When multiple users edit Word documents on a network share, accidental overwrites and unauthorized changes can corrupt files and destroy work. The standard solution is to use file-system access control lists or ACLs to restrict who can open or modify each document. This article explains how to apply file-system ACL filters to Word documents on a network share so that only specific users or groups can read or write each file.
Windows file permissions let you set granular rules per user or group: Full Control, Modify, Read & Execute, Read, and Write. By applying these rules to individual Word documents or folders, you can lock a document against unwanted edits. You do not need Word’s built-in Restrict Editing feature or Information Rights Management. The ACL filter works at the file-system level and blocks changes before Word even opens the file.
This guide covers the prerequisites, step-by-step configuration, common pitfalls, and a comparison of ACL-based locking versus Word’s internal protection methods.
Key Takeaways: Locking Word Files With File-System ACL Filters
- Right-click the file > Properties > Security > Edit: Opens the ACL editor for a single Word document on the network share.
- Remove the Users group and add only specific users or groups with Read or Modify permissions: Prevents all unauthorized users from opening or editing the document.
- Apply ACLs to the folder and enable inheritance for new files: Automatically locks all future Word documents placed in that share folder.
How File-System ACLs Control Access to Word Documents
File-system ACLs are permission entries stored in the NTFS security descriptor of every file and folder on a Windows volume. Each ACL contains one or more access control entries or ACEs. Each ACE pairs a security principal such as a user account or a group with a set of allowed or denied rights. The rights include Full Control, Modify, Read & Execute, Read, Write, and Special Permissions.
When a user tries to open a Word document over a network share, Windows checks the file’s ACL. If the user’s account or any group the user belongs to has a Deny entry for Read, the file is inaccessible. If the user has an Allow entry for Read but not Write, Word opens the document in read-only mode. The user sees a yellow bar in Word stating that the file is read-only. The user cannot save changes to the original file. Saving to a new location is still allowed because the user has Write permission on the destination folder.
The key advantage of ACL-based locking is that it works at the operating system level. It blocks all applications including Word, Notepad, and even scripts from modifying the file. The filter is independent of Word’s version or configuration. It also applies to all file types in the folder if you set permissions on the folder itself.
Prerequisites for Using ACL Filters on a Network Share
Before you configure ACLs, confirm the following conditions are met:
- The network share is hosted on an NTFS volume. FAT32 and exFAT volumes do not support ACLs.
- You have Full Control permission on the file or folder. This usually means you are the owner or an administrator on the server.
- All users access the share over SMB, not FTP or HTTP. SMB preserves NTFS permissions.
- User accounts are either local to the server or domain accounts in Active Directory. Local accounts on client machines are not recognized by the server.
Steps to Lock a Word Document on a Network Share Using ACLs
The following steps apply to Windows Server 2022, 2019, and 2016, as well as Windows 11 and Windows 10 Pro or Enterprise when acting as the file server. The procedure is identical for a single document or a folder containing multiple documents.
- Locate the Word document on the server
Open File Explorer on the server or on a client with administrative access to the share. Navigate to the folder that contains the Word document you want to lock. Right-click the document and select Properties. - Open the Security tab
In the Properties dialog, click the Security tab. This tab shows the current permissions for the file. The top list box named Group or user names displays all principals that have an ACE on this file. - Edit permissions
Click the Edit button below the list. A new dialog titled Permissions for [filename] opens. This dialog lets you add, remove, or modify ACEs for the selected file. - Remove the Users group
In the Permissions dialog, select the entry for Users or Authenticated Users. Click Remove. Removing these broad groups prevents all users except those you explicitly add from accessing the file. Do not remove SYSTEM, Administrators, or the owner unless you are certain of the consequences. - Add specific users or groups
Click Add. In the Select Users or Groups dialog, type the name of a user account or a security group that should have access. For example, type “Accounting Team” if you have a domain group for the accounting department. Click Check Names to verify the name, then click OK. - Set the permission level
Back in the Permissions dialog, the newly added principal appears in the list. Select it. In the Permissions for [principal] list below, check the boxes for the rights you want to grant. For read-only access, check Read & Execute and Read. For full edit access, check Modify or Full Control. Click OK. - Apply the changes
Click OK on the Permissions dialog, then click OK on the Properties dialog. The new ACL is written to the file immediately. Any user who does not match the allowed principals will be denied access when they try to open the file over the network.
Locking a Folder Instead of Individual Files
If you want all Word documents in a specific folder to inherit the same ACL, apply the permissions to the folder rather than each file. Right-click the folder, go to Properties > Security > Advanced. Click Disable inheritance if inheritance is currently enabled. Choose Convert inherited permissions into explicit permissions. Then remove unwanted groups and add your allowed principals. Check the box Replace all child object permission entries with inheritable permission entries from this object. Click OK. All existing and future files in that folder will inherit the new ACL.
Common Mistakes and Limitations of ACL-Based Locking
Users Can Still Copy the File to a Writable Location
ACLs control direct access to the file on the share. If a user has Read permission, they can copy the file to their local desktop or another share where they have Write permission. The copy is not locked. To prevent copying, you must also remove the Read permission, which makes the file completely inaccessible. There is no ACL-based way to allow reading but block copying. Use Word’s Restrict Editing or Information Rights Management for that scenario.
Deny Entries Override Allow Entries
If a user belongs to two groups and one group has a Deny entry for Write while the other has an Allow entry for Write, the Deny entry wins. Windows evaluates Deny ACEs before Allow ACEs. To avoid confusion, use only Allow entries and remove all users and groups that should not have access. If you must use Deny, test the result with a non-administrator account.
Owners Can Always Change Permissions
The owner of a file can modify its ACL at any time, even if the current ACL denies them Write access. The owner can take ownership or edit permissions. If you need to prevent the owner from unlocking the document, you must change the owner to a trusted account such as a service account and remove the original owner’s Full Control. This is an advanced configuration that can break workflows if not managed carefully.
ACLs Do Not Prevent Deletion
A user with Modify permission on a folder can delete any file in that folder, even if the file’s own ACL denies Delete. The folder’s permission overrides the file’s permission for delete operations. To prevent deletion, set the folder’s permission to deny Delete for the user or group.
ACL Filter vs Word’s Restrict Editing Feature
| Item | File-System ACL Filter | Word Restrict Editing |
|---|---|---|
| Protection level | Operating system | Application layer |
| Blocks other apps from editing | Yes | No |
| Works without Word installed | Yes | No |
| Prevents copying via file copy | No | No |
| Requires password to unlock | No | Yes |
| Survives file format conversion | Yes | No |
| Applies to all users on the share | Yes | Per file only |
File-system ACLs provide a hard lock that no application can bypass. Word’s Restrict Editing feature is a soft lock that can be removed by anyone who knows the password or by opening the file in a text editor and stripping the XML protection element. For sensitive documents on a network share, use ACLs as the primary lock and add Word’s Restrict Editing as a secondary layer if you need to prevent copying or printing.
You can now lock any Word document on a network share by editing its file-system ACL. Start by removing broad groups like Users and adding only the specific users or groups that should access the file. For a folder full of documents, disable inheritance and apply the ACL to the folder with the option to replace permissions on all child objects. As an advanced tip, use the icacls command-line tool to apply ACLs to hundreds of files at once: run icacls docx /grant "Domain\Group":R /inheritance:e from an elevated Command Prompt on the server to grant Read access to a group for all .docx files in the current folder.