NTFS permissions specify which users and groups can access files and folders, and what they can do with the contents of those files and folders. You can set permissions only on drives formatted with NTFS, using the Security tab of the properties sheet of a file or folder.
To change permissions, you must be the owner or have been granted permission to do so by the owner.
Standard permissions are built from special permissions. The special permissions are:
- Traverse folder/Execute file. Allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders (applies to folders only). Traverse folder takes effect only when the group or user is not granted the 'Bypass traverse checking' user right in the Group Policy snap-in. (By default, the Everyone group is given the 'Bypass traverse checking' user right.)
- List folder/Read data. Allows or denies viewing file names and subfolder names within the folder (applies to folders only).
- Read data. Allows or denies viewing data in files (applies to files only).
- Read attributes. Allows or denies viewing the attributes of a file or folder, such as read-only, hidden, archive, compressed, encrypted and indexed. Attributes are defined by NTFS.
- Read extended attributes. Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
- Create files/Write data. Create files allows or denies creating files within the folder (applies to folders only). Write data allows or denies making changes to the file and overwriting existing content (applies to files only).
- Create folders/Append data. Create folders allows or denies creating folders within the folder (applies to folders only). Append data allows or denies making changes to the end of the file but not changing, deleting or overwriting existing data (applies to files only).
- Write attributes. Allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS.
- Write extended attributes. Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
- Delete subfolders and files. Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file.
- Delete. Allows or denies deleting the file or folder. If you do not have Delete permission on a file or folder, you can still delete it if you have been granted Delete subfolders and files on the parent folder.
- Read permissions. Allows or denies reading the permissions of the file or folder, such as Full Control, Read and Write.
- Change permissions. Allows or denies changing the permissions of the file or folder, such as Full Control, Read and Write.
- Take ownership. Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.
- Synchronize. Allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies only to multithreaded, multi-process programs.
Standard folder permissions are:
- Read. Enables the user to view the folder contents and to read the files (List folder/Read data, Read attributes, Read extended attributes, Read permissions and Synchronize).
- Read & Execute. Enables the user to view the folder contents and to read and execute the files. Read permissions plus Traverse folder/Execute file.
- List folder contents. Same as Read & Execute but only for folders. List folder contents is inherited by folders but not by files, and it only appears when you view folder permissions. Read & Execute is inherited by both files and folders and is always present when you view file or folder permissions.
- Write. Enables users to create and modify files and folders (Create files/Write data, Create folders/Append data, Write attributes, Write extended attributes, Read permissions and Synchronize).
- Modify. Enables users to read, create, modify, execute and delete folders, without being able to change permissions or take ownership. Contains all special permissions except Delete subfolders and files, Change permissions and Take ownership.
- Full control. The user has all rights. Contains all special permissions.
Standard file permissions are:
- Read. Enables the user to read the file (List folder/Read data, Read attributes, Read extended attributes, Read permissions and Synchronize).
- Read & Execute. Enables the user to read and execute the file. Read permissions plus Traverse folder/Execute file.
- Write. Enables the user to create and modify files (Create files/Write data, Create folders/Append data, Write attributes, Write extended attributes, Read permissions and Synchronize).
- Modify. Enables the user to read, create, modify, execute and delete files. Contains all special permissions except Delete subfolders and files, Change permissions and Take ownership.
- Full control. The user has all rights, including setting permissions and taking ownership. Contains all special permissions.
Note: groups or users granted Full Control on a folder can delete files and subfolders within that folder regardless of the permissions protecting those files and subfolders.
After you set permissions on a parent folder, new files and subfolders created in that folder inherit those permissions. If you do not want them to inherit, select 'This folder only' in 'Apply onto' when you set up special permissions for the parent folder, or use one of the other choices available. To prevent specific files or subfolders from inheriting permissions, clear the 'Allow inheritable permissions from parent to propagate to this object' check box. If the check boxes appear shaded, the file or folder has inherited permissions from the parent folder. There are three ways to change inherited permissions:
- Make the changes to the parent folder; the file or folder will then inherit them.
- Select the opposite permission (Allow or Deny) to override the inherited permission.
- Clear the 'Allow inheritable permissions from parent to propagate to this object' check box. You can then change the permissions or remove the user or group from the permissions list, but the file or folder will no longer inherit permissions from the parent folder.
If neither Allow nor Deny is selected for a permission, the group or user may still have obtained the permission through membership in another group. If it has not, the group or user is implicitly denied the permission. To explicitly allow or deny the permission, select the appropriate check box.
The 'Permission Entry' dialog box appears when you set permissions on files and folders. In this dialog box, 'Apply onto' lists the locations where you can apply permissions. How these permissions are applied depends on whether 'Apply these permissions to objects and/or containers within this container only' is selected. By default, this check box is clear.
If the 'Apply these permissions to objects and/or containers within this container only' box is clear:

| Apply onto | Current folder | Subfolders in current folder | Files in current folder | All subsequent subfolders | Files in all subsequent folders |
|---|---|---|---|---|---|
| This folder only | X | | | | |
| This folder, subfolders and files | X | X | X | X | X |
| This folder and subfolders | X | X | | X | |
| This folder and files | X | | X | | X |
| Subfolders and files only | | X | X | X | X |
| Subfolders only | | X | | X | |
| Files only | | | X | | X |
You can use 'Reset permissions on all child objects and enable propagation of inheritable permissions' on the Advanced tab to overwrite the permissions on the underlying files and subfolders.
If the 'Apply these permissions to objects and/or containers within this container only' box is selected:

| Apply onto | Current folder | Subfolders in current folder | Files in current folder | All subsequent subfolders | Files in all subsequent folders |
|---|---|---|---|---|---|
| This folder only | X | | | | |
| This folder, subfolders and files | X | X | X | | |
| This folder and subfolders | X | X | | | |
| This folder and files | X | | X | | |
| Subfolders and files only | | X | X | | |
| Subfolders only | | X | | | |
| Files only | | | X | | |
You can use the 'Apply onto' drop-down box to set which kind of object should inherit the permissions, e.g. this folder, subfolders, files. The following abbreviations are used for the inheritance flags on an ACE:
- IO. Inherit only. The ACE does not apply to the object it is set on, only to objects that inherit it.
- CI. Container inherit. Subordinate containers (subfolders) will inherit the ACE.
- OI. Object inherit. Subordinate files will inherit the ACE.
- NP. Non-propagate. The ACE is inherited by the immediate subordinate objects only and is not propagated further down the tree (the second table above).
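The two 'Apply onto' tables above follow mechanically from these four flags. The following is an added example, not code from the original page: it derives both tables from the IO/CI/OI/NP flags, so you can check any combination rather than looking it up. The mapping from each 'Apply onto' choice to a flag set is the standard Windows one (the flags cacls prints, e.g. `(OI)(CI)`), which the page does not state explicitly, so treat that mapping as this example's assumption.

```python
# Added example, not code from the original page. Derives the "Apply onto"
# tables from the ACE inheritance flags IO, CI, OI and NP. The choice-to-flags
# mapping below is the standard Windows one and is an assumption of this
# example, not something the page states.

COLUMNS = (
    "Current folder",
    "Subfolders in current folder",
    "Files in current folder",
    "All subsequent subfolders",
    "Files in all subsequent folders",
)

# "Apply onto" choice -> inheritance flags set on the ACE (assumed mapping).
APPLY_ONTO = {
    "This folder only": frozenset(),
    "This folder, subfolders and files": frozenset({"OI", "CI"}),
    "This folder and subfolders": frozenset({"CI"}),
    "This folder and files": frozenset({"OI"}),
    "Subfolders and files only": frozenset({"OI", "CI", "IO"}),
    "Subfolders only": frozenset({"CI", "IO"}),
    "Files only": frozenset({"OI", "IO"}),
}


def effective_scope(flags):
    """Return the set of COLUMNS an ACE with these flags is effective on.

    IO: inherit-only, so the ACE does not apply to the object it is set on.
    CI: subfolders inherit the ACE.
    OI: files inherit the ACE.
    NP: inheritance stops at the immediate children, which is what the
        'within this container only' check box sets.
    """
    scope = set()
    if "IO" not in flags:
        scope.add("Current folder")
    if "CI" in flags:
        scope.add("Subfolders in current folder")
        if "NP" not in flags:
            scope.add("All subsequent subfolders")
    if "OI" in flags:
        scope.add("Files in current folder")
        if "NP" not in flags:
            # Even without CI, deeper subfolders carry the ACE as
            # inherit-only so that the files inside them receive it.
            scope.add("Files in all subsequent folders")
    return frozenset(scope)


def _flags(choice, within_container_only):
    flags = set(APPLY_ONTO[choice])
    if within_container_only:
        flags.add("NP")
    return flags


def apply_onto_row(choice, within_container_only=False):
    """Return one table row as a tuple of 'X' or '' per column in COLUMNS."""
    scope = effective_scope(_flags(choice, within_container_only))
    return tuple("X" if col in scope else "" for col in COLUMNS)


def apply_onto_table(within_container_only=False):
    """Rebuild the whole table as {choice: row}."""
    return {c: apply_onto_row(c, within_container_only) for c in APPLY_ONTO}


def flags_for(choice, within_container_only=False):
    """Render the flags in cacls style, e.g. '(OI)(CI)(IO)', in a fixed order."""
    flags = _flags(choice, within_container_only)
    return "".join(f"({f})" for f in ("OI", "CI", "IO", "NP") if f in flags)


if __name__ == "__main__":
    for box_checked in (False, True):
        print("'within this container only' " + ("selected" if box_checked else "clear"))
        for choice, row in apply_onto_table(box_checked).items():
            print(f"  {choice:36} {flags_for(choice, box_checked):18} {row}")
```

Running the block prints both tables with the flag string next to each row; the flag string is what you would expect to see in cacls output for an entry set through that 'Apply onto' choice.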
When ACEs (Access Control Entries) are checked by the security reference monitor (SRM), non-inherited ACEs take precedence over inherited ACEs. The SRM handles NTFS security: it processes non-inherited permissions first, then inherited permissions. It processes these entries one at a time, comparing the user or group SID in each ACE with the SIDs in the program's access token.
If the ACE denies the type of access the program is requesting, the SRM immediately exits the loop and denies access. Otherwise, the SRM accumulates the permissions the ACE grants and then checks whether it has accumulated all the permissions the program requested. If it has, it grants the requested access; if not, it processes the next ACE. If the SRM reaches the end of the ACL (Access Control List) before accumulating all the requested permissions, it exits and denies access to the resource.
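The loop just described is easy to get wrong in one's head, especially the interaction between an explicit Allow and an inherited Deny. The following is an added example, not code from the original page and not the Windows implementation: a small simulation of that access check. Trustee names stand in for SIDs, and the sample ACL and tokens are constructed for illustration.

```python
# Added example, not code from the original page and not the Windows SRM.
# Simulates the access-check loop described in the text. Trustee names stand
# in for SIDs; the sample ACL and tokens below are constructed.

from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    trustee: str        # stands in for the SID the ACE names
    allow: bool         # True = Allow ACE, False = Deny ACE
    rights: frozenset   # access rights the ACE covers, e.g. {"READ", "WRITE"}
    inherited: bool     # True if inherited from the parent folder


def access_check(acl, token_sids, requested):
    """Return (granted, reason) for a token asking for `requested` rights.

    Rules from the text: non-inherited ACEs are processed before inherited
    ones; ACEs naming a trustee not in the token are skipped; a Deny ACE that
    covers any still-outstanding requested right ends the check with a
    denial; Allow ACEs accumulate until every requested right is covered;
    reaching the end of the ACL without full coverage is a denial.
    """
    ordered = [a for a in acl if not a.inherited] + [a for a in acl if a.inherited]
    requested = frozenset(requested)
    granted = set()
    for ace in ordered:
        if ace.trustee not in token_sids:
            continue
        outstanding = requested - granted
        if not ace.allow:
            if ace.rights & outstanding:
                kind = "inherited" if ace.inherited else "explicit"
                return False, f"denied by {kind} Deny for {ace.trustee}"
            continue
        granted |= ace.rights & requested
        if requested <= granted:
            return True, "all requested rights accumulated"
    return False, "end of ACL reached without all requested rights"


# Constructed sample ACL for a folder. On-disk order puts the inherited Deny
# before the explicit Allow; access_check reorders them as the SRM does.
SAMPLE_ACL = (
    Ace("Users", allow=True, rights=frozenset({"READ"}), inherited=True),
    Ace("Temps", allow=False, rights=frozenset({"WRITE"}), inherited=True),
    Ace("alice", allow=True, rights=frozenset({"WRITE"}), inherited=False),
)

ALICE = frozenset({"alice", "Users", "Temps"})   # a Temp with an explicit grant
BOB = frozenset({"bob", "Users", "Temps"})       # a Temp without one
CAROL = frozenset({"carol"})                     # matches no ACE at all


if __name__ == "__main__":
    for who, token in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        for req in ({"READ"}, {"WRITE"}, {"READ", "WRITE"}):
            ok, why = access_check(SAMPLE_ACL, token, req)
            print(f"{who:6} {str(sorted(req)):18} {'ALLOW' if ok else 'DENY':5} {why}")
```

The instructive case is alice: she is in Temps, which carries an inherited Deny for WRITE, but her explicit Allow for WRITE is processed first and satisfies the request before the Deny is ever reached. bob, with no explicit entry, hits the same Deny and is refused; carol matches nothing and is refused at the end of the ACL, which is the implicit denial the text mentions.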
- Cacls is a standard utility to set and view NTFS permissions.
- Xcacls is a Resource Kit utility to set permissions.
- Showacls (Resource Kit) shows the ACLs on files.
- Perms is a Resource Kit utility to view NTFS permissions per user.
- Showaccs is part of the Windows 2000 Support Tools and can be used to read NTFS permissions.
Last update : 12 June 2001