
Configuring NTFS Permissions


On an NTFS volume, you can set permissions down to the file level. This means for any file you can give individual
users different types of access. Although you can set such detailed permissions, this way lies madness for all but the
most meticulous of control freaks (who are, arguably, already mad).

Always try to operate with the simplest possible permissions. Set as few restrictions as possible. Assign permissions to
groups, not individuals. Don't set file-by-file permissions unless it is unavoidable. Managing the minutiae of permissions
can easily and quickly soak up all your time and much of your life's blood as well, unless you guard against it.

What the Permissions Mean


Windows 2003 Server has a set of standard permissions, each of which is a combination of specific kinds of access. The
standard permissions are Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. Each of these
consists of a group of special permissions. Table 10-2 shows the special permissions and the standard permissions to
which they apply.

Table 10-2: Special permissions for folders

Special Permission           | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write
-----------------------------+--------------+--------+----------------+----------------------+------+------
Traverse Folder/Execute File | Yes          | Yes    | Yes            | Yes                  | No   | No
List Folder/Read Data        | Yes          | Yes    | Yes            | Yes                  | Yes  | No
Read Attributes              | Yes          | Yes    | Yes            | Yes                  | Yes  | No
Read Extended Attributes     | Yes          | Yes    | Yes            | Yes                  | Yes  | No
Create Files/Write Data      | Yes          | Yes    | No             | No                   | No   | Yes
Create Folders/Append Data   | Yes          | Yes    | No             | No                   | No   | Yes
Write Attributes             | Yes          | Yes    | No             | No                   | No   | Yes
Write Extended Attributes    | Yes          | Yes    | No             | No                   | No   | Yes
Delete Subfolders and Files  | Yes          | No     | No             | No                   | No   | No
Delete                       | Yes          | Yes    | No             | No                   | No   | No
Read Permissions             | Yes          | Yes    | Yes            | Yes                  | Yes  | Yes
Change Permissions           | Yes          | No     | No             | No                   | No   | No
Take Ownership               | Yes          | No     | No             | No                   | No   | No
Synchronize                  | Yes          | Yes    | Yes            | Yes                  | Yes  | Yes

File permissions include Full Control, Modify, Read & Execute, Read, and Write. As with folders, each of these
permissions controls a group of special permissions. Table 10-3 shows the special permissions associated with each
standard permission.

Table 10-3: Special permissions for files

Special Permission           | Full Control | Modify | Read & Execute | Read | Write
-----------------------------+--------------+--------+----------------+------+------
Traverse Folder/Execute File | Yes          | Yes    | Yes            | No   | No
List Folder/Read Data        | Yes          | Yes    | Yes            | Yes  | No
Read Attributes              | Yes          | Yes    | Yes            | Yes  | No
Read Extended Attributes     | Yes          | Yes    | Yes            | Yes  | No
Create Files/Write Data      | Yes          | Yes    | No             | No   | Yes
Create Folders/Append Data   | Yes          | Yes    | No             | No   | Yes
Write Attributes             | Yes          | Yes    | No             | No   | Yes
Write Extended Attributes    | Yes          | Yes    | No             | No   | Yes
Delete Subfolders and Files  | Yes          | No     | No             | No   | No
Delete                       | Yes          | Yes    | No             | No   | No
Read Permissions             | Yes          | Yes    | Yes            | Yes  | Yes
Change Permissions           | Yes          | No     | No             | No   | No
Take Ownership               | Yes          | No     | No             | No   | No

Caution Any user or group assigned Full Control on a folder can delete files and subfolders no matter what the
permissions are on the individual files or subfolders.

How Permissions Work


If you take no action at all, the files and folders inside a shared folder have the same permissions as the share.
Permissions for both directories and files can be assigned to the following:

- Groups and individual users on this domain

- Global groups, universal groups, and individual users from domains that this domain trusts

- Special identities such as Everyone and Authenticated Users

The important rules for permissions can be summarized as follows:

- By default, a folder inherits permissions from its parent folder. Files inherit their permissions from the folder in which
they reside.

- Users can access a folder or file only if they were granted permission to do so or they belong to a group that has
been granted permission.

- Permissions are cumulative, but the Deny permission trumps all others. For example, if the Technical Writers group
has Read access to a folder and the Project group has Modify permission for the same folder, and Alex is a
member of both groups, Alex has the higher level of permission, which is Modify. However, if the Technical Writers
group permission is changed to explicitly Deny, Alex is unable to use the folder, despite his membership (and
ostensibly higher level of access) in the Project group.

- The user who creates a file or folder owns the object and can set permissions to control access.

- An administrator can take ownership of any file or folder.

- Members of the Administrators, Backup Operators, and Server Operators groups can take ownership and reassign
ownership.
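The Alex example above, worked through in PowerShell. This is an added example, not code from the book: it evaluates
in-memory access rules, so it needs no files or real accounts, and CONTOSO, the group names and the user alex are
constructed for illustration.

```powershell
# Added example (not from the book): models the "permissions are cumulative, but
# Deny trumps" rule on in-memory access rules. CONTOSO, the group names and
# the user alex are constructed for illustration.
function Get-EffectiveRights {
    param(
        [System.Security.AccessControl.FileSystemAccessRule[]] $Rules,  # the object's DACL entries
        [string[]] $Identities   # the user plus every group the user is a member of
    )
    [int] $allowed = 0
    [int] $denied  = 0
    foreach ($rule in $Rules) {
        if ($Identities -notcontains $rule.IdentityReference.Value) { continue }
        if ($rule.AccessControlType -eq 'Allow') {
            $allowed = $allowed -bor [int]$rule.FileSystemRights   # Allow entries accumulate
        } else {
            $denied = $denied -bor [int]$rule.FileSystemRights     # Deny entries are removed last
        }
    }
    return [System.Security.AccessControl.FileSystemRights] ($allowed -band (-bnot $denied))
}

function New-Rule([string] $Who, [string] $Rights, [string] $Type) {
    [System.Security.AccessControl.FileSystemAccessRule]::new($Who, $Rights, $Type)
}

# Folder ACL: Technical Writers may Read, Project may Modify
$folderAcl = @(
    New-Rule 'CONTOSO\Technical Writers' 'Read'   'Allow'
    New-Rule 'CONTOSO\Project'           'Modify' 'Allow'
)
# Alex is a member of both groups
$alex = 'CONTOSO\alex', 'CONTOSO\Technical Writers', 'CONTOSO\Project'

# Both Allow entries merge, so Alex ends up with the higher level, Modify
Get-EffectiveRights -Rules $folderAcl -Identities $alex

# Change the Technical Writers entry to Deny Read: the Read bits (including
# List Folder/Read Data) are stripped, so Alex can no longer use the folder
# even though Project still grants Modify
$withDeny = @($folderAcl[1]; New-Rule 'CONTOSO\Technical Writers' 'Read' 'Deny')
Get-EffectiveRights -Rules $withDeny -Identities $alex
```

Windows evaluates entries in canonical order, with explicit entries ahead of inherited ones, so this model describes
entries set at the same level; an explicit Allow on a child can still override a Deny inherited from its parent.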

Considering Inheritance


Just to complicate matters a bit more, there are two types of permissions: explicit and inherited. Explicit
permissions are the ones you set on folders you create. Inherited permissions are those that flow from a parent object to
a child object. By default, when you create a subfolder, it inherits the permissions of the parent folder.

If you don't want the child objects to inherit the permissions of the parent, you can block inheritance at the parent level
or at the child level. Where you block inheritance is important. Block at the parent level and no subfolders will inherit
permissions. Block selectively at the child level and some folders will inherit permissions and others will not.

To block a file or folder from inheriting permissions, right-click the folder, select Properties, and then click the Security
tab. Click Advanced and clear the check box for Allow Inheritable Permissions From The Parent To Propagate To This
Object And All Child Objects.

If the check boxes for permissions appear shaded, it means the permissions are inherited from a parent object. If the
boxes are shaded and have a check mark (Figure 10-6), some permissions are inherited and others have been added.
There are three ways to change this situation:

Figure 10-6: A folder with inherited and noninherited permissions.

- Clear the check box for Allow Inheritable Permissions From the Parent To Propagate To This Object And All Child
Objects. When the check box is cleared, you can make changes to the permissions or change the users or groups
in the list.

- Change the permissions of the parent folder.

- Select the opposite permission (Allow or Deny) to override the inherited permission.

Note If neither Allow nor Deny is checked, the users or groups might have acquired the permission through a
group membership. Otherwise, failure to explicitly configure Allow or Deny effectively denies the
permission.

Configuring Folder Permissions


Before sharing a folder on an NTFS volume, set all the permissions on the folder. When you set folder permissions,
you're also setting permissions on all the files and subfolders in the folder.

To assign permissions to a folder, right-click the folder in Explorer and choose Properties from the shortcut menu. Then
click the Security tab.

To remove an individual or group from the list, just select the name and click Remove.

To add to the list of those with permissions, click Add. This opens the Select Users, Computers, Or Groups dialog box.
Optionally click Advanced to perform a more sophisticated search, as shown in Figure 10-7. Click OK when you're done.

Figure 10-7: Selecting users and groups.

Assigning Permissions to Files


Permissions for individual files are assigned in the same way as folders. There are, however, some special
considerations:

- Remember to grant permissions to groups, rather than to individuals.

- Create domain-based groups and assign file permissions to them rather than assign permissions directly to local
groups.

Configuring Special Permissions


In some circumstances, you might find it necessary to set, change, or remove special permissions on either a file or
folder. To access special permissions, follow these steps:
1. Right-click the file or folder and choose Properties from the shortcut menu.

2. Click the Security tab, and then click Advanced.

   - To add a user or group, click Add. Double-click the user or group name to open the Permission Entry dialog
box.

   - To view or modify existing special permissions, select the name of the user or group and click Edit.

   - To remove special permissions, select the name of the user or group and click Remove. If the Remove
button is dimmed, clear the check box for Allow Inheritable Permissions From Parent To Propagate To This
Object, and skip to Step 6.

3. In the Permission Entry For Images dialog box (Figure 10-8), select where you want the permissions applied in
the Apply Onto box. (See Table 10-4 and Table 10-5 for explanations of the choices in this drop-down box.)
Apply Onto is available for folders only.

Figure 10-8: Setting special permissions for a folder.

4. In Permissions, select Allow or Deny for each permission.

5. To prevent subfolders and files from inheriting these permissions, select Apply These Permissions To Objects
And/Or Containers Within This Container Only.

6. Click OK to close the dialog box.

In the Permission Entry For Images dialog box for folders, you can choose how and where the special permissions are
applied. Table 10-4 and Table 10-5 demonstrate the application of the special permissions depending on whether Apply
These Permissions To Objects And/Or Containers Within This Container Only is selected.

Table 10-4: Application of special permissions when Apply These Permissions To Objects And/Or Containers
Within This Container Only is selected

Selected in Apply Onto             | Applies to current folder? | Applies to subfolders in current folder? | Applies to files in current folder? | Applies to subsequent subfolders? | Applies to files in subsequent subfolders?
-----------------------------------+----------------------------+------------------------------------------+-------------------------------------+-----------------------------------+-------------------------------------------
This folder only                   | Yes                        | No                                       | No                                  | No                                | No
This folder, subfolders, and files | Yes                        | Yes                                      | Yes                                 | No                                | No
This folder and subfolders         | Yes                        | Yes                                      | No                                  | No                                | No
This folder and files              | Yes                        | No                                       | Yes                                 | No                                | No
Subfolders and files only          | No                         | Yes                                      | Yes                                 | No                                | No
Subfolders only                    | No                         | Yes                                      | No                                  | No                                | No
Files only                         | No                         | No                                       | Yes                                 | No                                | No

Table 10-5: Application of special permissions when Apply These Permissions To Objects And/Or Containers
Within This Container Only is not selected

Selected in Apply Onto             | Applies to current folder? | Applies to subfolders in current folder? | Applies to files in current folder? | Applies to subsequent subfolders? | Applies to files in subsequent subfolders?
-----------------------------------+----------------------------+------------------------------------------+-------------------------------------+-----------------------------------+-------------------------------------------
This folder only                   | Yes                        | No                                       | No                                  | No                                | No
This folder, subfolders, and files | Yes                        | Yes                                      | Yes                                 | Yes                               | Yes
This folder and subfolders         | Yes                        | Yes                                      | No                                  | Yes                               | No
This folder and files              | Yes                        | No                                       | Yes                                 | No                                | Yes
Subfolders and files only          | No                         | Yes                                      | Yes                                 | Yes                               | Yes
Subfolders only                    | No                         | Yes                                      | No                                  | Yes                               | No
Files only                         | No                         | No                                       | Yes                                 | No                                | Yes
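The dialog choices in Tables 10-4 and 10-5 correspond to inheritance and propagation flags on the access entry, and
the inheritance-blocking step from Considering Inheritance is a flag on the whole DACL. The following is an added
example, not code from the book, that sets both from PowerShell; C:\Data\Images and CONTOSO\Project are
placeholder values, and the session is assumed to be an elevated one.

```powershell
# Added example (not from the book). Maps the Apply Onto choices of Tables 10-4
# and 10-5 to the .NET flags the Permission Entry dialog stores, then applies
# one entry with Set-Acl. C:\Data\Images and CONTOSO\Project are placeholders.
function Get-ApplyOntoFlags {
    param(
        [ValidateSet('This folder only', 'This folder, subfolders, and files',
                     'This folder and subfolders', 'This folder and files',
                     'Subfolders and files only', 'Subfolders only', 'Files only')]
        [string] $ApplyOnto,
        # the "Apply These Permissions To Objects And/Or Containers Within This Container Only" box
        [switch] $ThisContainerOnly
    )
    $CI = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $OI = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $inherit = switch ($ApplyOnto) {
        'This folder only'                   { [System.Security.AccessControl.InheritanceFlags]::None }
        'This folder, subfolders, and files' { $CI -bor $OI }
        'This folder and subfolders'         { $CI }
        'This folder and files'              { $OI }
        'Subfolders and files only'          { $CI -bor $OI }
        'Subfolders only'                    { $CI }
        'Files only'                         { $OI }
    }
    # The "... only" choices do not apply to the folder itself: InheritOnly
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    if ($ApplyOnto -ne 'This folder only' -and $ApplyOnto -like '*only') {
        $propagate = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    }
    # Table 10-4 vs. 10-5: the check box adds NoPropagateInherit, which stops the
    # entry one level down (only valid when the entry is inherited at all)
    if ($ThisContainerOnly -and $inherit -ne [System.Security.AccessControl.InheritanceFlags]::None) {
        $propagate = $propagate -bor [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
    }
    [PSCustomObject]@{ InheritanceFlags = $inherit; PropagationFlags = $propagate }
}

# Table 10-4 row "Subfolders and files only": the direct children of the folder
# get the entry, nothing below them does, and the folder itself is untouched
$flags = Get-ApplyOntoFlags -ApplyOnto 'Subfolders and files only' -ThisContainerOnly
$acl = Get-Acl -Path 'C:\Data\Images'
# Block inheritance from the parent (the cleared "Allow Inheritable Permissions..." box);
# the second $true keeps the entries inherited so far as explicit ones, $false drops them
$acl.SetAccessRuleProtection($true, $true)
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    'CONTOSO\Project', 'Modify', $flags.InheritanceFlags, $flags.PropagationFlags, 'Allow'))
Set-Acl -Path 'C:\Data\Images' -AclObject $acl
# Verify the stored flags rather than trusting the dialog's wording
(Get-Acl -Path 'C:\Data\Images').Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags, PropagationFlags
```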

Ownership and How It Works


As you've seen, Administrators and members of a few other select groups are the only ones who can grant and change
permissions. The exception is when a user is the owner of the folder or file in question. Every object on an NTFS
partition has an owner and the owner is the person who created the file or folder. The owner controls access to the file
or folder and can keep out anyone he or she chooses.

Here's how it works. Let's say a user named Maxwell creates a folder on his computer called Max's Private Stuff. To
check the settings on his new folder, Maxwell right-clicks the folder and chooses Properties and then clicks the Security
tab (Figure 10-9).

Figure 10-9: Viewing the NTFS permissions for a new folder.

He sees that the Administrators group has full access to his folder, but because Maxwell is the owner of the folder, he
can change the permissions so that he has the folder all to himself. To do so, he clicks Advanced to open the Advanced
Security Settings dialog box. He then highlights the Administrators entry and clears the Inherit From Parent option
(Figure 10-10).

Figure 10-10: Removing inheritance from a permission entry.


After accepting the security warning, Maxwell can return to the Security Properties dialog box, highlight the
Administrators group, and click Remove. After this is done, even the administrator sees an Access Denied message
when trying to open the folder.

Of course, nothing on the network can be completely beyond the reach of administrators, so an administrator can
right-click the folder and choose Properties from the shortcut menu. On clicking the Security tab, the information box
shown in Figure 10-11 opens.

Figure 10-11: The administrator tries to view permissions for a folder owned by a user.

In the Security Properties dialog box, no changes can be made. However, if the administrator clicks Advanced and then
the Owner tab (Figure 10-12), he or she can change the owner of the folder to an administrator.

Figure 10-12: Changing the ownership of a folder.

No matter what the status of the folder, the administrator can take ownership. When Maxwell logs on the next time, he
still has access to Max's Private Stuff, but when he clicks Advanced and then Owner, he sees that he's no longer the
owner of the folder. Changing the ownership of the folder doesn't automatically give Administrators access to the
contents of the folder, but ownership does grant the ability to read and change permissions. With that, an administrator
can change permissions and attain access to the folder contents.

Note The owner of a file or folder can also grant the Take Ownership special permission to others, allowing those
users to take ownership at any time.
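Because Full Control, Change Permissions and Take Ownership each let a principal re-open a folder to itself, as the
Caution and the Note above describe, a periodic check for where those rights have been granted outside the
administrative groups is worthwhile. The following audit is an added example, not code from the book; D:\Shares and
the trusted list are placeholders.

```powershell
# Added audit example (not from the book). Lists every folder under a root where
# a principal outside $Trusted is allowed Take Ownership or Change Permissions
# (Full Control includes both) and reports the folder's current owner.
# D:\Shares and the default trusted list are placeholders.
function Find-OwnershipRisk {
    param(
        [string]   $Root,
        [string[]] $Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    $risky = [System.Security.AccessControl.FileSystemRights]'TakeOwnership, ChangePermissions'
    Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        # Get-Acl needs Read Permissions on the folder; skip the ones it cannot read
        $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Trusted -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$risky) -ne 0) {
                [PSCustomObject]@{
                    Path      = $_.FullName
                    Owner     = $acl.Owner          # the principal that can always re-grant itself access
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited    # explicit entries deserve the closer look
                }
            }
        }
    }
}

Find-OwnershipRisk -Root 'D:\Shares' | Format-Table -AutoSize
```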
