:

Full ControlRead, write, modify, delete, change permissions, and take ownership of the file or folder.
ModifyRead, write, and delete the file or folder, but cannot change permissions or take ownership.
Read & ExecuteOpen files and run applications; includes List Folder Contents for folders.
List Folder ContentsView the names of files and subfolders in a directory (folder-only permission).
ReadOpen and view file contents or folder listings, but cannot make changes.
WriteCreate new files, write data to existing files, and create subfolders.

Allow vs Deny

Each NTFS permission can be set to Allow or Deny. When both are present for the same permission, Deny always wins. This is a critical rule: a single Deny entry overrides any number of Allow entries, regardless of where they come from.

For example, if a user belongs to Group A (Allow Read) and Group B (Deny Read), the effective permission is no Read access. Deny takes precedence even if the Allow comes from a parent folder and the Deny is set directly on the file.

Because of this behaviour, Deny entries should be used sparingly. In most cases, the preferred approach is to simply not grant Allow permissions rather than explicitly denying them. Overusing Deny can create confusing permission sets that are difficult to troubleshoot.

How Effective Permissions Are Calculated

When a user is a member of multiple groups, each with different NTFS permissions on the same resource, Windows calculates the effective permissions using these rules:

1Aggregate all Allow permissions from every group the user belongs to (union).
2Aggregate all Deny permissions from every group the user belongs to (union).
3Subtract the Deny set from the Allow set — any permission that appears in both is removed.
4The remaining Allow permissions form the effective permission set.

Inheritance also plays a role: permissions flow down from parent folders to child objects unless inheritance is blocked. A file inherits the cumulative Allow permissions of all parent folders, minus any Deny entries encountered along the chain.

NTFS vs Share Permissions

When a user accesses a file over the network via a Windows share, both NTFS permissions and share permissions apply. The effective access is the most restrictive combination of the two.

For example, if share permissions grant Full Control but NTFS permissions only allow Read, the effective network access is Read. Conversely, if NTFS allows Full Control but share permissions only allow Read, the result is still Read. The most restrictive permission from either layer always wins.

A common best practice is to set share permissions to Full Control for Everyone and manage actual access control entirely through NTFS permissions. This simplifies administration because you only need to manage one permission layer instead of coordinating two.

Frequently Asked Questions

What is the difference between Allow and Deny in NTFS permissions?: Allow grants access to a permission while Deny explicitly blocks it. When both are applied to the same user for the same permission, Deny always takes precedence. This ensures that an explicit block cannot be accidentally overridden by an Allow from another group.
What happens when Deny and Allow permissions conflict?: Deny always wins. Even if a user has Allow permissions from ten different groups, a single Deny entry for that permission will block access entirely. This is why Deny entries should be used sparingly and deliberately — they override all Allow sources regardless of quantity.
How are effective permissions calculated when multiple groups apply?: Windows aggregates all Allow permissions from every group the user belongs to (union of Allow sets), then aggregates all Deny permissions (union of Deny sets), and finally subtracts the Deny set from the Allow set. The remaining permissions are the effective set. Inheritance from parent folders is also included unless explicitly blocked.
What is the difference between Read and Read & Execute?: Read allows opening and viewing file contents or folder listings. Read & Execute includes everything in Read plus the ability to run applications and executables. For folders, Read & Execute also implies List Folder Contents, letting users navigate through the directory structure to reach subfolders.
What is the difference between NTFS permissions and share permissions?: NTFS permissions apply locally and over the network — they are always enforced. Share permissions only apply when accessing files through a network share. When both are in effect for network access, the most restrictive permission from either layer wins. Locally, only NTFS permissions apply.
Can I use this calculator for Linux file permissions?: No. Linux uses a completely different permission model based on owner/group/other with read/write/execute bits (e.g. chmod 755) and Access Control Lists (ACLs). NTFS permissions are specific to Windows and use Allow/Deny entries with inheritance. For Linux permissions, use a chmod calculator or octal permission reference instead.

// IT SECURITY

Need help with Windows file server permissions?

DMC IT Services designs and manages Windows file server permissions and access control strategies for SMBs across London, Cambridge, Hertfordshire, and Bedfordshire — from initial NTFS permission structures through to Active Directory group policy and share configuration.

Talk to an Engineer

← Back to all free tools

Permission	Allow	Deny
Full Control
Modify
Read & Execute
List Folder Contents
Read
Write