Microsoft Certified Professional Developer/Exam 70-290: Managing and Maintaining a Microsoft Windows Server 2003 Environment/Configure File System Permissions

From Wikibooks, open books for an open world
Jump to navigation Jump to search

NTFS Permissions[edit | edit source]

NTFS Permissios are used to control who has access to files and folders, and what they can do with them.

  • They can only be used on NTFS volumes (not FAT or FAT32)
  • They apply whether the files and folders are accessed locally or over a network
    • Note: Share permissions only apply to network access and cannot be used to control local access

Standard NTFS Folder Permissions[edit | edit source]

Permission Allows the following...
List Folder Contents See the names of subfolders and files within the folder
Read View files and subfolders within the folder, view attributes (e.g. Hidden, Read Only) and view permissions
Read & Execute Grants the same permissions as Read and List Folder Contents, and also allows you to move through folders to reach other files, even if you do not have permission for those folders
Write Create new subfolders and files within the folder, change attributes and view folder ownership and permissions

Does not grant any Read permissions!

Modify Grants the same permissions as Read & Execute and Write, and also allows you to delete the folder
Full Control Grants the same permissions as Modify, but also allows you to delete or take ownership of the folder, subfolders and files

Standard NTFS File Permissions[edit | edit source]

Permission Allows the following...
Read Read the contents of the file, view attributes (e.g. Hidden or Read Only) and view permissions
Read & Execute As for Read, but also allows you to run applications
Write Overwrite the file, change attributes, view file ownership and permissions
Modify As for Read and Write, but also allows you to delete the file
Full Control As for Modify, but also allows you to change permissions and take ownership

Special NTFS Permissions[edit | edit source]

Comparison of NTFS Permissions[edit | edit source]

Permissions Inheritance[edit | edit source]

By default, permissions for subfolders and files are inherited from the parent folder. You can prevent files and folders from inheriting permissions:

  • Right-click a file or folder
  • Choose Properties
  • Go to the Security tab and click the Advanced button
    • This will open the Advanced Security Settings dialog box
  • Untick the "Inherit from parent..." checkbox at the bottom
    • At this point you can either copy the permissions from the parent folder (in order to modify them), or clear all permissions from the selected file or folder (in order to set new permissions from scratch)

Effective Permissions[edit | edit source]

Generally, when a user is a member of more than one group which has permissions set on a file or folder, their effective permissions on that object are the sum of the permissions assigned to them. However, there are a few additional rules to take into account:

  • Deny permissions override Allow permissions
  • File permissions override Folder permissions
  • Explicit permissions override Inherited permissions

The order of precedence for permissions is:

  1. Explicit Deny overrides
  2. Explicit Allow overrides
  3. Inherited Deny overrides
  4. Inherited Allow