This article applies to:
- Acronis Files Connect (formerly ExtremeZ-IP)
Best practices for permissions on NTFS
The default rights we expect to see inheriting from the drive letter (or the root of the share) are:
- Administrators, Full Control, Applies to this folder, subfolders, and files
- SYSTEM (or the Files Connect service account), Full Control, Applies to this folder, subfolders, and files
- CREATOR OWNER, All the granular NTFS permissions except Full control, Change permissions, and Take ownership (see list below), Applies to subfolders and files only
A note regarding CREATOR OWNER: since it applies to subfolders and files only, this will display as "Special" on 2008 and above.
For typical workflows, the Mac users will need all the granular NTFS permissions except Full control, Change permissions, and Take ownership.
Listed out, this is:
- Traverse folder/execute file
- List folder/read data
- Read attributes
- Read extended attributes
- Create files/write data
- Create folders/append data
- Write attributes
- Write extended attributes
- Delete subfolders and files
- Read permissions
A basic share would appear as follows:
If you need restricted permissions at the root of a share, the best advice we have been able to give is to apply an explicit ACE with limited permissions, such as read only, for a staff group to a parent folder (typically the directory that is being shared), and to change the "Apply to" setting to "This folder only" so the clients can mount the share. That way the staff group ACE will not inherit down, but the SYSTEM ACE will.
Then, on the child folders, apply an explicit ACE granting permissions to each particular group. Don't forget that the .TemporaryItems folder at the root of every share needs an explicit ACE granting all the granular permissions listed above. This will support the safe save operation documented in the Apple KB article at
You can see in the screenshot below that the child folder "test" did not inherit the read-only ACE from the parent folder "Share" pictured in the screenshot above. We then applied an explicit ACE on "test" granting full control to the group "Users".
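The layout described above, scripted in PowerShell as an added example (not part of the original article or Acronis tooling). The path `D:\Share`, the groups `CONTOSO\Staff` and `CONTOSO\Design`, the helper `Add-ExplicitAce`, and the choice of `ReadAndExecute` as the read-only set are assumptions; run it from an elevated session.

```powershell
# Assumed names, not from the article: adjust to your environment.
$ShareRoot  = 'D:\Share'                       # directory that is being shared
$StaffGroup = 'CONTOSO\Staff'                  # read-only at the share root
$ChildAces  = @{ 'test' = 'CONTOSO\Design' }   # child folder -> group

# The ten granular rights listed in the article. The enum's separate
# 'Delete' right is not in that list, so it is not granted here.
$Granular = [System.Security.AccessControl.FileSystemRights](
    'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ' +
    'CreateFiles, CreateDirectories, WriteAttributes, ' +
    'WriteExtendedAttributes, DeleteSubdirectoriesAndFiles, ReadPermissions')

# "Apply to" settings expressed as inheritance flags.
$ThisFolderOnly    = [System.Security.AccessControl.InheritanceFlags]::None
$FolderSubAndFiles = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

function Add-ExplicitAce {   # hypothetical helper: adds one explicit Allow ACE
    param([string] $Path, [string] $Identity,
          [System.Security.AccessControl.FileSystemRights] $Rights,
          [System.Security.AccessControl.InheritanceFlags] $Inherit)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)          # merges with existing explicit ACEs
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# 1. Share root: read-only for staff, "This folder only", so clients can
#    mount the share while the ACE does not inherit down.
Add-ExplicitAce $ShareRoot $StaffGroup 'ReadAndExecute' $ThisFolderOnly

# 2. .TemporaryItems at the share root: granular rights for safe saves.
#    Granting them to the staff group is an assumption.
$tmp = Join-Path $ShareRoot '.TemporaryItems'
if (Test-Path -LiteralPath $tmp) {
    Add-ExplicitAce $tmp $StaffGroup $Granular $FolderSubAndFiles
} else { Write-Warning "$tmp does not exist yet" }

# 3. Child folders: one explicit ACE per group, then verify that the
#    root's staff ACE did not arrive by inheritance.
foreach ($name in $ChildAces.Keys) {
    $child = Join-Path $ShareRoot $name
    Add-ExplicitAce $child $ChildAces[$name] $Granular $FolderSubAndFiles
    (Get-Acl -LiteralPath $child).Access |
        Where-Object { $_.IdentityReference.Value -eq $StaffGroup -and $_.IsInherited } |
        ForEach-Object { Write-Warning "$child inherits a $StaffGroup ACE" }
}
```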
This PDF contains more detail, including file system maintenance on Windows systems.
If applying this guidance doesn’t minimize the issues sufficiently, you should consider switching to using a Files Connect “Search Only” volume deployment.
You can see details about using and creating these search volumes in the documentation at
QuickStart Guide > Configuring Your First Shared Volume
where it says:
Search only (Mac client will connect using SMB) – With this option, the volume will be displayed in the Files Connect Mac client app and will be searchable, but it will not be shared as an AFP volume. Macs connecting to the Files Connect server using AFP will not see this volume. Macs will automatically connect to "Search only" volumes and files found in Files Connect Mac client app search results using SMB. This connection uses preexisting Windows or NAS SMB file server shared volumes.
QuickStart Guide > The Mac client