This chapter introduces you to Microsoft Windows 2000 file system (NTFS) folder and file permissions. You will learn how to assign NTFS folder and file permissions to user accounts and groups, and how moving or copying files and folders affects NTFS file and folder permissions. You will also learn how to troubleshoot common resource access problems.

Lesson 1: Understanding NTFS Permissions

NTFS permissions are rules associated with objects that regulate which users can gain access to an object and in what manner. This lesson introduces standard NTFS folder and file permissions. It also explores the effects of combining user account and group permissions with file and folder permissions.

After this lesson, you will be able to

Estimated lesson time: 10 minutes

NTFS Permissions

Use NTFS permissions to specify which users and groups can gain access to files and folders, and what they can do with the contents of the file or folder. NTFS permissions are only available on NTFS volumes. NTFS permissions are not available on volumes that are formatted with the file allocation table (FAT) or FAT32 file systems. NTFS security is effective whether a user gains access to the file or folder at the computer or over the network. The permissions you assign for folders are different from the permissions you assign for files.

NTFS Folder Permissions

You assign folder permissions to control the access that users have to folders and to the files and subfolders that are contained within the folder.

Table 9.1 lists the standard NTFS folder permissions that you can assign and the type of access that each provides.

Table 9.1 NTFS Folder Permissions

NTFS Folder Permission
    Allows the User To

Full Control
    Change permissions, take ownership, and delete subfolders and files, plus perform actions permitted by all other NTFS folder permissions

Modify
    Delete the folder plus perform actions permitted by the Write permission and the Read & Execute permission

Read & Execute
    Move through folders to reach other files and folders, even if the users do not have permission for those folders, and perform actions permitted by the Read permission and the List Folder Contents permission

List Folder Contents
    See the names of files and subfolders in the folder

Read
    See files and subfolders in the folder and view folder ownership, permissions, and attributes (such as Read-only, Hidden, Archive, and System)

Write
    Create new files and subfolders within the folder, change folder attributes, and view folder ownership and permissions

You can deny folder permission to a user account or group. To deny all access to a user account or group for a folder, deny the Full Control permission.

NTFS File Permissions

You assign file permissions to control the access that users have to files. Table 9.2 lists the standard NTFS file permissions that you can assign and the type of access that each provides.

Table 9.2 NTFS File Permissions

NTFS File Permission
    Allows the User To

Full Control
    Change permissions and take ownership, plus perform the actions permitted by all other NTFS file permissions

Modify
    Modify and delete the file plus perform the actions permitted by the Write permission and the Read & Execute permission

Read & Execute
    Run applications plus perform the actions permitted by the Read permission

Read
    Read the file, and view file attributes, ownership, and permissions

Write
    Overwrite the file, change file attributes, and view file ownership and permissions

Access Control List

NTFS stores an access control list (ACL) with every file and folder on an NTFS volume. The ACL contains a list of all user accounts and groups that have been granted access for the file or folder, as well as the type of access that they have been granted. When a user attempts to gain access to a resource, the ACL must contain an entry, called an access control entry (ACE), for the user account or a group to which the user belongs. The entry must allow the type of access that is requested (for example, Read access) for the user to gain access. If no ACE exists in the ACL, the user cannot gain access to the resource.

Multiple NTFS Permissions

You can assign multiple permissions to a user account by assigning permissions for a resource to an individual user account and to each group of which the user is a member. You need to understand the rules and priorities that are associated with how NTFS assigns and combines multiple permissions. You also need to understand NTFS permission inheritance.

Permissions Are Cumulative

A user's effective permissions for a resource are the sum of the NTFS permissions that you assign to the individual user account and to all of the groups to which the user belongs. If a user has Read permission for a folder and is a member of a group with Write permission for the same folder, the user has both Read and Write permission for that folder.

File Permissions Override Folder Permissions

NTFS file permissions take priority over NTFS folder permissions. A user who has permission for a file can open it even without permission for the folder that contains it, by supplying the full Universal Naming Convention (UNC) or local path to the file in the application that opens it. Without permission for the folder, the user cannot see the folder and therefore cannot browse to the file, so the full path must be known in advance.

Note The Traverse Folder/Execute File special permission allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. This permission takes effect only when the group or user is not granted the Bypass Traverse Checking user right in the Group Policy snap-in. For more information on special permissions, see Lesson 3. For more information on user rights, see Chapter 13, "Administering a Security Configuration."

Deny Overrides Other Permissions

You can deny permission to a user account or group for a specific file, although this is not the recommended way to control access to resources. Denying permission overrides all instances where that permission is allowed. Even if a user has permission to gain access to the file or folder as a member of a group, denying permission to the user blocks any other permission that the user might have (see Figure 9.1).



Figure 9.1 Multiple NTFS permissions

In Figure 9.1, User1 has Read permission for FolderA and is a member of Group A and Group B. Group B has Write permission for FolderA. Group A has been denied Write permission for File2.

User1 can read and write to File1. The user can also read File2, but she cannot write to File2 because she is a member of Group A, which has been denied Write permission for File2.
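The three rules above (allows accumulate, file entries win over folder entries, a deny removes what any allow granted) are easier to trust once you have watched them applied to a concrete ACL. The PowerShell below is an added example and not part of the training kit. It evaluates a small in-memory model of Figure 9.1 using the same FileSystemRights bit masks Windows uses; the principal names (User1, Group A, Group B) and the three ACE lists are constructed from the figure text and are not resolved against any account database.

```powershell
using namespace System.Security.AccessControl

# Added example (not part of the training kit): a small model of how NTFS combines
# Allow and Deny ACEs. Identities are plain strings constructed from Figure 9.1;
# nothing is resolved against a real account database.

function New-Ace {
    param(
        [string]$Identity,
        [FileSystemRights]$Rights,
        [AccessControlType]$Type = [AccessControlType]::Allow,
        [switch]$Inherited
    )
    [pscustomobject]@{ Identity = $Identity; Rights = $Rights; Type = $Type; Inherited = [bool]$Inherited }
}

function Get-EffectiveRights {
    param(
        [object[]]$Acl,      # ACEs in canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow
        [string[]]$Token     # the user's own name plus every group the user belongs to
    )
    $allowed = 0; $denied = 0
    foreach ($ace in $Acl) {
        if ($Token -notcontains $ace.Identity) { continue }          # ACE is for somebody else
        if ($ace.Type -eq [AccessControlType]::Deny) { $denied  = $denied  -bor [int]$ace.Rights }
        else                                          { $allowed = $allowed -bor [int]$ace.Rights }
    }
    # Allows accumulate across the user's own ACEs and group ACEs; a denied bit
    # removes the same bit even if some other ACE allowed it.
    [FileSystemRights]($allowed -band (-bnot $denied))
}

# FolderA: User1 has Read, Group B has Write (Figure 9.1).
$folderA = @(
    (New-Ace 'User1'   Read)
    (New-Ace 'Group B' Write)
)
# File1 and File2 inherit FolderA's ACEs; File2 additionally denies Write to Group A.
$file1 = foreach ($ace in $folderA) { New-Ace $ace.Identity $ace.Rights $ace.Type -Inherited }
$file2 = @(New-Ace 'Group A' Write Deny) + @($file1)

$user1 = 'User1', 'Group A', 'Group B'   # User1's token: herself plus her two groups
Get-EffectiveRights -Acl $file1 -Token $user1
Get-EffectiveRights -Acl $file2 -Token $user1
```

Run as a script, the two calls print User1's effective rights on File1 and File2 and reproduce the figure's conclusion: Read and Write on File1, Read only on File2. The model is order-free, which is correct for a canonically ordered DACL of the kind the Security tab writes. Windows itself walks the ACEs in order and stops at the first one that denies a requested bit, and because explicit entries precede inherited ones, an explicit Allow on a file beats a Deny inherited from its folder; keep that in mind when reading ACLs written by tools other than the GUI.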

NTFS Permissions Inheritance

By default, permissions that you assign to the parent folder are inherited by and propagated to the subfolders and files that are contained in the parent folder. However, you can prevent permissions inheritance, as shown in Figure 9.2.



Figure 9.2 Permissions inheritance

Understanding Permissions Inheritance

Files and subfolders can inherit permissions from their parent folder. Whatever permissions you assign to the parent folder can also apply to the subfolders and files it contains, depending on the inheritance option set for a given object. When you assign NTFS permissions to give access to a folder, you assign permissions for the folder, for any existing files and subfolders, and for any new files and subfolders that are created in the folder.

Preventing Permissions Inheritance

You can prevent permissions assigned to a parent folder from being inherited by the subfolders and files it contains by changing the inheritance option on the object that should stop inheriting. That is, the subfolders and files will no longer receive permissions that are assigned to the parent folder containing them.

If you prevent permissions inheritance for a folder, that folder becomes the top parent folder. Permissions assigned to this folder will be inherited by the subfolders and files that it contains.

Lesson Summary

In this lesson you learned how NTFS permissions are used to specify which users and groups can gain access to files and folders, and what these permissions allow users to do with the contents of the files or folders. NTFS permissions are only available on NTFS volumes. You also learned that the folder permissions are Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. The file permissions are similar to the folder permissions. The file permissions are Full Control, Modify, Read & Execute, Read, and Write.

You learned about applying NTFS permissions. NTFS stores an ACL with every file and folder on an NTFS volume. The ACL contains a list of all user accounts and groups that have been granted access for the file or folder, as well as the type of access that they have been granted.

You also learned that you can assign multiple permissions to a user account by assigning permissions to the individual user account and to each group of which the user is a member. You learned that NTFS file permissions take priority over NTFS folder permissions.

Finally, you learned that permissions you assign to a parent folder are by default inherited by and propagated to the subfolders and files it contains, and that you can prevent this by changing the inheritance option on a given object. When permissions inheritance is prevented for a folder, that folder becomes the new parent folder: permissions assigned to it are inherited by the subfolders and files within it. Permissions inheritance can also be prevented for a file.

Lesson 2: Assigning NTFS Permissions

There are certain guidelines you should follow for assigning NTFS permissions. Assign permissions according to group and user needs; this includes allowing or preventing permissions inheritance from parent folders to subfolders and files that are contained in the parent folder. This lesson presents guidelines for planning NTFS permissions and then walks you through the steps of assigning NTFS permissions.

After this lesson, you will be able to

Estimated lesson time: 60 minutes

Planning NTFS Permissions

If you take the time to plan your NTFS permissions and follow a few guidelines, you will find that NTFS permissions are easy to manage. Use the following guidelines when you assign NTFS permissions:

    To simplify administration, group files into application, data, and home folders. Centralize home and public folders on a volume that is separate from applications and the operating system. Doing so provides the following benefits:

  1. Allow users only the level of access that they require. If a user only needs to read a file, assign the Read permission to his or her user account for the file. This reduces the possibility of users accidentally modifying or deleting important documents and application files.
  2. Create groups according to the access that the group members require for resources, and then assign the appropriate permissions to the group. Assign permissions to individual user accounts only when necessary.
  3. When you assign permissions for working with data or application folders, assign the Read & Execute permission to the Users group and the Administrators group. This prevents application files from being accidentally deleted or damaged by users or viruses.
  4. Turn off the permissions inheritance option at the home directory level. This allows the user to consider permissions for each file or folder in the home directory.
  5. When you assign permissions for public data folders, assign the Read & Execute permission and the Write permission to the Users group, and the Full Control permission to the CREATOR OWNER identity group. The user who creates a file is by default its creator and owner. After a file is created, you may grant another user permission to take ownership of it; whoever takes ownership becomes the owner. With Read & Execute and Write assigned to Users and Full Control assigned to CREATOR OWNER, users can read and modify documents that other users create, and can read, modify, and delete the files and folders that they create themselves.
  6. Deny permissions only when it is essential to deny specific access to a specific user account or group.
  7. Encourage users to assign permissions to the files and folders that they create and educate them about how to do so.

Setting NTFS Permissions

By default, when you format a volume with NTFS, the Full Control permission is assigned to the Everyone group. You should change this default permission and assign other appropriate NTFS permissions to control the access that users have to resources. Be careful if you assign permissions to the Everyone group and enable the Guest account. Windows 2000 will authenticate a user who does not have a valid user account as Guest. The user automatically gets all rights and permissions that you have assigned to the Everyone group.

Assigning or Modifying Permissions

Administrators, users with the Full Control permission, and the owners of files and folders (Creator Owner) can assign permissions to user accounts and groups.

To assign or modify NTFS permissions for a file or a folder

  1. Right-click the file or folder for which you want to assign permissions, then click Properties.
  2. In the Security tab (see Figure 9.3) of the Properties dialog box for the file or folder, configure the options that are described in Table 9.3.


    Figure 9.3 Security tab of the Properties dialog box for the Data folder

Table 9.3 Security Tab Options

Option
    Description

Name
    Select the user account, group, or special entity for which you want to change permissions or that you want to remove from the list.

Permission
    To allow a permission, select the Allow check box. To deny a permission, select the Deny check box.

Add
    Opens the Select Users, Computers, Or Groups dialog box, which you use to select user accounts and groups to add to the Name list.

Remove
    Removes the selected user account, group, or special entity and the associated permissions for the file or folder.

Advanced
    Opens the Access Control Settings For dialog box, which you use to add, remove, view, or edit special permissions for selected user accounts and groups.

Allow Inheritable Permissions From Parent To Propagate To This Object
    Specifies whether permissions for this object will be affected by inheritance.

Preventing Permissions Inheritance

By default, subfolders and files inherit permissions that you assign to their parent folder. This is indicated in the Security tab in the Properties dialog box by a check in the Allow Inheritable Permissions From Parent To Propagate To This Object check box. If the check boxes under Permissions are shaded, then the file or folder has inherited permissions from the parent folder. To prevent a subfolder or file from inheriting permissions from a parent folder, clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box. If you clear this check box, you are prompted to select one of the options described in Table 9.4.

Table 9.4 Preventing Permissions Inheritance Options

Option
    Description

Copy
    Copy the permissions from the parent folder to the current folder and then deny subsequent permissions inheritance from the parent folder.

Remove
    Remove the permissions that are assigned to the parent folder and retain only the permissions that you explicitly assign to the file or folder.

Cancel
    Cancel the dialog box and restore the check mark in the Allow Inheritable Permissions From Parent To Propagate To This Object check box.

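The Copy and Remove choices of Table 9.4, and the "top parent folder" behaviour described in Lesson 1, can be watched from a shell instead of the check box. The script below is an added example, not from the training kit; it uses Get-Acl and Set-Acl (Windows PowerShell 5.1 or PowerShell 7 on a current Windows, not the Windows 2000 console) on a scratch tree under %TEMP%, whose folder and file names are constructed for the demonstration. It assumes the current user owns that tree, which is true for anything you create under your own %TEMP%.

```powershell
using namespace System.Security.AccessControl

# Added example (not from the training kit): the Copy and Remove choices of Table 9.4,
# performed with Get-Acl/Set-Acl on a scratch tree under %TEMP%. Folder and file names
# are constructed for the demonstration.
$root      = Join-Path $env:TEMP 'NtfsInheritDemo'
$copyDir   = Join-Path $root 'CopyThenBlock'
$removeDir = Join-Path $root 'RemoveThenBlock'
New-Item -ItemType Directory -Path $copyDir, $removeDir -Force | Out-Null

function Show-Dacl([string]$Path) {
    # One line per ACE: who, which rights, Allow or Deny, and whether it came from the parent.
    $leaf = Split-Path -Path $Path -Leaf
    (Get-Acl -Path $Path).Access |
        Select-Object @{ n = 'Object'; e = { $leaf } }, IdentityReference, FileSystemRights,
                      AccessControlType, IsInherited |
        Format-Table -AutoSize
}

# A freshly created folder carries nothing but inherited ACEs (IsInherited = True),
# which is why the Security tab shows their check boxes shaded.
Show-Dacl $copyDir

# Copy: keep a private copy of the parent's ACEs, then stop listening to the parent.
$acl = Get-Acl -Path $copyDir
$acl.SetAccessRuleProtection($true, $true)    # isProtected, preserveInheritance
Set-Acl -Path $copyDir -AclObject $acl
Show-Dacl $copyDir                            # the copied entries are now explicit ones

# Remove: stop inheriting and drop the parent's ACEs, keeping only explicit entries.
# Doing this with no explicit entry would leave an empty DACL, so add one first.
$acl = Get-Acl -Path $removeDir
$acl.SetAccessRuleProtection($true, $false)
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl.AddAccessRule([FileSystemAccessRule]::new($me, [FileSystemRights]::FullControl,
    [InheritanceFlags]'ContainerInherit, ObjectInherit', [PropagationFlags]::None,
    [AccessControlType]::Allow))
Set-Acl -Path $removeDir -AclObject $acl
Show-Dacl $removeDir                          # nothing but the explicit entry just added

# Anything created below a protected folder inherits from that folder, which has
# become the top parent for its subtree.
$note = New-Item -ItemType File -Path (Join-Path $removeDir 'note.txt') -Force
Show-Dacl $note.FullName
```

The order in the Remove branch is the practical point: an empty DACL means nobody but the owner can get in, so add the explicit entry you intend to keep before calling Set-Acl, exactly as the GUI expects you to add entries after clicking Remove. Compare the IsInherited column across the four listings to see which entries came from the parent and which the folder now owns.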
Practice: Planning and Assigning NTFS Permissions

In this practice you plan NTFS permissions for folders and files based on a business scenario. Then you apply NTFS permissions for folders and files on your computer based on a second scenario. Finally, you test the NTFS permissions that you set up to make sure that they are working properly.

Exercise 1 Planning NTFS Permissions

In this exercise you plan how to assign NTFS permissions to folders and files on a computer running Windows 2000 Server, based on the scenario described in the next section.

Scenario

The default NTFS folder and file permissions are Full Control for the Everyone group. Figure 9.4 shows the folder and file structure used for this practice. You need to review the following security criteria and record the changes that you should make to the NTFS folder and file permissions to meet the security criteria.


Figure 9.4 Folder and file structure for practice

To plan NTFS permissions, you must determine the following:

Keep the following general guidelines in mind:

The decisions that you make are based on the following criteria:

When you apply custom permissions to a folder or file, which default permission entry should you remove?

Complete Table 9.5 to plan and record your permissions.

Table 9.5 Permissions Planning Table for Exercise 1

Path                       User Account or Group    NTFS Permissions    Block Inheritance (Yes/No)

Apps
Apps\WordProc
Apps\Spreadsh
Apps\Database
Public
Public\Library
Public\Manuals


Exercise 2 Assigning NTFS Permissions for the Data Folder

In this exercise you assign NTFS permissions for the C:\Data folder (where C:\ is the name of your system drive) based on the scenario described next.

Before beginning the following exercises, create the users and groups listed in Table 9.6.

Table 9.6 Users and Groups for Exercise 2

Group
    Managers
    Sales

User Account
    User81 (member of Print Operators)
    User82 (member of Sales and Print Operators)
    User83 (member of Managers and Print Operators)

Create the following folders (where C:\ is the name of your system drive):

Scenario

The permissions that you assign are based on the following criteria:

To remove permissions from the Everyone group

  1. Log on to your domain as Administrator.
  2. Right-click My Computer, then click Explore.
  3. Expand the Local Disk (C:), right-click the C:\Data folder, then click Properties.

    Windows 2000 displays the Data Properties dialog box with the General tab active.

  4. Click the Security tab to display the permissions for the Data folder.

    Windows 2000 displays the Data Properties dialog box with the Security tab active.

    What are the existing folder permissions?

    Notice that the current allowed permissions cannot be modified.

  5. Under Name, select the Everyone group, then click Remove.

    What do you see?

  6. Click OK to close the message box.
  7. Clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box to block permissions from being inherited.

    Windows 2000 displays the Security message box, prompting you to copy the currently inherited permissions to the folder or remove all permissions for the folder except those that you explicitly specify.

  8. Click Remove.

    What are the existing folder permissions?

To assign permissions to the Users group for the Data folder

  1. In the Data Properties dialog box, click Add.

    Windows 2000 displays the Select Users, Computers, Or Groups dialog box.

  2. In the Look In list at the top of the Select Users, Computers, Or Groups dialog box, select your domain.

    The Look In list allows you to select the computer or domain from which to select user accounts, groups, or computers when you assign permissions. You should specify your domain to select from the user accounts and groups that you created.

  3. In the Name column, select Users, then click Add.

    Users is listed in the box at the bottom of the Select Users, Computers, Or Groups dialog box.

    In the box at the bottom of the Select Users, Computers, Or Groups dialog box, you can also type the name of the object you want. You can type multiple names by separating them with semicolons. If the object exists in a Windows 2000 domain or global catalog, you can type the first few characters of the name and then click Check Names. Windows 2000 either completes the name if there are no similar names, or prompts you to choose a name from a list of similar names.

  4. Click OK to return to the Data Properties dialog box.

    What are the existing allowed folder permissions?

  5. Make sure that Users is selected, and then next to Write, select the Allow check box.
  6. Click Apply to save your changes.

To assign permissions to the CREATOR OWNER group for the Data folder

  1. In the Security tab of the Data Properties dialog box, click Add.

    Windows 2000 displays the Select Users, Computers, Or Groups dialog box.

  2. In the Look In list at the top of the Select Users, Computers, Or Groups dialog box, select your domain.
  3. In the Name list, select CREATOR OWNER, then click Add.

    CREATOR OWNER is listed in the box at the bottom of the Select Users, Computers, Or Groups dialog box.

  4. Click OK to return to the Data Properties dialog box.

    What are the existing allowed folder permissions?

  5. Make sure that CREATOR OWNER is selected, and next to Full Control, select the Allow check box, then click Apply to save your changes.

    What do you see?

  6. Click Advanced to display the additional permissions.

    Windows 2000 displays the Access Control Settings For Data dialog box.

  7. Under Name, select Creator Owner.

    What permissions are assigned to the Creator Owner group and where do these permissions apply? Why?

  8. Click OK.
  9. On the Data Properties dialog box, click OK, then log off your domain.

To test the folder permissions that you assigned for the Data folder

  1. Log on to your domain as User81, then start Windows Explorer.
  2. Expand the C:\Data directory.
  3. In the Data folder, attempt to create a text file named user81.txt.

    Were you successful? Why or why not?

    Attempt to perform the following tasks for the file that you just created, and then record those tasks that you are able to complete.

  4. Close all applications, then log off Windows 2000.

Exercise 3 Assigning NTFS Permissions

In this exercise you assign NTFS permissions to the Data, Managers, Reports, and Sales folders based on the scenario described in the following section.

Scenario

Assign the appropriate permissions to folders as listed in Table 9.7.

Table 9.7 Folder Permissions for Exercise 3

Folder Name
    User Account or Group: Permissions

C:\Data
    Users group: Read & Execute
    Administrators group: Full Control

C:\Data\Managers
    Users group: Read & Execute
    Managers group: Full Control
    Administrators group: Modify

C:\Data\Managers\Reports
    Users group: Read & Execute
    Administrators group: Full Control
    User82: Modify

C:\Data\Sales
    Users group: Read & Execute
    Administrators group: Full Control
    Sales group: Modify

To assign NTFS permissions for a folder

  1. Log on to your domain as Administrator, then start Windows Explorer.
  2. Expand the Local Disk (C:).
  3. Right-click the folder for which you are modifying permissions, then click Properties.

    Windows 2000 displays the Properties dialog box for the folder with the General tab active.

  4. In the Properties dialog box for the folder, click the Security tab.
  5. In the Security tab, if you need to modify the inherited permissions for a user account or group, clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box, and then when prompted to copy or remove inherited permissions, click Copy.
  6. To add permissions to user accounts or groups for the folder, click Add.

    Windows 2000 displays the Select Users, Computers, Or Groups dialog box.

  7. Make sure that your domain appears in the Look In list at the top of the Select Users, Computers, Or Groups dialog box.
  8. In the Name column, type the name of the appropriate user account or group, based on the preceding scenario, then click Add.

    Windows 2000 displays the user account or group under Name at the bottom of the dialog box.

  9. Repeat Step 8 for each user account or group that is listed for the folder in the preceding scenario.
  10. Click OK to return to the Properties dialog box for the folder.
  11. If the Properties dialog box for the folder contains user accounts and groups that are not listed in the preceding scenario, select the user account or group, then click Remove.
  12. For all user accounts and groups that are listed for the folder in the preceding scenario, under Name, select the user account or group, and then under Permissions, select the Allow check box or the Deny check box next to the appropriate permissions that are listed for the folder in the preceding scenario.
  13. Click OK to apply your changes, and close the Properties dialog box for the folder.
  14. Repeat this procedure for each folder for which you are assigning permissions as specified in the preceding scenario.
  15. Log off Windows 2000.
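Exercises 2 and 3 are the same procedure repeated: block inheritance, drop whatever the scenario does not list (Everyone included), add the listed entries. The script below is an added example, not from the training kit, doing both exercises from PowerShell rather than the Security tab. The paths, the Managers and Sales groups, User82, Users, Administrators and CREATOR OWNER are the exercises' own names; the script assumes those accounts exist and that it runs as an administrator on the computer holding C:\Data.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Added example (not from the training kit): Exercises 2 and 3 done from PowerShell
# rather than the Security tab. Paths, the Managers and Sales groups, and User82 are the
# exercises' own names; the script assumes they exist and that it runs as an administrator
# on the computer that holds C:\Data.

function Set-FolderDacl {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Each entry: @{ Identity = <name>; Rights = <FileSystemRights>; SubfoldersAndFilesOnly = $true|$false }
        [Parameter(Mandatory)][hashtable[]]$Entries
    )
    $acl = Get-Acl -Path $Path
    # Exercise 2, steps 7 and 8: block inheritance and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Steps 5 and 11: remove every explicit entry the scenario does not list, Everyone included.
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRuleAll($rule) }
    foreach ($e in $Entries) {
        $inherit   = [InheritanceFlags]::ContainerInherit -bor [InheritanceFlags]::ObjectInherit
        # InheritOnly is what the Access Control Settings dialog shows as "Subfolders and files only".
        $propagate = if ($e.SubfoldersAndFilesOnly) { [PropagationFlags]::InheritOnly } else { [PropagationFlags]::None }
        $acl.AddAccessRule([FileSystemAccessRule]::new([NTAccount]$e.Identity,
            [FileSystemRights]$e.Rights, $inherit, $propagate, [AccessControlType]::Allow))
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Exercise 2: a public data folder. Users may read and add files; whoever creates a file
# owns it, and CREATOR OWNER is applied to subfolders and files only so that the creator,
# not every user, gets Full Control over what they create.
Set-FolderDacl -Path 'C:\Data' -Entries @(
    @{ Identity = 'Users';         Rights = 'ReadAndExecute, Write' }
    @{ Identity = 'CREATOR OWNER'; Rights = 'FullControl'; SubfoldersAndFilesOnly = $true }
)
# Step 7 of the CREATOR OWNER procedure asks where the entry applies; the flags answer it.
(Get-Acl -Path 'C:\Data').Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize

# Exercise 3: Table 9.7 as data. Each folder blocks inheritance and carries exactly the
# listed entries; C:\Data therefore loses the Exercise 2 entries, as it does in the exercise.
$table97 = [ordered]@{
    'C:\Data' = @(
        @{ Identity = 'Users';          Rights = 'ReadAndExecute' }
        @{ Identity = 'Administrators'; Rights = 'FullControl' }
    )
    'C:\Data\Managers' = @(
        @{ Identity = 'Users';          Rights = 'ReadAndExecute' }
        @{ Identity = 'Managers';       Rights = 'FullControl' }
        @{ Identity = 'Administrators'; Rights = 'Modify' }
    )
    'C:\Data\Managers\Reports' = @(
        @{ Identity = 'Users';          Rights = 'ReadAndExecute' }
        @{ Identity = 'Administrators'; Rights = 'FullControl' }
        @{ Identity = 'User82';         Rights = 'Modify' }
    )
    'C:\Data\Sales' = @(
        @{ Identity = 'Users';          Rights = 'ReadAndExecute' }
        @{ Identity = 'Administrators'; Rights = 'FullControl' }
        @{ Identity = 'Sales';          Rights = 'Modify' }
    )
}
foreach ($path in $table97.Keys) { Set-FolderDacl -Path $path -Entries $table97[$path] }
```

Two things worth noticing that the GUI hides. First, after Exercise 2 the C:\Data folder carries no entry for Administrators or SYSTEM; that is what the exercise produces, and administrators can still take ownership, but on a production server you would keep both entries. Second, Exercise 3 gives Administrators only Modify on C:\Data\Managers while Managers get Full Control, so an administrator who wants to change permissions there must first take ownership. Exercise 4 tests the result by logging on as each user; the same check from an administrator session is to read the DACL back with Get-Acl and confirm the IdentityReference and FileSystemRights columns match the table.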

Exercise 4 Testing NTFS Permissions

In this exercise you log on using various user accounts and test NTFS permissions.

To test permissions for the Reports folder while logged on as User81

  1. Log on as User81, then start Windows Explorer.
  2. In Windows Explorer, expand the C:\Data\Managers\Reports directory.
  3. Attempt to create a file in the Reports folder.

    Were you successful? Why or why not?

  4. Log off Windows 2000.

To test permissions for the Reports folder while logged on as User82

  1. Log on as User82, then start Windows Explorer.
  2. Expand the C:\Data\Managers\Reports directory.
  3. Attempt to create a file in the Reports folder.

    Were you successful? Why or why not?

  4. Log off Windows 2000.

To test permissions for the Sales folder while logged on as Administrator

  1. Log on to your domain as Administrator, then start Windows Explorer.
  2. Expand the C:\Data\Sales directory.
  3. Attempt to create a file in the Sales folder.

    Were you successful? Why or why not?

  4. Close Windows Explorer, and then log off Windows 2000.

To test permissions for the Sales folder while logged on as User81

  1. Log on as User81, then start Windows Explorer.
  2. Expand the C:\Data\Sales directory.
  3. Attempt to create a file in the Sales folder.

    Were you successful? Why or why not?

To test permissions for the Sales folder while logged on as User82

  1. Log on as User82, then start Windows Explorer.
  2. Expand the C:\Data\Sales directory.
  3. Attempt to create a file in the Sales folder.

    Were you successful? Why or why not?

  4. Close all applications, then log off Windows 2000.

Lesson Summary

In this lesson you learned that by default, when you format a volume with NTFS, the Full Control permission is assigned to the Everyone group. You learned that you should change this default permission and assign other appropriate NTFS permissions to control the access that users have to resources. You learned that Administrators, the owners of files or folders, and users with Full Control permission can assign NTFS permissions to users and groups to control access to files and folders. You learned how to assign or modify NTFS permissions for a file or a folder by using the Security tab of the Properties dialog box for the file or folder.

You also learned that by default, subfolders and files inherit permissions that you assign to their parent folder, and you learned how to disable this feature so that subfolders and files do not inherit the permissions assigned to their parents. In the practice exercises, you created some folders, assigned NTFS permissions, and then tested the permissions you set up to determine if you set them up correctly.

Lesson 3: Assigning Special Permissions

The standard NTFS permissions generally provide all of the access control that you need to secure your resources. However, there are instances in which the standard NTFS permissions do not provide the specific level of access that you may want to assign to users. To create a specific level of access, you can assign NTFS special permissions. This lesson introduces the NTFS special permissions. It then outlines the requirements and procedures for taking ownership of a folder or file.

After this lesson, you will be able to

Estimated lesson time: 20 minutes

Special Permissions

Special permissions provide an additional level of access to assign to users. Table 9.8 lists the special permissions that can be assigned to files and folders.

Table 9.8 Special File and Folder Permissions

Special Permission
    Function

Traverse Folder/Execute File
    Traverse Folder allows or denies moving through folders that the user does not have permission to access, to reach files or folders that the user does have permission to access (applies to folders only). Traverse Folder takes effect only when the group or user is not granted the Bypass Traverse Checking user right in group policy. (By default, the Everyone group is given the Bypass Traverse Checking user right.) Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder. Execute File allows or denies running program files (applies to files only).

List Folder/Read Data
    List Folder allows or denies viewing file names and subfolder names within the folder (applies to folders only). Read Data allows or denies viewing data in files (applies to files only).

Read Attributes
    Allows or denies viewing the attributes of a file or folder, such as read-only and hidden. Attributes are defined by NTFS.

Read Extended Attributes
    Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary.

Create Files/Write Data
    Create Files allows or denies creating files within the folder (applies to folders only). Write Data allows or denies making changes to the file and overwriting existing content (applies to files only).

Create Folders/Append Data
    Create Folders allows or denies creating folders within a folder (applies to folders only). Append Data allows or denies making changes to the end of the file but not changing, deleting, or overwriting existing data (applies to files only).

Write Attributes
    Allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS.

Write Extended Attributes
    Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary.

Delete Subfolders and Files
    Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file.

Delete
    Allows or denies deleting the file or folder. If you don't have Delete permission on a file or folder, you can still delete it if you have been granted the Delete Subfolders and Files permission on the parent folder.

Read Permissions
    Allows or denies reading permissions for the file or folder, such as Full Control, Read, and Write.

Change Permissions
    Allows or denies changing permissions for the file or folder, such as Full Control, Read, and Write.

Take Ownership
    Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.

Synchronize
    Allows or denies a thread waiting on the handle for the file or folder so that it can synchronize with another thread that signals it. This permission matters only to multithreaded, multiprocess programs.

Special permissions are set in the Permission Entry For dialog box for the file or folder. To open it, select Advanced on the Security tab of the Properties dialog box for the file or folder, select a permission entry in the Access Control Settings For dialog box, and then click View/Edit.

Each of the standard file and folder permissions consists of a logical group of special permissions. Table 9.9 lists each standard file or folder permission and specifies which special permissions are associated with the standard permission.

Table 9.9 Special Permissions Associated with Standard File and Folder Permissions

Special Permission              Full Control   Modify   Read & Execute   List Folder Contents   Read   Write
Traverse Folder/Execute File    x              x        x                x
List Folder/Read Data           x              x        x                x                      x
Read Attributes                 x              x        x                x                      x
Read Extended Attributes        x              x        x                x                      x
Create Files/Write Data         x              x                                                       x
Create Folders/Append Data      x              x                                                       x
Write Attributes                x              x                                                       x
Write Extended Attributes       x              x                                                       x
Delete Subfolders and Files     x
Delete                          x              x
Read Permissions                x              x        x                x                      x      x
Change Permissions              x
Take Ownership                  x
Synchronize                     x              x        x                x                      x      x
 

 

Note Although the List Folder Contents and Read & Execute standard permissions appear to have the same special permissions, these special permissions are inherited differently. List Folder Contents is inherited by folders but not files, and it only appears when you view folder permissions. Read & Execute is inherited by both files and folders and is always present when you view file or folder permissions.

When you assign special permissions to folders, you can choose where to apply the permissions down the tree to subfolders and files.

The Change Permissions and Take Ownership special permissions are particularly useful for controlling access to resources.

Change Permissions

Using the Change Permissions special permission, you can give other administrators and users the ability to change permissions for a file or folder without giving them the Full Control permission over the file or folder. The administrator or user then cannot directly delete or write to the file or folder, but can assign permissions to it. Keep in mind that this is not a security boundary: anyone who can change the permissions can grant himself or herself Full Control, so when you assess who can ultimately gain access to a resource, treat Change Permissions as equivalent to Full Control. Its value is administrative: the permission change is an explicit, visible step rather than a silent write.

To give administrators the ability to change permissions, assign Change Permissions to the Administrators group for the file or folder.

Take Ownership

Using the Take Ownership special permission, you can give users or groups the ability to take ownership of files or folders. As an administrator, you can take ownership of a file or folder.

The following rules apply for taking ownership of a file or folder:

Important You cannot assign anyone ownership of a file or folder. The owner of a file, an administrator, or anyone with Full Control permission can assign Take Ownership permission to a user account or group, allowing that user to take ownership. To become the owner of a file or folder, a user or group member with Take Ownership permission must explicitly take ownership of the file or folder, as explained later in this chapter.

Setting Special Permissions

You can assign the Change Permissions or Take Ownership special permissions to enable users to change permissions and take ownership of files and folders.

To set Change Permissions or Take Ownership permissions

  1. Locate the file or folder for which you want to apply special permissions. Right-click the file or folder, click Properties, then click the Security tab.
  2. Click Advanced.
  3. In the Access Control Settings For dialog box (see Figure 9.5) for a file or folder, in the Permissions tab, select the user account or group for which you want to apply special permissions.



    Figure 9.5 Access Control Settings For dialog box for the Program Files folder

    On the Access Control Settings For dialog box, you can view the permissions that are applied to the file or folder, the owner, and where the permissions apply.

    For the Allow Inheritable Permissions From Parent To Propagate To This Object check box: when it is selected (the default), the file or folder inherits the permissions of its parent folder, and the inherited entries cannot be edited on the child object. When you clear it, Windows 2000 asks whether to Copy the inherited permissions as explicit permissions on this object or to Remove them.

    For the Reset Permissions On All Child Objects And Enable Propagation Of Inheritable Permissions check box: select it to replace the permissions on all subfolders and files with the inheritable permissions of this folder. Any explicit permissions that were set on the child objects are removed.

  4. Click View/Edit to open the Permission Entry For dialog box for the file or folder (see Figure 9.6).


    Figure 9.6 Permission Entry For dialog box for the Program Files folder

The options in the Permission Entry For dialog box are described in Table 9.10.

Table 9.10 Options in the Permission Entry For Dialog Box

Name
    The user account or group name. To select a different user account or group, click Change.

Apply Onto
    The level of the folder hierarchy at which the special NTFS permissions are inherited. The default is This folder, subfolders, and files.

Permissions
    The special permissions. To allow the Change Permissions permission or Take Ownership permission, select the Allow check box.

Apply These Permissions To Objects And/Or Containers Within This Container Only
    Specify how far down the tree the special permissions propagate. Select this check box to limit the entry to the objects directly within this folder: the subfolders and files one level down inherit it, but those subfolders do not pass it on to their own contents. Clear the check box (the default) to let the entry propagate through every level that Apply Onto includes. To prevent inheritance altogether, choose This Folder Only in Apply Onto.

Clear All
    Click this button to clear all selected permissions.
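The options in Table 9.10 correspond one-to-one to the inheritance and propagation flags of an access control entry, which is how the same special permissions are set from a script. The following is an added example, not code from the training kit; it is written in Windows PowerShell and therefore needs a later Windows version than Windows 2000 (the NTFS permission model it relies on is unchanged). The folder C:\Shared is an assumption for the demonstration.

```powershell
# Added example (not part of the training kit): build a special-permission
# entry from the choices in the Permission Entry For dialog box. "Apply Onto"
# maps to the entry's inheritance flags and "...within this container only"
# maps to the NoPropagateInherit propagation flag. The folder used at the
# bottom is an assumption.

function New-SpecialPermissionRule {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [ValidateSet('This folder only', 'This folder, subfolders and files',
                     'This folder and subfolders', 'This folder and files',
                     'Subfolders and files only', 'Subfolders only', 'Files only')]
        [string]$ApplyOnto = 'This folder, subfolders and files',
        [switch]$ThisContainerOnly,     # the check box below "Apply Onto" in the dialog box
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    $IF = [System.Security.AccessControl.InheritanceFlags]
    $PF = [System.Security.AccessControl.PropagationFlags]

    # Which kinds of child object receive the entry.
    $inherit = switch -Wildcard ($ApplyOnto) {
        'This folder only'       { $IF::None; break }
        '*subfolders and files*' { $IF::ContainerInherit -bor $IF::ObjectInherit; break }
        '*subfolders*'           { $IF::ContainerInherit; break }
        '*files*'                { $IF::ObjectInherit; break }
    }
    # The "... only" choices do not apply to the folder itself (inherit-only entry).
    $propagate = $PF::None
    if ($ApplyOnto -like '* only' -and $ApplyOnto -ne 'This folder only') {
        $propagate = $propagate -bor $PF::InheritOnly
    }
    # The check box stops the entry one level down: children get it but do not pass it on.
    if ($ThisContainerOnly) { $propagate = $propagate -bor $PF::NoPropagateInherit }

    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, $propagate, $Type)
}

# Grant Administrators the Change Permissions special permission on an assumed
# folder, applied to the folder, its subfolders and files, without Full Control.
$Folder = 'C:\Shared'
$acl  = Get-Acl -Path $Folder
$rule = New-SpecialPermissionRule -Identity 'BUILTIN\Administrators' -Rights ChangePermissions -ThisContainerOnly
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Read it back. The entry shows ChangePermissions with inheritance
# "ContainerInherit, ObjectInherit" and propagation "NoPropagateInherit".
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and -not $_.IsInherited } |
    Format-List IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```

Choosing This Folder Only yields an entry with no inheritance flags, the same result as leaving every "subfolders" and "files" choice out of Apply Onto in the dialog box; the NoPropagateInherit flag is exactly what the check box described in Table 9.10 sets, which is why a folder two levels down does not receive the entry.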
 

 

Taking Ownership of a File or Folder

To take ownership of a file or folder, the user or a group member with Take Ownership permission must explicitly take ownership of the file or folder.

To take ownership of a file or folder

  1. In the Access Control Settings For dialog box for the file or folder, in the Owner tab, in the Change Owner To list, select your name.
  2. Select the Replace Owner On Subcontainers And Objects check box to take ownership of all objects and subcontainers within the folder.
  3. Click OK.

Practice: Taking Ownership of a File

In this practice you observe the effects of taking ownership of a file. To do this, you determine permissions for a file, assign the Take Ownership permission to a user account, and then take ownership as that user.

To determine the permissions for a file

  1. Log on to your domain as Administrator, then start Windows Explorer.
  2. In the C:\Data directory (where C:\ is the name of your system drive), create a text file named OWNER.TXT.
  3. Right-click OWNER.TXT, then click Properties.

    Microsoft Windows 2000 displays the OWNER.TXT Properties dialog box with the General tab active.

  4. Click the Security tab to display the permissions for the OWNER.TXT file.

    What are the current allowed permissions for OWNER.TXT?

  5. Click Advanced.

    Windows 2000 displays the Access Control Settings For OWNER.TXT dialog box with the Permissions tab active.

  6. Click the Owner tab.

    Who is the current owner of the OWNER.TXT file?

To assign permission to a user to take ownership

  1. In the Access Control Settings For OWNER.TXT dialog box, click the Permissions tab.
  2. Click Add.

    Windows 2000 displays the Select User, Computer, Or Group dialog box.

  3. In the Look In list at the top of the dialog box, select your domain.
  4. Under Name, click User83, then click OK.

    Windows 2000 displays the Permission Entry For OWNER.TXT dialog box.

    Notice that all of the permission entries for User83 are blank.

  5. Under Permissions, select the Allow check box next to Take Ownership.
  6. Click OK.

    Windows 2000 displays the Access Control Settings For OWNER.TXT dialog box with the Permissions tab active.

  7. Click OK to return to the OWNER.TXT Properties dialog box.
  8. Click OK to apply your changes and close the OWNER.TXT Properties dialog box.
  9. Close all applications, then log off Windows 2000.

To take ownership of a file

  1. Log on to your domain as User83, then start Windows Explorer.
  2. Expand the C:\Data directory.
  3. Right-click OWNER.TXT, then click Properties.

    Windows 2000 displays the OWNER.TXT Properties dialog box with the General tab active.

  4. Click the Security tab to display the permissions for OWNER.TXT.

    Windows 2000 displays the Security message box, indicating that you can only view the current permission information on OWNER.TXT.

  5. Click OK.

    Windows 2000 displays the OWNER.TXT Properties dialog box with the Security tab active.

  6. Click Advanced to display the Access Control Settings For OWNER.TXT dialog box, then click the Owner tab.

    Who is the current owner of OWNER.TXT?

  7. Under Name, select User83, then click Apply.

    Who is the current owner of OWNER.TXT?

  8. Click OK to close the Access Control Settings For OWNER.TXT dialog box.

    Windows 2000 displays the OWNER.TXT Properties dialog box with the Security tab active.

  9. Click OK to close the OWNER.TXT Properties dialog box.

To test permissions for a file as the owner

  1. While you are logged on as User83, assign User83 the Full Control permission for the OWNER.TXT file, then click Apply.
  2. Clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box.
  3. In the Security dialog box, click Remove to remove permissions from the Users group and the Administrators group for the OWNER.TXT file.

    Were you successful? Why or why not?

  4. Click OK to close the OWNER.TXT Properties dialog box.
  5. Delete the OWNER.TXT file.
  6. Close all applications.
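The practice above as a script, provided as an added example that is not part of the training kit. It is written in Windows PowerShell for a later Windows version; the dialog box steps above are its Windows 2000 equivalent. The first part runs as Administrator and grants User83 only the Take Ownership special permission; the second part runs as User83. The domain name CONTOSO, the user name and the path are assumptions.

```powershell
# Added example (not part of the training kit): assign Take Ownership to one
# user, then take ownership as that user and use ownership to rewrite the
# access list. Domain, user and path are assumptions.

$Path = 'C:\Data\OWNER.TXT'
$User = 'CONTOSO\User83'      # assumed domain account

# --- Part 1: run as Administrator -------------------------------------------
Set-Content -Path $Path -Value 'owner test'
$acl = Get-Acl -Path $Path
"Owner before: $($acl.Owner)"                         # typically BUILTIN\Administrators
# Only WRITE_OWNER (Take Ownership): no Read, Write or Delete for User83.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $User, 'TakeOwnership', 'Allow')))
Set-Acl -Path $Path -AclObject $acl

# --- Part 2: run as User83 ---------------------------------------------------
# Taking ownership: with Take Ownership permission you may set the owner to
# yourself. Setting it to anyone else needs a privilege (Restore), which is why
# the book says ownership cannot be assigned, only taken.
$acl = Get-Acl -Path $Path
$acl.SetOwner([System.Security.Principal.NTAccount]$User)
Set-Acl -Path $Path -AclObject $acl                   # writes only the owner
"Owner after: $((Get-Acl -Path $Path).Owner)"        # CONTOSO\User83

# As owner, User83 can change permissions whatever the access list says:
# grant self Full Control, stop inheriting from C:\Data (keeping copies), and
# then drop every entry that is not User83's.
$acl = Get-Acl -Path $Path
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $User, 'FullControl', 'Allow')))
$acl.SetAccessRuleProtection($true, $true)            # clear "Allow inheritable permissions...", Copy
Set-Acl -Path $Path -AclObject $acl

$acl = Get-Acl -Path $Path
foreach ($ace in @($acl.Access | Where-Object { $_.IdentityReference.Value -ne $User })) {
    $null = $acl.RemoveAccessRule($ace)               # Users and Administrators entries go here
}
Set-Acl -Path $Path -AclObject $acl

(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

The owner change is written as its own Set-Acl call on purpose: at that moment User83 holds only the Take Ownership permission, which is enough to set the owner to yourself but not to write the access list, so combining the owner change with the later permission changes into one call would be refused. On later Windows versions the built-in takeown.exe /F OWNER.TXT performs the same step as SetOwner.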

Lesson Summary

In this lesson you learned about special permissions. You learned specifically about two of them: Change Permissions and Take Ownership. You can give administrators and other users the ability to change permissions for a file or folder without giving them the Full Control permission over the file or folder. This prevents the administrator or user from directly deleting or writing to the file or folder, but it allows them to assign permissions to the file or folder, including to themselves.

You also learned how to use the Take Ownership special permission to give users or groups the ability to take ownership of files or folders. The current owner or any user with Full Control permission can assign the Full Control standard permission or the Take Ownership special permission to another user account or group, allowing the user account or a member of the group to take ownership. You cannot assign anyone ownership of a file or folder. To become the owner of a file or folder, a user or group member with Take Ownership permission must explicitly take ownership of the file or folder.

An administrator can take ownership of a folder or file, regardless of assigned permissions. When an administrator takes ownership of a file or folder, the Administrators group becomes the owner and any member of the Administrators group can change the permissions for the file or folder and assign the Take Ownership permission to another user account or group.

In the practice portion of this lesson you determined the permissions for a file, assigned the Take Ownership permission to a user account, and then took ownership as that user.

Lesson 4: Copying and Moving Files and Folders

When you copy or move files and folders, the permissions you set on the files or folders might change. There are rules that control how and when permissions change. It is important that you understand how and when permissions change during a copy or move. This lesson explains what happens to permissions when a folder or file is copied or moved.

After this lesson, you will be able to

Estimated lesson time: 15 minutes

Copying Files and Folders

When you copy files or folders from one folder to another folder, or from one volume to another volume, permissions change, as shown in Figure 9.7.



Figure 9.7 Copying files or folders between folders or volumes

When you copy a file within a single NTFS volume or between NTFS volumes, Windows 2000 treats the copy as a new file: it inherits the permissions of the destination folder, and the permissions of the original are not carried over. You must have Write permission for the destination folder to copy files and folders there, and you become the Creator Owner of the copy.

Note When you copy files or folders to non-NTFS volumes, the folders and files lose their NTFS permissions because FAT volumes do not support NTFS permissions.

Moving Files and Folders

When you move a file or folder, permissions might or might not change, depending on where you move the file or folder (see Figure 9.8).



Figure 9.8 Moving files or folders between folders or volumes

Moving Within a Single NTFS Volume

When you move a file or folder within a single NTFS volume, the file or folder retains its original permissions; only its location changes.

Moving Between NTFS Volumes

When you move a file or folder between NTFS volumes, Windows 2000 copies the file or folder to the destination and then deletes the original, so the result is a new object: it inherits the permissions of the destination folder.

Note When you move files or folders to FAT volumes, the folders and files lose their NTFS permissions because FAT volumes do not support NTFS permissions.

Practice: Copying and Moving Folders

In this practice you see the effects of permissions and ownership when you copy and move folders.

To create a folder while logged on as a user

  1. While you are logged on as User83, in Windows Explorer, in C:\, create a folder named Temp1.

    What are the permissions that are assigned to the folder?

    Who is the owner? Why?

  2. Close all applications, then log off Windows 2000.

To create a folder while logged on as Administrator

  1. Log on to your domain as Administrator, then start Windows Explorer.
  2. In C:\ (where C:\ is the name of your system drive), create the following two folders: Temp2 and Temp3.

    What are the permissions for the folders that you just created?

    Who is the owner of the Temp2 and Temp3 folders? Why?

  3. Remove the Everyone group, then assign the permissions shown in Table 9.11 to the Temp2 and Temp3 folders. You will have to clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box. To assign permissions for a group, click Add, select the group(s) from the Select Users, Computers, Or Groups dialog box, click Add, then click OK. Set the appropriate permissions for the group(s) on the Properties dialog box.

Table 9.11 Folder Permissions for Practice

Folder      Assign These Permissions
C:\Temp2    Administrators: Full Control
            Users: Read & Execute
C:\Temp3    Backup Operators: Read & Execute
            Users: Full Control
 

 

To copy a folder to another folder within a Windows 2000 NTFS volume

  1. Copy C:\Temp2 to C:\Temp1.
  2. Select C:\Temp1\Temp2, then compare the permissions and ownership with C:\Temp2.

    Who is the owner of C:\Temp1\Temp2 and what are the permissions? Why?

  3. Close all applications, then log off Windows 2000.

To move a folder within the same NTFS volume

  1. Log on to your domain as User83.
  2. Select C:\Temp3, then move it to C:\Temp1.

    What happens to the permissions and ownership for C:\Temp1\Temp3? Why?

  3. Close all applications, then log off Windows 2000.
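The copy-and-move practice as a script, provided as an added example that is not part of the training kit; it is Windows PowerShell on a later Windows version, run as an administrator on a single NTFS volume. The groups are the built-in ones named in Table 9.11 and the folder names are the ones used above.

```powershell
# Added example (not part of the training kit): set the permissions of
# Table 9.11, copy Temp2 and move Temp3 into Temp1, then list owner and
# access entries so the difference between copy and move is visible.

function Show-Security($Path) {
    $acl = Get-Acl -Path $Path
    "`n$Path  (owner: $($acl.Owner))"
    foreach ($ace in $acl.Access) {
        '  {0,-30} {1,-35} {2,-5} inherited={3}' -f $ace.IdentityReference,
            $ace.FileSystemRights, $ace.AccessControlType, $ace.IsInherited
    }
}

function Set-PracticeAcl($Path, [hashtable]$Grants) {
    $acl = Get-Acl -Path $Path
    # Clear "Allow inheritable permissions from parent...", removing the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($identity in $Grants.Keys) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, $Grants[$identity], 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

$null = New-Item -ItemType Directory -Path 'C:\Temp1', 'C:\Temp2', 'C:\Temp3' -Force
Set-PracticeAcl 'C:\Temp2' @{ 'BUILTIN\Administrators'   = 'FullControl';    'BUILTIN\Users' = 'ReadAndExecute' }
Set-PracticeAcl 'C:\Temp3' @{ 'BUILTIN\Backup Operators' = 'ReadAndExecute'; 'BUILTIN\Users' = 'FullControl' }

Copy-Item -Path 'C:\Temp2' -Destination 'C:\Temp1' -Recurse   # copy: a new object, inherits from C:\Temp1
Move-Item -Path 'C:\Temp3' -Destination 'C:\Temp1'            # move within a volume: the access list travels

'C:\Temp2', 'C:\Temp1\Temp2', 'C:\Temp1\Temp3' | ForEach-Object { Show-Security $_ }
```

In the listing, every entry on C:\Temp1\Temp2 is marked inherited=True and came from C:\Temp1, and its owner is the account that made the copy (or the Administrators group, depending on the default-owner policy), while C:\Temp1\Temp3 still shows the two explicit entries that were set on C:\Temp3 with inherited=False and keeps its original owner. A move across volumes is performed as a copy followed by a delete, so it behaves like the copy case.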

Lesson Summary

In this lesson you learned that when you copy or move files and folders, the permissions you set on the files or folders might change. You also learned that there are rules that control how and when permissions change. For example, when you copy files or folders from one folder to another folder, or from one volume to another volume, permissions change. Windows 2000 treats the file or folder as a new file or folder, and therefore it takes on the permissions of the destination folder. You must have Write permission for the destination folder to copy files and folders. When you copy a file, you become the Creator Owner of the file. When you move a file or folder within a single NTFS volume, the file or folder retains the original permissions. However, when you move a file or folder between NTFS volumes, the file or folder inherits the permissions of the destination folder.

In the practice portion of this lesson you observed the effects of permissions and ownership when you copy and move folders.

Lesson 5: Troubleshooting Permissions Problems

When you assign or modify NTFS permissions to files and folders, problems might arise. Troubleshooting these problems is important to keep resources available to users. This lesson describes common permission-related problems and their solutions.

After this lesson, you will be able to

Estimated lesson time: 5 minutes

Troubleshooting Permissions Problems

Table 9.12 describes some common permissions problems that you might encounter and provides solutions that you can try to resolve these problems.

Table 9.12 Permissions Problems and Solutions

A user cannot gain access to a file or folder.
    Solution: If the file or folder was copied, or if it was moved to another NTFS volume, the permissions might have changed. Check the permissions that are assigned to the user account and to the groups of which the user is a member. The user might not have permission or might be denied access either individually or as a member of a group; a Deny entry on any of the user's groups overrides an Allow entry elsewhere.

You add a user account to a group to give that user access to a file or folder, but the user still cannot gain access.
    Solution: Group membership is recorded in the user's access token when the user logs on, or when a network session to the server is established, and the access check uses that token. For the new group to count, the user must either log off and then log on again, or close all network connections to the computer on which the file or folder resides and then make new connections.

A user with Full Control permission to a folder deletes a file in the folder although that user does not have permission to delete the file itself. You want to stop the user from being able to delete more files.
    Solution: Clear the special permission Delete Subfolders And Files check box on the folder to prevent users with Full Control of the folder from being able to delete files in the folder.
 

 

Note Windows 2000 supports Portable Operating System Interface for UNIX (POSIX) applications that are designed to run on UNIX. On UNIX systems, write permission on a directory allows you to delete the files in that directory regardless of the permissions on the files themselves. To match this, the Windows 2000 Full Control permission on a folder includes the Delete Subfolders and Files special permission, which allows you to delete files in that folder regardless of the permissions you have for the files themselves.
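Checking the first two problems in Table 9.12 by hand means reading the access entries in order against the groups in the user's access token. The following added example (not part of the training kit; Windows PowerShell on a later Windows version) does that for the account running it and reports the result as the special permissions of Table 9.9. It is a simplified version of the system's access check: it uses the SIDs of the current token, which is why a group the user was added to after logging on does not count, and it does not model the owner's implicit rights, privileges such as Backup and Restore, or the deny-only groups of a filtered token. The path C:\Data is an assumption.

```powershell
# Added example (not part of the training kit): simplified effective-access
# check for the current logon session, with the result decomposed into the
# special permissions of Table 9.9. Path at the bottom is an assumption.

$SpecialRights = [ordered]@{
    0x1      = 'List Folder / Read Data'
    0x2      = 'Create Files / Write Data'
    0x4      = 'Create Folders / Append Data'
    0x8      = 'Read Extended Attributes'
    0x10     = 'Write Extended Attributes'
    0x20     = 'Traverse Folder / Execute File'
    0x40     = 'Delete Subfolders and Files'
    0x80     = 'Read Attributes'
    0x100    = 'Write Attributes'
    0x10000  = 'Delete'
    0x20000  = 'Read Permissions'
    0x40000  = 'Change Permissions'
    0x80000  = 'Take Ownership'
    0x100000 = 'Synchronize'
}
# Standard permissions as the Security tab defines them. List Folder Contents
# has the same mask as Read & Execute; the two differ only in inheritance.
$StandardPermissions = [ordered]@{
    'Full Control' = 0x1F01FF; 'Modify' = 0x1301BF; 'Read & Execute' = 0x1200A9
    'Read'         = 0x120089; 'Write'  = 0x120116
}

# Generic rights (the top four bits) appear on some inherited entries and are
# expanded to file rights before the check. Decimal literals are used because
# PowerShell reads a hex literal with the top bit set as a negative Int32.
function Convert-ToSpecificRights([long]$Mask) {
    $Mask     = $Mask -band 4294967295                   # keep the low 32 bits
    $specific = $Mask -band 0x1F01FF
    if ($Mask -band 2147483648) { $specific = $specific -bor 0x120089 }  # GENERIC_READ    0x80000000
    if ($Mask -band 1073741824) { $specific = $specific -bor 0x120116 }  # GENERIC_WRITE   0x40000000
    if ($Mask -band 536870912)  { $specific = $specific -bor 0x1200A0 }  # GENERIC_EXECUTE 0x20000000
    if ($Mask -band 268435456)  { $specific = $specific -bor 0x1F01FF }  # GENERIC_ALL     0x10000000
    [int]$specific
}

# Problem 2 check: the groups the access check will actually see. A group the
# user was added to after logon is missing until the user logs off and on again.
function Get-TokenGroups {
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object {
        $sid = $_
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    }
}

function Get-EffectiveRights {
    param([Parameter(Mandatory)][string]$Path)
    $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids  = @($token.User.Value) + @($token.Groups | ForEach-Object { $_.Value })

    $allowed = 0; $denied = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Inherit-only entries exist to be inherited; they do not protect this object.
        if ([int]($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sids -notcontains $sid) { continue }
        $mask = Convert-ToSpecificRights ([long][int]$ace.FileSystemRights)
        # Walk in list order: Deny blocks what is not yet granted, Allow grants what is not yet denied.
        if ($ace.AccessControlType -eq 'Deny') { $denied  = $denied  -bor ($mask -band -bnot $allowed) }
        else                                   { $allowed = $allowed -bor ($mask -band -bnot $denied) }
    }
    $effective = $allowed -band -bnot $denied
    $standard  = foreach ($name in $StandardPermissions.Keys) {
        if ($effective -eq $StandardPermissions[$name]) { $name }
    }
    [pscustomobject]@{
        Path     = $Path
        Mask     = '0x{0:X}' -f $effective
        Standard = if ($standard) { $standard -join ', ' } else { 'Special' }
        Special  = @(foreach ($bit in $SpecialRights.Keys) { if ($effective -band $bit) { $SpecialRights[$bit] } })
    }
}

Get-TokenGroups
Get-EffectiveRights -Path 'C:\Data'
```

Because Get-EffectiveRights accumulates rights entry by entry, a Deny entry that sits before an Allow entry removes those rights for good, which is the ordering the system enforces and the reason a Deny on any group in the token wins over an Allow on the user account.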

Avoiding Permissions Problems

The following list provides best practices for implementing NTFS permissions. These guidelines will help you avoid permission problems.

Practice: Deleting a File with All Permissions Denied

In this exercise you simulate the third problem described in Table 9.12. You grant a user Full Control permission to a folder, but deny all permissions to a file in the folder. You then observe what happens when the user attempts to delete that file.

To assign the Full Control permission for a folder

  1. Log on to your domain as Administrator, then start Windows Explorer.
  2. Expand C:\ (where C:\ is the name of your system drive), then create a folder named Fullaccess.
  3. Verify that the Everyone group has the Full Control permission for the C:\Fullaccess folder.

To create a file and deny access to it

  1. In C:\Fullaccess, create a text file named NOACCESS.TXT.
  2. Clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box. Deny the Everyone group the Full Control permission for the NOACCESS.TXT, then click OK.

    Windows 2000 displays the Security dialog box with the following message:

    You have denied everyone access to noaccess.txt. No one will be able
    to access noaccess.txt and only the owner will be able to change
    permissions.
    Do you wish to continue?

  3. Click Yes to apply your changes and close the Security dialog box.

To view the result of denying the Full Control permission for a file

  1. In Windows Explorer, double-click NOACCESS.TXT in C:\Fullaccess to open the file.

    Were you successful? Why or why not?

  2. Click Start, point to Programs, point to Accessories, then click Command Prompt.
  3. Type cd \fullaccess to change the directory to C:\Fullaccess.
  4. Delete NOACCESS.TXT by typing del noaccess.txt.

    Were you successful? Why or why not?

    How would you prevent users with Full Control permission for a folder from deleting a file in that folder for which they have been denied the Full Control permission?
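The fix for the third problem in Table 9.12, scripted, as an added example that is not part of the training kit (Windows PowerShell on a later Windows version, run as an administrator). The folder and the Everyone entry are the ones from the practice above and are assumptions here; the script first reports which entries on a folder carry Delete Subfolders and Files, then rewrites an identity's Allow entries without that one right.

```powershell
# Added example (not part of the training kit): audit and remove the Delete
# Subfolders and Files special permission on a folder. If the entry is
# inherited, as Everyone's is on C:\Fullaccess in the practice, inheritance is
# turned off first with copies kept (the "Copy" choice in the Security dialog
# box). Entries written with generic rights instead of specific file rights are
# not handled. Path and identity are assumptions.

$FSR = [System.Security.AccessControl.FileSystemRights]

function Get-DeleteChildGrants {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        [int]($_.FileSystemRights -band $FSR::DeleteSubdirectoriesAndFiles) -ne 0
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Remove-DeleteChildRight {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Identity)

    $acl  = Get-Acl -Path $Path
    $mine = { $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow' }

    if ($acl.Access | Where-Object $mine | Where-Object IsInherited) {
        # Inherited entries cannot be edited on the child: stop inheriting, keep explicit copies.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $Path -AclObject $acl
        $acl = Get-Acl -Path $Path
    }

    foreach ($ace in @($acl.Access | Where-Object $mine)) {
        $null   = $acl.RemoveAccessRule($ace)
        $rights = [int]$ace.FileSystemRights -band -bnot [int]$FSR::DeleteSubdirectoriesAndFiles
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ace.IdentityReference, [System.Security.AccessControl.FileSystemRights]$rights,
            $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

Get-DeleteChildGrants -Path 'C:\Fullaccess'                     # Everyone, FullControl, inherited
Remove-DeleteChildRight -Path 'C:\Fullaccess' -Identity 'Everyone'
Get-DeleteChildGrants -Path 'C:\Fullaccess'                     # nothing left
```

After the change, the Everyone entry is listed as Modify, ChangePermissions, TakeOwnership, which the Security tab shows as Special: users can still do everything Full Control allowed except delete files on which they have no Delete permission, so NOACCESS.TXT can no longer be removed with del.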

Lesson Summary

When you assign or modify NTFS permissions for files and folders, problems might arise. Troubleshooting these problems is important to keep resources available to users. In this lesson you learned about some common permissions problems and some possible solutions to resolve these problems.

In the practice portion of this lesson you observed how users can delete a file with all permissions denied.

Review

Here are some questions to help you determine if you have learned enough to move on to the next chapter. If you have difficulty answering these questions, please go back and review the material in this chapter before beginning the next chapter. The answers for these questions are located in Appendix A, "Questions and Answers."

  1. What is the default permission when a volume is formatted with NTFS? Who has access to the volume?
  2. If a user has Write permission for a folder and is also a member of a group with Read permission for the folder, what are the user's effective permissions for the folder?
  3. If you assign the Modify permission to a user account for a folder and the Read permission for a file, and then copy the file to that folder, what permission does the user have for the file?
  4. What happens to permissions that are assigned to a file when the file is moved from one folder to another folder on the same NTFS volume? What happens when the file is moved to a folder on another NTFS volume?
  5. If an employee leaves the company, what must you do to transfer ownership of his or her files and folders to another employee?
  6. What three things should you check when a user cannot gain access to a resource?