47135: Acronis Files Connect: Best Practices for Permissions on NTFS


Last update: 08-04-2021


This article applies to:

  • Acronis Files Connect (formerly ExtremeZ-IP)


Best practices for permissions on NTFS

The default rights we expect to see inheriting from the drive letter (or the root of the share) are:

  • Administrators, Full Control, Applies to this folder, subfolders, and files
  • SYSTEM (or the Files Connect service account), Full Control, Applies to this folder, subfolders, and files
  • CREATOR OWNER, Full Control, Applies to subfolders and files only

A note regarding CREATOR OWNER: since it applies to subfolders and files only, Full Control will display as "Special" on 2008 and above.

For typical workflows, the Mac users will need all the granular NTFS permissions except Full control, Change permissions, and Take ownership.


Listed out, this is:


  • Traverse folder/execute file
  • List folder/read data
  • Read attributes
  • Read extended attributes
  • Create files/write data
  • Create folders/append data
  • Write attributes
  • Write extended attributes
  • Delete subfolders and files
  • Delete
  • Read permissions

A basic share would appear as follows:


If you need restricted permissions at the root of a share, the best advice we have been able to give is to apply an explicit ACE with limited permissions, such as read only, for a staff group to a parent folder (typically the directory that is being shared), and change the "Apply to" setting to "This folder only" so the clients can mount the share. That way the staff group ACE will not inherit down, but the SYSTEM ACE will.


Then on the child folders, apply an explicit ACE granting permissions to each particular group. Don't forget that the .TemporaryItems at the root of all shares would need an explicit ACE granting all the granular permissions listed above. This will support the safe save operation documented in the Apple KB article at 


You can see in the screenshot below that the child folder "test" did not inherit the read-only ACE from the parent folder "Share" pictured in the screenshot above. We then applied an explicit ACE on "test" granting Full Control to the group "Users".
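
The restricted-root layout described above, sketched with icacls from PowerShell as an added example (not Acronis's own script). The path D:\Share, the group names CONTOSO\Staff and CONTOSO\Design, granting the .TemporaryItems ACE to the staff group, and the extra Synchronize right are assumptions.

```powershell
# Added example. All paths and group names are hypothetical placeholders.
$share = 'D:\Share'                          # directory being shared
$child = Join-Path $share 'test'             # working folder under the share
$temp  = Join-Path $share '.TemporaryItems'  # used by the Mac safe-save operation
$staff = 'CONTOSO\Staff'                     # group allowed to mount the share
$group = 'CONTOSO\Design'                    # group that works in the child folder

# The eleven granular rights listed in the article, in icacls notation:
#   X  = traverse folder/execute file     RD  = list folder/read data
#   RA = read attributes                  REA = read extended attributes
#   WD = create files/write data          AD  = create folders/append data
#   WA = write attributes                 WEA = write extended attributes
#   DC = delete subfolders and files      DE  = delete
#   RC = read permissions
# S (Synchronize) is an addition of this example: Windows' built-in access
# templates include it, and file opens can fail without it.
$granular = '(X,RD,RA,REA,WD,AD,WA,WEA,DC,DE,RC,S)'

# 1. Share root: read-only ACE for the staff group. No (OI)/(CI) flags means
#    "This folder only", so clients can mount the share but the ACE does not
#    flow down. The inherited Administrators/SYSTEM ACEs are left untouched.
icacls $share /grant "${staff}:(R)"

# 2. Child folder: explicit ACE for the working group, applied to this folder,
#    subfolders and files. Full Control, Change permissions and Take ownership
#    are deliberately not granted.
icacls $child /grant "${group}:(OI)(CI)$granular"

# 3. .TemporaryItems at the share root: explicit ACE with the same granular
#    rights. Skipped if the folder does not exist yet.
if (Test-Path -LiteralPath $temp) {
    icacls $temp /grant "${staff}:(OI)(CI)$granular"
}

# 4. Check: the child folder must not carry an inherited ACE for the staff
#    group. If it does, the root ACE was not set to "This folder only".
$leaked = (Get-Acl -LiteralPath $child).Access |
    Where-Object { $_.IdentityReference.Value -eq $staff -and $_.IsInherited }
if ($leaked) {
    Write-Warning "$child inherits an ACE for $staff from the share root"
} else {
    Write-Output "OK: no inherited $staff ACE on $child"
}

# Print the resulting ACLs for review.
icacls $share
icacls $child
```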


This PDF contains more detail, including file system maintenance on Windows systems.


More information

See also Acronis Files Connect: Troubleshooting Windows Server Access from Mac Clients.