Editing NTFS Permissions in Windows 7

Before you start

Objectives: Learn how to properly manage NTFS permissions and their inheritance, how to configure special (advanced) permissions, and how to check effective permissions in Windows 7.

Prerequisites: you have to know what are NTFS permissions.

Key terms: NTFS, permissions, files and folders, Windows 7, special permissions, effective permissions, permission configuration


 Folders

For this demonstration we have created an “NTFS demo” folder on our C partition. Inside of that folder we have three subfolders: “Admins”, “Kim Verson”, and “Marko”.

 1 Folders

Subfolders in “NTFS demo” folder

In our case, we want to allow access to certain folders only for specific users. For example, only computer administrators should have access to the “Admins” folder. Only administrators and Kim Verson should have access to the “Kim Verson” folder, and only administrators and user Marko should have access to the “Marko” folder.

Inheritance

As you should already know, child objects (files and folders) inherit permissions from their parent, by default. So, in our case, by default, “NTFS demo” folder will inherit permissions from the C drive. Let’s check this out. We will right click the “NTFS demo” folder and go to its properties, then open the Security tab, and then click on the Advanced button.

 2 Advanced Options

Inherited From Column

Notice that the option “Inherit inheritable permissions from this object’s parent” is checked by default. Also, notice that permissions are inherited from “C:\”.  The next thing we should do on the “NTFS demo” folder is remove inheritance. This way, our new permissions won’t be affected by the permissions set on the C drive. To remove inheritance, we can click on the “Change Permissions…” button on the Advanced window, and then uncheck the box for “Include inheritable permissions from this object’s parent” option. When we do that, the Windows Security window will appear.

 3 Inheritance Removed

Inheritance Warning

At this point we have to options. We can keep all current permissions on that folder and then work with them, or we can remove all current permissions and set new ones from the beginning. The recommended thing to do is to Add current permissions, which will make all current permissions explicit. This way we know which permissions were previously set on the object. When we do that, notice the “Inherited From” column. It changed from “C:\” to “<not inherited>”, which is what we want for “NTFS demo” folder.

 4 Inheritance Removed 2

Inheritance Removed

Now we can manually make changes to permissions on “NTFS demo” folder, and permissions on C drive won’t affect them. But, what about subfolders in “NTFS demo” folder. Let’s check the Security tab for “NTFS demo” folder, and for one subfolder, for example, “Admins”.

 5 Security Tab

Explicit and Inherited Permissions

Notice that the Allow column for “NTFS folder” has black check marks, while “Admins” folder has check marks which are grayed out. This means that permissions for the “Admins” folder are inherited. Let’s click on the Advanced button on on the Security tab for the “Admins” folder.

 6 Admins Inheritance

Admins Folder Inheritance

Notice that subfolders in “NTFS demo” folder now inherit permissions from the “NTFS folder” itself.

Proper Inheritance

Now we have one problem which considers inheritance. All subfolders in “NTFS demo” folder have the same permissions as “NTFS demo” folder. This is a problem because if we check permissions on the “NTFS demo” folder, we will see that all users have access to that folder, and since subfolders will inherit those permissions, all users will have access to all subfolders in “NTFS demo” folder, which is not what we want. Because of that fact, we have to modify permissions on the “NTFS demo” folder. First, we will remove all permissions except for the Administrators group, which can have full control. Our permissions on the “NTFS demo” folder now look like this.

 7 Administrators Only

Administrators Only

If we only leave it like this, only administrators will have access to “NTFS folder” and its subfolders. Since all users have to go to “NTFS demo” first to get to their own folder, we also have to ensure that other users can list “NTFS demo” folder content. Beware that we also have to ensure that they don’t have access to all subfolders in “NTFS folder”, but only their specific subfolder. For this to happen, we will add permissions for “Authenticated Users” group again and give it the “Read & Execute” permission. Authenticated Users group contains all users which log on to the machine. We should always use Authenticated Users group instead of Everyone group, since users have to at least authenticate to get access. Everyone group will enable access for anonymous users as well.

 9 Authenticated Users

Authenticated Users Group Added Back

If we leave it like this, this permission will again be propagated to all child objects in “NTFS demo” folder. We have to change that. We have to set this permission only for “NTFS demo” folder. For this we have to click on the Advanced button on the Security tab, and check the Apply To column. Notice that now permissions will be applied to this folder, subfolders and files.

10 Propagation

Apply To Column

To change this we will click on the “Change Permissions…” button, and double click on the permission for “Authenticated User”. On the “Permission Entry for NTFS demo”, we will change the “Apply to” option to “This folder only”.

 11 Apply To

Apply To Propagation Option

When we do that, permission for Authenticated Users group will only be applied for “NTFS demo” folder, and not its subfolders. This way we ensure that all users can access “NTFS demo” folder, but don’t have access to specific subfolders.

So, the next thing to do is give explicit permissions to specific user for certain subfolder in “NTFS demo” folder. For example, we will give the Modify permission to user Kim Verson for subfolder “Kim Verson”.  Remember that maximum permission we should give to ordinary users is the Modify permission. The difference between “Full control” and “Modify” permission is that users with “Modify” won’t be able to take ownership of the object or change its permissions.

 8 Kim Verson Permissions

Kim Verson Explicit Permissions

To conclude, we have enabled access for all users to “NTFS demo” folder by using Authenticated Users group which is not propagated to subfolders. Administrators have full control on “NTFS demo” folder, and this permission is propagated to all child objects (files and folders) in “NTFS demo” folder. We have set explicit permissions for specific users so that they can access their own subfolder (additional, explicit permissions, can be added even when inheritance is enabled).

Special Permissions

As you should know, the 6 standard NTFS permissions are actually collections of more granular, special NTFS permissions. For most situations, standard permissions provide enough control. In some situations we might need more specific NTFS permissions. In fact, we already used special permissions when we set the propagation level of permission in previous example. Propagation level is configured using the “Apply to” option in advanced permission configuration. We have several options here like “This folder only”, “Subfolders and files only”, “Files only”, etc.

We can also configure special permissions for users in a way that they can only create new objects, but can’t delete them (or vice versa 😉 ). For example, let’s add a special permission for user Marko for the subfolder “Marko”, so that he can only add new files and folders, but can’t delete them. For that we will go to the Security tab and add user Marko with “Read & Execute” permission. Next, we will click the Advanced button, and then click on the “Change Permissions…” button, and click on Edit button for Marko entry. Here, we will see that some special permissions will already be selected because we gave Read & Execute permission previously. So, for user to be able to add new objects, we also have to select permissions “Create files / write data”, “Create folders / append data”, “Write attributes”, and “Write extended attributes”. Since we don’t want to allow user to delete files and folders, we won’t select permissions “Delete subfolders and files”, and “Delete”.

 12 Special Permissions

Special Permissions Example

Effective Permissions

To check the effective permissions for specific user or group, we can go to Effective Permissions tab in Advanced section. For example, let’s check what permissions has the Users group on the “Marko” folder.

 13 Effective Permissions

Effective Permissions Example

In our case, the Users group doesn’t have any permissions on the “Marko” folder, and this is what we want. Effective permissions can be very useful when we want to check permissions for users which belong to multiple groups, because it also takes into account the inheritance and propagation levels. This way we don’t have to manually calculate the final permissions.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Giveaway: EaseUS Data Recovery Pro licence ($89.95 worth). Read more
+
%d bloggers like this: