Section 9.2: NTFS Permissions

9.2.1: NTFS Folder Permissions

You can control the access that users have to folders, and to the files and subfolders that are contained within the folder, by assigning folder permissions to the users and user groups.

Note: You require the NTFS file system to use NTFS File and Folder permissions.

There are six standard permissions that you can assign to users and user groups. Each of them can be granted with an Allow entry or blocked with a Deny entry:

• Read Allows the user to see files and subfolders in the folder and view folder ownership, permissions, and attributes.

• Write Allows the user to create new files and subfolders within the folder, change folder attributes, and view folder ownership and permissions.

• List Folder Contents Allows the user to see the names of files and subfolders in the folder.

• Read & Execute Allows the user to browse through folders to reach other files and folders, even if the users do not have permission for those folders. It also allows the user to perform actions permitted by the Read permission and the List Folder Contents permission.

• Modify Allows the user to delete the folder and perform actions permitted by the Write permission and the Read & Execute permission.

• Full Control Allows the user to change permissions, take ownership, and delete subfolders and files. It also allows the user to perform actions permitted by all other NTFS folder permissions.

• Deny Not a seventh permission but an entry type. A Deny entry for any of the permissions above removes that permission from the user or group, whatever other entries grant it; a Deny Full Control entry denies all access to the folder.

Note: Administrators, owners of files or folders, and users with Full Control permissions can assign NTFS permissions to other users and groups.

9.2.2: NTFS File Permissions

You can control the access that users have to files by assigning file permissions to the users and user groups. The NTFS file permissions that you can assign are:

• Read Allows the user to read the file, and view file attributes, ownership, and permissions.

• Write Allows the user to overwrite the file, change file attributes, and view file ownership and permissions.

• Read & Execute Allows the user to run applications. Also allows the user to perform the actions permitted by the Read permission.

• Modify Allows the user to modify and delete the file. It also allows the user to perform the actions permitted by the Write permission and the Read & Execute permission.

• Full Control Allows the user to change permissions and take ownership of the file. It also allows the user to perform the actions permitted by all the other NTFS file permissions.

Note: NTFS file permissions take priority over NTFS folder permissions. A user who has permission on a file can open it even without permission on the folder that contains it, provided the user supplies the full local path or universal naming convention (UNC) path to the file, for example in an application's Open dialog box. The folder itself remains invisible to that user, so the user cannot browse to the file. This works because the Bypass Traverse Checking user right (the SeChangeNotifyPrivilege), which is granted to Everyone by default, exempts the user from needing Traverse Folder permission on each folder along the path; if that right is removed for the user, opening the file by its full path fails as well.
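
The following is an added example, not part of the original text, showing how the standard folder and file permissions of sections 9.2.1 and 9.2.2 are assigned from PowerShell rather than from the Security tab. The folder path, file name, group CONTOSO\Editors and account CONTOSO\jdoe are assumptions; run it in an elevated PowerShell on a host with an NTFS volume.

```powershell
# Added example (not from the original text): granting standard NTFS permissions
# with Get-Acl / Set-Acl. Paths and principals below are assumptions.

$folder = 'C:\Shares\Projects'           # assumed path
$file   = Join-Path $folder 'plan.docx'  # assumed file
New-Item -ItemType Directory -Path $folder -Force | Out-Null
New-Item -ItemType File -Path $file -Force | Out-Null

# Folder rule: the 'Read & Execute' standard permission for a group, applied to
# this folder, its subfolders (ContainerInherit) and its files (ObjectInherit).
$folderRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CONTOSO\Editors',                                   # assumed group
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $folder
$acl.AddAccessRule($folderRule)
Set-Acl -Path $folder -AclObject $acl

# File rule: 'Modify' on one file only. A file has no children, so the
# three-argument constructor without inheritance flags is used.
$fileRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CONTOSO\jdoe',                                      # assumed account
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $file
$acl.AddAccessRule($fileRule)
Set-Acl -Path $file -AclObject $acl

# Read back. Each standard permission is a bundle of special permissions; the
# bundle is printed under its standard name when the bits match exactly, and
# the folder's Read & Execute entry appears on the file with IsInherited = True.
(Get-Acl -Path $file).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

The two constructor overloads used above both exist on FileSystemAccessRule; the one with inheritance and propagation flags is the one to use on folders, because a rule with no inheritance flags applies to the folder object only and is not propagated to its contents.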

9.2.3: Multiple NTFS Permissions

You can assign multiple permissions to a user account and to each group that the user is a member of. The user can thus be granted multiple permissions on the basis of the user's group membership.

Note: A Deny entry overrides the same permission granted to the user through other groups. This can effectively prevent a particular user from accessing a file or folder without having to remove the user from the group.

9.2.4: Cumulative Permissions

A user's effective permissions for a resource are the sum of the NTFS permissions that you assign to the individual user account and to all of the groups to which the user belongs. In other words, if a user has Read permission for a folder and is a member of a group with Write permission for the same folder, the user has both Read and Write permission for that folder.

9.2.5: The Deny Permission

Denying a permission overrides all instances where that permission is allowed at the same level: even if a user is allowed access as a member of a group, a Deny entry for the user (or for another of the user's groups) blocks that permission. The precise rule is the order in which Windows evaluates the entries on an object: explicit Deny, explicit Allow, inherited Deny, inherited Allow. The one exception to "Deny always wins" follows from this order: an Allow assigned directly on a file or folder is evaluated before a Deny inherited from its parent, so the explicit Allow takes effect.
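
To make the rules of sections 9.2.3 to 9.2.5 concrete, here is an added example, not part of the original text, that models the way Windows walks a discretionary access control list (DACL): entries are visited in canonical order, Allow entries accumulate rights, and a Deny that covers any still-requested right ends the check. The rights, SIDs and entries are made up for the demonstration; the evaluation order is the real one.

```powershell
# Added example (not from the original text): a model of DACL evaluation.
# Rights are a made-up subset of FileSystemRights; SIDs are placeholders.
$R = @{ Read = 1; Write = 2; Execute = 4; Delete = 8 }

# One access control entry: trustee, Allow/Deny, rights mask, and whether the
# entry was inherited from the parent folder.
function New-Ace($Trustee, $Type, [int]$Mask, [bool]$Inherited) {
    [pscustomobject]@{ Trustee = $Trustee; Type = $Type; Mask = $Mask; Inherited = $Inherited }
}

function Sort-Canonical($Dacl) {
    # Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    $Dacl | Sort-Object @{ e = { $_.Inherited } }, @{ e = { $_.Type -eq 'Allow' } }
}

function Test-Access($Token, $Dacl, [int]$Requested) {
    # $Token: the SIDs in the user's access token (own SID plus every group SID).
    $granted = 0
    foreach ($ace in (Sort-Canonical $Dacl)) {
        if ($Token -notcontains $ace.Trustee) { continue }
        $remaining = $Requested -band (-bnot $granted)
        if ($ace.Type -eq 'Deny') {
            # A Deny that touches anything not yet granted fails the whole request.
            if (($ace.Mask -band $remaining) -ne 0) { return $false }
        } else {
            # Allows add up; stop as soon as everything requested is covered.
            $granted = $granted -bor ($ace.Mask -band $Requested)
            if ($granted -eq $Requested) { return $true }
        }
    }
    return ($granted -eq $Requested)
}

# jdoe is a member of Editors and Contractors (placeholder SIDs).
$token = @('S-jdoe', 'S-Editors', 'S-Contractors')

# 9.2.4: Editors may Read, Contractors may Write -> jdoe gets Read and Write.
$folderDacl = @(
    (New-Ace 'S-Editors'     'Allow' $R.Read  $false),
    (New-Ace 'S-Contractors' 'Allow' $R.Write $false)
)
Test-Access $token $folderDacl ($R.Read -bor $R.Write)   # True

# 9.2.5: add an explicit Deny Write for jdoe. It wins over the Contractors
# Allow, but only for the denied right; Read is unaffected.
$deniedDacl = $folderDacl + (New-Ace 'S-jdoe' 'Deny' $R.Write $false)
Test-Access $token $deniedDacl $R.Write                  # False
Test-Access $token $deniedDacl $R.Read                   # True

# The exception: a file that inherited the Deny from its folder but carries an
# explicit Allow for jdoe. The explicit entry is evaluated first, so Write is
# granted before the inherited Deny is ever reached.
$fileDacl = @(
    (New-Ace 'S-jdoe' 'Deny'  $R.Write $true),
    (New-Ace 'S-jdoe' 'Allow' $R.Write $false)
)
Test-Access $token $fileDacl $R.Write                    # True
```

On a real system the same order is visible in the Advanced Security Settings dialog and in icacls output, where entries marked (I) are inherited; the Security tab's short list hides it, which is why a user who "should be denied" can still get in through an explicit Allow on the object.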

9.2.6: NTFS Permissions Inheritance

By default, permissions that are assigned to a parent folder are inherited by and propagated to the subfolders and files that are contained in the parent folder. This is indicated on the Security tab in the Properties dialog box by a check mark in the Allow Inheritable Permissions From Parent To Propagate To This Object check box. You can however prevent permissions inheritance. To prevent a subfolder or file from inheriting permissions from a parent folder, clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box. If you clear this check box, you are prompted to select one of the options that are described in Table 9.1.

Note: The folder for which you prevent permissions inheritance becomes the new parent folder, and permissions that are assigned to this folder will be inherited by the subfolders and files that are contained within it.

Table 9.1: Permission Inheritance Options

Option   Description
Copy     Copy the permissions from the parent folder to the current folder (they become explicit entries on it) and then prevent further permissions inheritance from the parent folder.
Remove   Remove the permissions that are inherited from the parent folder and retain only the permissions that you explicitly assign to the file or folder.
Cancel   Cancel the dialog box and restore the check mark in the Allow Inheritable Permissions From Parent To Propagate To This Object check box.

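
The three choices in Table 9.1 map directly onto one method call on the folder's security descriptor. The script below is an added example, not part of the original text; the folder paths and the use of BUILTIN\Administrators as the surviving explicit entry are assumptions.

```powershell
# Added example (not from the original text): blocking inheritance from
# PowerShell, showing the "Copy" and "Remove" outcomes. Paths are assumptions.

$parent = 'C:\Shares\Projects'           # assumed parent
$child  = Join-Path $parent 'Restricted' # assumed subfolder
New-Item -ItemType Directory -Path $child -Force | Out-Null

function Show-Inheritance($Path) {
    $acl = Get-Acl -Path $Path
    "{0}: inheritance blocked = {1}" -f $Path, $acl.AreAccessRulesProtected
    $acl.Access | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
}

Show-Inheritance $child   # every entry came from the parent: IsInherited = True

# "Copy": block inheritance but keep the inherited entries as explicit copies.
$acl = Get-Acl -Path $child
$acl.SetAccessRuleProtection($true, $true)    # (isProtected, preserveInheritance)
Set-Acl -Path $child -AclObject $acl
Show-Inheritance $child   # same entries, now IsInherited = False

# "Remove": block inheritance and discard the inherited entries. Add at least
# one explicit entry first, otherwise the folder ends up with an empty DACL and
# only the owner (and administrators, by taking ownership) can get back in.
$acl = Get-Acl -Path $child
$admins = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($admins)
$acl.SetAccessRuleProtection($true, $false)
Set-Acl -Path $child -AclObject $acl
Show-Inheritance $child   # only the explicit Administrators entry remains

# "Cancel" leaves the setting as it was. To re-enable inheritance later, clear
# the protection; the parent's entries flow back in on the next Set-Acl.
$acl = Get-Acl -Path $child
$acl.SetAccessRuleProtection($false, $false)
Set-Acl -Path $child -AclObject $acl
Show-Inheritance $child

# Equivalent command-line forms:
#   icacls $child /inheritance:d    (Copy)
#   icacls $child /inheritance:r    (Remove)
#   icacls $child /inheritance:e    (re-enable)
```

Once inheritance is blocked, the subfolder is the new top of its own inheritance chain, so the explicit entries left on it propagate downward to everything it contains.
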
9.2.7: Assigning Special Access Permissions

The standard NTFS permissions generally provide all of the access control that you need to secure your resources. However, sometimes the standard NTFS permissions do not provide the specific level of access that you might want to assign to users. To create a specific level of access, you can assign NTFS special access permissions.

There are fourteen special access permissions. Two of them are particularly useful for controlling access to resources: Change Permissions and Take Ownership.

9.2.7.1: Changing Permissions

You can give other administrators and users the ability to change permissions for a file or folder without giving them the Full Control permission over the file or folder. In this way, the administrator or user cannot delete or write to the file or folder directly but can assign permissions to it. To give administrators the ability to change permissions, assign Change Permissions (together with Read Permissions, so that they can view the current entries) to the Administrators group for the file or folder. For security purposes, treat Change Permissions as equivalent to Full Control: whoever holds it can grant themselves any other permission, including Write and Delete, with a single edit.

9.2.7.2: Taking Ownership

You can transfer ownership of files and folders from one user account or group to another user account or group. You can give someone the ability to take ownership of a file or folder. As an administrator, you can also take ownership of a file or folder.

Certain rules apply to taking ownership of a file or folder. These are:

• The owner of the file or folder, or any user with Full Control permission can assign the Full Control standard permission or the Take Ownership special access permission to another user account or group, allowing the user account or a member of the group to take ownership.

• An administrator can take ownership of a folder or file regardless of the assigned permissions, because members of the Administrators group hold the Take Ownership Of Files Or Other Objects user right. When an administrator takes ownership, the Security tab offers a choice between the administrator's own account and the Administrators group. With the group as owner, any member of the Administrators group can change the permissions for the file or folder and assign the Take Ownership permission to another user account or group.

• For example, if an employee leaves the company, an administrator can take ownership of the employee's files, assign the Take Ownership permission to another employee, and then that employee can take ownership of the former employee's files.

The user or a group member with Take Ownership permission must explicitly take ownership of the file or folder; the permission does not transfer ownership by itself. Ownership is taken rather than given: an owner can make another account the owner only while holding the Restore Files And Directories user right, which administrators have.
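
The scenario in section 9.2.7 (an administrator takes over a departed employee's folder, then hands it to a successor), as an added example that is not part of the original text. The folder path and the accounts CONTOSO\Helpdesk and CONTOSO\newhire are assumptions; adding Read Permissions alongside the two special permissions is a choice made here so the grantees can see the entries they are allowed to edit.

```powershell
# Added example (not from the original text): Change Permissions, Take
# Ownership, and taking ownership, from an elevated PowerShell.
$path = 'C:\Shares\Projects\Archive'    # assumed: folder of a departed user

# 9.2.7.1  Grant only Change Permissions (+ Read Permissions), not Full Control.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CONTOSO\Helpdesk', 'ChangePermissions, ReadPermissions',
    'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 9.2.7.2  The administrator takes ownership. Set-Acl can make the caller or the
# Administrators group the owner (it enables the Take Ownership privilege for
# that); naming an arbitrary account as owner needs the Restore privilege and
# typically fails with "The security identifier is not allowed to be the owner".
$acl = Get-Acl -Path $path
$acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
Set-Acl -Path $path -AclObject $acl
'Owner now: ' + (Get-Acl -Path $path).Owner

# Grant the successor the Take Ownership special permission ...
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CONTOSO\newhire', 'TakeOwnership, ReadPermissions',
    'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# ... who must then take it explicitly, running as CONTOSO\newhire:
#   $acl = Get-Acl -Path $path
#   $acl.SetOwner([System.Security.Principal.NTAccount]'CONTOSO\newhire')
#   Set-Acl -Path $path -AclObject $acl
# or recursively from the command line:
#   takeown /F $path /R
# The new owner can now grant themselves Full Control; the old entries still
# apply until they do.
```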

9.2.8: Copying and Moving Files and Folders

When you copy files or folders from one folder to another folder, or move them from one volume to another volume, permissions can change.

When you copy a file within a single NTFS volume or between NTFS volumes:

• Windows Server 2003 treats it as a new file. As a new file, it takes on the permissions of the destination folder.

• You must have Write permission for the destination folder to copy files and folders.

• You become the creator owner.

Note: When you copy or move files or folders to FAT volumes or to a floppy disk, the folders and files lose their NTFS permissions because FAT volumes and floppy disks do not support NTFS permissions.

When you move a file or folder within a single NTFS volume:

• The file or folder retains the original permissions.

• You must have the Write permission for the destination folder to move files and folders into it.

• You must have the Modify permission for the source file or folder. The Modify permission is required to move a file or folder because Windows Server 2003 deletes the file or folder from the source folder after it is copied to the destination folder.

• The owner of the file or folder does not change.

When you move a file or folder between NTFS volumes:

• The file or folder inherits the permissions of the destination folder.

• You must have the Write permission for the destination folder to move files and folders into it.

• You must have the Modify permission for the source file or folder. The Modify permission is required to move a file or folder because Windows Server 2003 deletes the file or folder from the source folder after it is copied to the destination folder.

• You become the creator owner.
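
The three cases above can be observed directly. The script below is an added example, not part of the original text: it creates two folders on one NTFS volume with different explicit entries, copies one file and moves another, and prints the resulting entries. The paths, the groups CONTOSO\Editors and CONTOSO\Auditors, and the second volume D: are assumptions.

```powershell
# Added example (not from the original text): what Copy-Item and Move-Item do
# to NTFS permissions. Paths and groups are assumptions; run elevated.
$src = 'C:\Shares\Src'     # assumed
$dst = 'C:\Shares\Dst'     # assumed, same volume as $src
foreach ($d in $src, $dst) { New-Item -ItemType Directory -Path $d -Force | Out-Null }

function Grant-Folder($Path, $Identity, $Rights) {
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
Grant-Folder $src 'CONTOSO\Editors'  'Modify'   # assumed group
Grant-Folder $dst 'CONTOSO\Auditors' 'Read'     # assumed group

# Two constructed files in the source folder.
'a.txt', 'b.txt' | ForEach-Object { Set-Content -Path (Join-Path $src $_) -Value 'x' }

Copy-Item -Path (Join-Path $src 'a.txt') -Destination $dst   # new file: takes Dst's entries
Move-Item -Path (Join-Path $src 'b.txt') -Destination $dst   # same volume: keeps Src's entries

function Show-Entries($Path) {
    "== $Path (owner: $((Get-Acl -Path $Path).Owner))"
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -like 'CONTOSO\*' } |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}
Show-Entries (Join-Path $dst 'a.txt')   # Auditors: Read, inherited from Dst
Show-Entries (Join-Path $dst 'b.txt')   # Editors: Modify, carried over from Src

# Moving to another volume cannot be a rename, so it is a copy followed by a
# delete: the result looks like the copy case, and the mover becomes the owner.
#   Move-Item -Path (Join-Path $dst 'b.txt') -Destination 'D:\Shares\Dst'   # assumed volume
```

The moved file's entries from the old parent are still flagged as inherited even though the new parent never granted them; that is exactly why a file that "should be readable" after a same-volume move sometimes is not, and it is the first thing to look at in the troubleshooting table below.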

9.2.9: Troubleshooting NTFS Permission Problems

When you assign or modify NTFS permissions to files and folders, problems might arise. Troubleshooting these problems is important to keep resources available to users.

Table 9.2: Troubleshooting Permission problems

Problem: A user cannot gain access to a file or folder.
Solution: If the file or folder was copied, or if it was moved to another NTFS volume, the permissions might have changed. Check the permissions that are assigned to the user account and to the groups of which the user is a member. The user might lack the permission, or might be denied access either individually or as a member of a group.

Problem: You add a user account to a group to give that user access to a file or folder, but the user still cannot gain access.
Solution: Group membership is written into the user's access token when the token is built, at logon or when a network session to the server is established, so the new group is not in the token that is being checked. The user must either log off and then log on again, or close all network connections to the computer on which the file or folder resides and then make new connections.

Problem: A user with Full Control permission to a folder deletes a file in the folder, although that user does not have permission to delete the file itself. You want to stop the user from being able to delete more files.
Solution: Full Control on a folder includes the Delete Subfolders And Files special permission, which allows deleting any child regardless of the child's own permissions. Clear the Delete Subfolders And Files check box in the folder's special access permissions to prevent users with Full Control of the folder from deleting files in it.
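
A small diagnostic for the rows of Table 9.2, added here as an example that is not part of the original text. It lists the entries on a path that apply to the current user's token (which is also why a group added since logon is not seen), flags Deny entries, and checks whether the parent folder grants Delete Subfolders And Files. The target path is an assumption.

```powershell
# Added example (not from the original text): list the ACEs that apply to the
# current logon token and spot the usual causes from Table 9.2.
function Get-RelevantAces {
    param([string]$Path)
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # SIDs in the token built at logon; a group joined after logon is absent.
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable trustee: cannot apply to us
        if ($sids -contains $sid) {
            [pscustomobject]@{
                Path      = $Path
                Trustee   = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Test-ParentAllowsDelete {
    param([string]$Path)
    # Delete Subfolders And Files on the parent lets a user delete a child even
    # when the child's own entries grant no Delete (Table 9.2, last row).
    $parent = Split-Path -Path $Path -Parent
    $flag   = [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
    Get-RelevantAces -Path $parent |
        Where-Object { $_.Type -eq 'Allow' -and ($_.Rights -band $flag) -eq $flag }
}

$target = 'C:\Shares\Projects\plan.docx'   # assumed
$aces = @(Get-RelevantAces -Path $target)

# Print in evaluation order: explicit before inherited, Deny before Allow.
$aces | Sort-Object Inherited, { $_.Type -ne 'Deny' } | Format-Table -AutoSize

if (-not $aces) {
    'No entry applies to this token. Check a recent copy or move, or log off and on again if the user was just added to a group.'
}
if ($aces | Where-Object Type -eq 'Deny') {
    'A Deny entry applies to this token; it wins over any Allow at the same level (explicit or inherited).'
}
if (Test-ParentAllowsDelete -Path $target) {
    'The parent grants Delete Subfolders And Files: clear it on the parent to stop deletions of this file.'
}
```

Run it as the affected user (or with a freshly built token for that user) rather than as an administrator, since the check is against whatever token the shell is holding; comparing its output with `whoami /groups` shows immediately whether the missing group is a token-refresh problem rather than a permissions one.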