Before you start
Objectives: learn how to configure NTFS permissions for files and folders in XP
Prerequisites: you have to know what are NTFS permissions.
Key terms: permission, group, folder, user, modify, file, ntfs, acl, control, check, read
To modify the permissions of the file or folder, we need to go to its properties, and then the ‘Security’ tab. Here we can see the ‘Access Control List‘ (ACL). ACL shows us what our users can or can not do on particular file or folder. In ACL there are two columns of permissions. One column is the ‘Allow‘ column, and the other is the ‘Deny‘ column. The ‘Allow’ column shows us what is allowed for a particular user. The ‘Deny’ column allows us to deny access for particular user. This column becomes important when we have the same users assigned to different groups, and we want to deny some actions for that users on particular file or folder. The ‘Deny’ setting always takes precedence and overrides the ‘Allow’ setting. If users or groups of users are not listed in ACL, they don’t have access to that particular file or folder.
To edit NTFS permissions, we have to open the properties for the drive, folder or file, and then use the ‘Security’ tab. In our example, we will go to the E drive, and then open the properties of the ‘Paulaner’ folder.
Image 248.1 – Paulaner Properties
In our case we can see the ‘Security’ tab. If you don’t see a ‘Security’ tab, check that your drive is formatted with NTFS file system, and check that you don’t have ‘Simple sharing’ enabled. To disable ‘Simple sharing’ and enable ‘Advanced sharing’, go to the ‘Tools’ menu, ‘Folder options’, and then the ‘View’ tab. Scroll down and clear ‘Use simple file sharing’ and click OK. Let’s now open the ‘Security’ tab, and take a look at NTFS permissions.
Image 248.2 – Security Tab
The top box shows the users or groups with existing permissions for the folder. When we select a user, the bottom box shows the permissions of that user or group. Let’s select the ‘Administrators’ group.
Image 248.3 – Administrators Group
Notice that the ‘Allow’ permissions are grayed out, and we can’t modify them. We could use the ‘Deny’ option to modify permissions, but that is not recommended in this case. In addition, we can’t remove a user or a group from the list. Let’s check that out by trying to remove the ‘Users’ group.
Image 248.4 – Removing a Users Group
We get a warning message that we can’t remove users because this object is inheriting permissions from parent. In this case the parent is the E drive. The ‘Paulaner’ folder is inheriting its NTFS permissions from the E drive. Let’s click OK. To see more information about NTFS permissions, let’s click on the ‘Advanced’ button.
Image 248.5 – Advanced Security
On the ‘Permissions’ tab, we can see the list of permission entries. Each entry shows whether the permission is denied or allowed, the user or group, the actual permission, where the permission is inheriting from, and what it’s applied to. In our case, the parent object is the E drive. Administrators have full control because they need to manage the drive and its contents. The ‘Creator Owner’ group also has full control so that users can manage their own files (they need to manage the files that they create). The ‘System’ group also has full control so that the operating system can access files as necessary. The ‘Users’ group has ‘Read and Execute’ permission. Users with ‘Special’ permission have advanced permissions that don’t show up on a regular list. By default all files and folders are configured to inherit permissions from the parent object. If we want to change the inherited permissions we need to clear the ‘Inherit from parent the permission entries that apply to child objects‘ option. When we do that, we are given a choice.
Image 248.6 – Editing Inheritance
We can either copy the existing permissions or we can completely remove them. If we want to make minor changes to the inherited permissions, ‘Copy’ is the best solution. ‘Copy’ copies the existing permissions, but it removes inheritance. After the copy is finished, we can change the existing permissions. If the existing permissions are completely wrong, we could just remove them and build our own permissions from scratch. In our case, we want to make some minor changes, so we will select the ‘Copy’ option, and click OK.
Image 248.7 – Users Group Selected
Notice that we have the same permissions list as we had before. But this time we can edit the permissions. Now we can delete the ‘Users’ group from the list.
Remember, if we want to edit permissions for particular file or folder, we have to clear the ‘Inherit from parent the permission entries that apply to child objects’ in ‘Advanced Security Settings’. Otherwise the permissions will be inherited from the parent. When we add new user or group to the ACL, we can assign the permissions for that user or group of users as we desire. For example, if we check the ‘Modify’ permission, the system will automatically check ‘Read & Execute’, ‘List Folder Options’, ‘Read’, and ‘Write’ permission. If we check ‘Read & Execute’ the system will automatically check ‘List Folder Options’, and ‘Read’ permission. On every permission we have an ‘Allow’ column and a ‘Deny’ column. We use the ‘Deny’ column to explicitly deny access to a particular user. Our users can belong to more than one group, so this option comes in handy in that case. Let’s say that we have one user that belongs to several groups. Let’s say that this user is a member of ‘Accounting’ group, and also member of the ‘Development’ group. Let’s say that the ‘Accounting’ group has the ‘Read & Execute’ permission, and Development’ group has the ‘Write’ permission on particular folder. In this case we will add the privileges up. The effective permissions for this user will consist of the ‘Read & Execute’ from one group, and ‘Write’ from another group.
Now, let’s say that the ‘Accounting’ has the ‘Modify’ permission, and the ‘Development’ has the denied ‘Write’ permission. The ‘Modify’ will give users the ability to read and execute files, but the denied ‘Write’ permission from ‘Development’ will deny writing from the ‘Modify’ permission set for the ‘Accounting’ group. If the user belongs to both groups, the effective permission is ‘Read & Execute’ in this case.
We can see the effective permissions if we go to the ‘Advanced’, and then to the ‘Effective Permissions’ tab. We have to select the user or a group. The effective permissions will appear for that user or a group of users. Let’s see an example. We have a folder named ‘Databases’ on our E drive. We want members of the ‘Accounting’ local group to be able to add and remove files in the folder. To work with NTFS permissions we have to be sure that the ‘Use simple file sharing’ setting is unchecked. Go to ‘Tools’, ‘Folder Options’, ‘View’ tab, and scroll down. Then clear ‘Use simple file sharing’ and click OK.
Image 248.8 – Simple File Sharing
Now, we’ll modify the Access Control List for the ‘Databases’ folder. In other words, we are going to modify the NTFS permissions. Open the properties of the ‘Databases’ folder, and go to the ‘Security’ tab.
Image 248.9 – Database Folder Properties
Notice that each of the entries have inherited the permissions from the parent drive. We want to have more restricted permissions, so we need to modify the inherited permissions. Let’s click ‘Advanced’, clear the ‘Inheritance’ check box, and select ‘Copy’ to copy existing permissions.
Image 248.10 – Advanced Settings
Image 248.11 – Inheritance Unchecked
Image 248.12 – Permissions Copied
Click OK to close the advanced dialog box. Now we can modify our existing permissions. We are going to keep the ‘Administrators’ group with full control so that they can continue to manage the folder.
Image 248.13 – Administrators Group
We will keep the ‘CREATOR OWNER’ group, because this allows users full control over their own files. This group has ‘Special Permissions’.
Image 248.14 – Creator Owner Group
We will remove the ‘Users’ group. We don’t want any individual user to have access to this folder, so we will also remove the ‘Administrator’ account from the list too. Finally, we will add the ‘Accounting’ group to the ACL. We will click ‘Add’, type in ‘Accounting’, and click ‘Check Names’. Click ‘OK’ to add the group to the ACL.
Image 248.15 – Adding a Group
Image 248.16 – Accounting Group Added
The ‘Accounting’ group was added with default permissions of ‘Read & Execute’, and ‘List Folder Contents’. We will also check ‘Modify’ permission, so that our users from the ‘Accounting’ group can modify the content of the folder.
Image 248.17 – Modify Permission Added
However, we don’t want them to have full control. Giving them ‘Full Control’ permission would allow them to modify the ACL. In other words, they could change permissions on this folder. We only want the ‘Administrators’ group, and the ‘Creator Owner’ group to have full control. Let’s click ‘OK’ to finish our permissions assignment. Every folder and file has several permissions that we can set to control access. Let’s take a look at the permissions on the ‘Manuals’ folder.
Image 248.18 – Kim Verson Permissions
Notice that Kim Verson has three permissions allowed. These are ‘Read & Execute’, ‘List Folder Content’, and ‘Read’. However, many of the standard permissions are really a combination of more advanced permissions. To see advanced permissions click the ‘Advanced’ button.
Image 248.19 – Advanced Permissions
Here we can see all permission entries. Let’s select Kim Verson and click on the ‘Edit’ button.
Image 248.20 – Advanced Permissions for Kim
Notice that Kim Verson now has five permissions instead of three. We will modify the permissions for this user by granting her the ‘Take Ownership’ permission. Click ‘OK’ twice.
Image 248.21 – Kim Verson Special Permission
Notice that now Kim Verson has ‘Special Permission’ checked. That’s because the ‘Take Ownership’ permission is not one of the normal permissions. In addition to granting special permissions, we can configure how those permissions apply to the folder and its files. Let’s go back to ‘Advanced’, select Kim Verson, and click ‘Edit’ again. Notice the ‘Apply onto’ list.
Image 248.22 – Apply Onto
As we can see, we have a number of different choices. In this example, let’s apply our changes to the files only, give ‘Full Control’ permission, and click OK.
Image 248.23 – Files Only
Image 248.24 – Special Permissions
Notice that Kim Verson has only ‘Special Permission’ selected. Even though we granted the ‘Full Control’ permission, in the ‘Security’ tab only ‘Special Permissions’ is checked. Other permissions are not shown, but are indicated by a check mark in the ‘Special Permissions’ box. Let’s go back to ‘Advanced’, select Kim Verson again, click ‘Edit’, and this time select ‘Apply onto: This folder, subfolders, and files’.
Image 248.25 – This folder subfolders and files
Click OK twice to confirm. Let’s look at the ‘Security’ tab. Notice that, for Kim Verson, the ‘Full Control’ permission has been granted and ‘Special Permission’ is no longer selected.
Image 248.26 – Full Control
Let’s add the ‘Accounting’ group to the ACL for the ‘Manuals’ folder, with default permissions. Note that Kim Verson is the member of the ‘Accounting’ group. When we have several groups of users in ACL it is good to check the ‘Effective Permissions’ for individual users. While we could calculate this ourself, we can let Windows show us the effective permissions. To do that, go to the ‘Advanced’, and go to the ‘Effective Permissions’ tab. We need to select some user account. We will click on the ‘Select’ button, type in ‘Kim Verson’, click ‘Check Names’, and then click ‘OK’.
Image 248.27 – Kim Verson Effective Permissions
Notice that Kim Verson has all possible permissions, while other users that belong to the ‘Accounting’ group only have default permissions. This is because we have added Kim Verson individually to the ACL and edited her’s permissions. In addition to NTFS permissions, files and folders on an NTFS partition identify the file owner. Ownership is important because some actions can only be performed by the owner. In other cases, we can take ownership of the file to modify the permissions on a file when we would otherwise not be able to. In our example, we have a file in the ‘Manuals’ folder called ‘Keeway Cruiser 250’. Kim Verson created this file and she removed all other users and groups from the ACL.
Image 248.28 – Keeway Security Properties
Now, let’s log on with an Administrator account and try to change the NTFS permissions for the ‘Keeway Cruiser 250’ file. Notice the Warning.
Image 248.29 – Security Warning
Image 248.30 – Security Tab
We can not view, let alone modify the access control list. However, we can take ownership of the file. To take ownership, we have to be logged on as user who is a member of the ‘Administrators’ group. We are currently logged on as an Administrator, who is a member of the ‘Administrators’ group. We’ll click ‘Advanced’, and then click the ‘Owner’ tab.
Image 248.31 – Owner Tab
Now, we want to select a user who is going to take ownership of this file. We will select Administrator, and click ‘Apply’.
Image 248.32 – Owner Changed
Notice that the owner is changed to the ‘Administrator’ account. Let’s click OK to save our changes, and click OK again. Now, as the file owner, if we open the file properties and go to the ‘Security’ tab, we can view and modify the NTFS permissions for the file.
Image 248.33 – File Properties
If we want to edit current permissions for particular file or folder, we have to clear the ‘Inherit from parent the permission entries that apply to child objects’ option in ‘Advanced Security Settings’. When we add new user or group to the ACL, we can assign the permissions for that users as we desire. We use the ‘Deny’ column to explicitly deny access to a particular user since users can belong to more than one group. We can see the effective permissions if we go to the ‘Advanced’, and then to the ‘Effective Permissions’ tab. Giving users ‘Full Control’ permission allows them to modify the ACL. In addition to NTFS permissions, files and folders on an NTFS partition identify the file owner. Ownership is important because some actions can only be performed by the owner. We can take ownership of the file to modify the permissions on a file when we would otherwise not be able to.