NTFS and Share Permissions Management in Vista

Before you start

Objectives: Learn where and how to manage NTFS and Share permissions in Windows Vista.

Prerequisites: You have to know what NTFS and Share permissions are.

Key terms: access, advanced, data, effective, permissions, folder, owner, NTFS, user, share, role


NTFS Permissions Management

To manage NTFS permissions we can simply use Windows Explorer. In our example, we have created a “Demo” folder on our Desktop. We will use it to check and manage NTFS and Share permissions. To check the permissions we have to go to the properties of the folder or file. Once in the Properties window, we open the Security tab, which is where we work with NTFS permissions.

Security Tab

By default, all permissions are inherited from the parent object (the parent folder). This is why we will always see some default permissions on our folders and files, even if they are newly created. As we see in our case, certain users and groups are already in the list. Also, notice that we can’t change inherited permissions by default (they are grayed out). Inheritance can be turned off, and in that case we will be able to change all permissions.

To change current permissions we can click the Edit button. A new window will pop up, and here we will be able to add new users or groups of users to the list, or change permissions for current users or groups.

Edit Permissions

To add new users or groups, we can click the Add button. A new window will pop up, and here we have to select the object which will be added to the list. In our case we will add the “Users” user group.

Add Users

Now that the Users group is in the list, we can change its permissions on the current folder (and subfolders if inheritance is left turned on). In our case we will only allow the Read permission for the Users group.

Users Group Permissions

To turn inheritance on or off, we have to click the Advanced button, which is located on the Security tab. A new window will pop up.

Advanced Permissions

Notice that in this list we can see which object each permission is inherited from. In our case the “Demo” folder, which is located on the Desktop, inherits permissions from the C:\Users\Admin\ object. To change inheritance settings we can click the Edit button. A new window will pop up. To turn off inheritance we have to uncheck the “Include inheritable permissions from the object’s parent” option. When we do that we will get the following warning.

Inheritance Warning

We have to select whether we want to keep all existing entries (the Copy option) or remove them. If we keep the existing entries we will be able to change them. If we remove them, we will be able to set brand new permissions. In our case we will select the Remove option. When we do that, we will see that the only permissions that are left are those that we manually set previously (we have added the Users group to the list).

Inheritance Removed

Even if we remove all users from this list, the owner of the object will always be able to access it and set permissions on it. The owner of the object is the user who created it, but we can also change the owner. To do that we can go to the Owner tab in the advanced Security settings.

Owner Tab

To change the owner of the object we can click the Edit button. In our case Admin is the owner of the “Demo” folder, and because of that it can still manage that folder (even though we have previously deleted that user from the list). Ownership of a file or folder is a very powerful feature, especially if we have administrative rights on the computer. For example, if we have administrative rights we can take ownership of a file from some user and, by editing the NTFS permissions, prevent that user from ever accessing that file again.

When thinking about permissions, always bear in mind that they are cumulative. That means that if we belong to multiple user groups, permissions will add up. To see the effective permissions on some object we can always go to the Effective Permissions tab in the advanced options. In this window we first have to select the user or group of users for which we want to see the effective permissions. In our case we have selected the Users group, so we can see effective permissions below.
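The Security tab steps described so far (add the Users group with Read, turn off inheritance with the Remove option, check the owner), written as a Windows PowerShell script. This is an added example, not part of the original walkthrough; it assumes a scratch “Demo” folder under the user's temp directory rather than the Desktop, and it uses the English name of the built-in Users group.

```powershell
# Added example: scripted equivalent of the GUI steps, run against a scratch
# folder (the path is an assumption) so that no real data is affected.
$path = Join-Path $env:TEMP 'Demo'
New-Item -ItemType Directory -Path $path -Force | Out-Null

function Show-Acl([string]$Target) {
    # One row per entry; IsInherited marks the entries the GUI shows grayed out.
    (Get-Acl -Path $Target).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
}

'Before (entries inherited from the parent folder):'
Show-Acl $path

$acl = Get-Acl -Path $path

# Allow Read for the Users group on this folder, its subfolders and files.
# 'BUILTIN\Users' is the English group name; localized systems use another name.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)

# Turn inheritance off. First argument: protect this ACL from the parent.
# Second argument: $false matches "Remove" in the warning, $true matches "Copy".
$acl.SetAccessRuleProtection($true, $false)

Set-Acl -Path $path -AclObject $acl

'After (only the explicit Users entry remains):'
Show-Acl $path

# The owner is not in the list any more but can still read and change the ACL.
"Owner: $((Get-Acl -Path $path).Owner)"
```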

Effective Permissions

The Effective Permissions tab is great when we need to determine permissions for users who belong to multiple groups. Another interesting feature is the Auditing tab. Here we can set events which will be tracked on the current folder. Events will then be visible in the Event Viewer console.

Sharing Permissions

We share folders on our computer to allow users to access our data over the network. To get to the Share options and permissions, we can right-click a folder and select the “Share” option, or we can go to the Properties of the folder and select the Sharing tab. First let’s check the Sharing tab.

Sharing Tab

Notice that our “Demo” folder is not currently shared. Let’s click the Advanced Sharing button. A new window will pop up.

Share Name

In this window we can choose to share this folder and enter the share name. Notice that the share name doesn’t have to be the same as the folder name. To set Share permissions we can click the Permissions button. A new window will pop up.

Share Permissions

The default permission for Shares is the Everyone group with Read permission. This means that everyone will be able to read the content from our shared folder, so we should be careful when dealing with the Everyone group. We may or we may not want that group in the list. As with NTFS permissions, here we can add additional users or groups of users to this list.

When thinking about effective permissions on shared folders, we have to keep in mind that both NTFS and Share permissions are applied to shared folders. So, the cumulative NTFS permissions and cumulative Share permissions are combined, and then the more restrictive permission is applied. For example, if we have Full Control NTFS permission, but we have Read Share permission, the effective permission will be Read (when we access the folder over the network). Also, if we have the Full Control Share permission, and we have the Read NTFS permission, the effective permission will be Read. So, as you can see, when combining NTFS and Share permissions, the effective permission will be the more restrictive one. Remember that the NTFS and Share permissions are only combined when we access the folder over the network. If we access the folder locally, only NTFS permissions are applied.
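The rule above as a small Windows PowerShell model, added here as an illustration and not taken from the original article. It is a simplification that covers Allow entries only; the function names and the sample group grants are constructed, and the Share levels Read, Change and Full Control are expressed as the equivalent file system rights.

```powershell
# Added example: simplified model of cumulative and effective permissions.
# Function names and sample grants are hypothetical; Deny entries are not modelled.
$Rights = [System.Security.AccessControl.FileSystemRights]

function Get-CumulativeRights([string[]]$Grants) {
    # Permissions from every group the user belongs to add up (bitwise OR).
    $mask = 0
    foreach ($g in $Grants) {
        $mask = $mask -bor [int][System.Security.AccessControl.FileSystemRights]$g
    }
    return $mask
}

function Get-EffectiveRights([string[]]$NtfsGrants, [string[]]$ShareGrants, [switch]$OverNetwork) {
    $ntfs = Get-CumulativeRights $NtfsGrants
    # Local access: only the NTFS permissions are applied.
    if (-not $OverNetwork) {
        return [System.Security.AccessControl.FileSystemRights]$ntfs
    }
    $share = Get-CumulativeRights $ShareGrants
    # Network access: an operation must be allowed by both sets, so only the
    # bits present in both survive (bitwise AND). The more restrictive set wins.
    return [System.Security.AccessControl.FileSystemRights]($ntfs -band $share)
}

# Share levels expressed as file system rights.
$shareRead = 'ReadAndExecute, Synchronize'
$shareFull = 'FullControl'

'Full Control NTFS + Read Share, over the network:'
Get-EffectiveRights -NtfsGrants 'FullControl' -ShareGrants $shareRead -OverNetwork

'Read NTFS + Full Control Share, over the network:'
Get-EffectiveRights -NtfsGrants 'Read, Synchronize' -ShareGrants $shareFull -OverNetwork

# A user in two groups: one grants Read, the other Modify (constructed sample).
$ntfsGroups = 'Read, Synchronize', 'Modify, Synchronize'
'Two groups (Read and Modify) + Read Share, over the network:'
Get-EffectiveRights -NtfsGrants $ntfsGroups -ShareGrants $shareRead -OverNetwork
'Same user, local access:'
Get-EffectiveRights -NtfsGrants $ntfsGroups -ShareGrants $shareRead
```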

To check for some general sharing settings we can go to the Network and Sharing Center in the Control Panel.

Sharing Center

Notice that the File Sharing setting is currently turned on. This happens automatically when we share some folder on our computer. Even if we turn off this option in the Network and Sharing Center, shared folders that we previously configured manually will still be available over the network. So, we should be careful when looking at this option in the Network and Sharing Center. In fact, if we want to turn sharing off, we should do that manually on every single shared folder.

Now, let’s also check the new sharing procedure intended for end users. Let’s right click our Demo folder and select the Share option. Our folder is already shared, so we will get the following window.

Sharing for End Users 1

Here we will choose to change sharing permissions. On the next screen we can set additional options.

Sharing for End Users 2

Note that we don’t see the standard sharing options and permissions. Here we can also add or remove users and groups, and we can give them specific permission levels or roles. The roles are Reader, Contributor and Co-owner. The Reader role has read access, the Contributor role has read and change permissions, and the Co-owner role has full control. This new interface is intended to make sharing easier for end users.

In Network and Sharing Center we also have an option for Public folder sharing. The public folder is a single folder on the computer which can be used by all users to share their files. Local users will always have access to the public folder, but for network users we have to enable this option.

Public Folder Network Sharing

We have an option to allow users to only read files, or to allow them to also change and create files. The Public folder is located in C:\Users\Public. The Public folder is also here to make it easier for end users to share their files with all users.

Computer administrators should be familiar with the Administrative Tools MMC console where all the shared folders can be listed. To open Computer Management we can go to Control Panel, or we can run it from the Search menu by entering compmgmt.msc. Once in Computer Management we can go to Shared Folders to see the list of all shared folders on our computer.

Folder Sharing Console

Notice that we can see our “Demo Share” folder, and we can also see some other shares which end in “$”. Those shares are created automatically, and users with administrative rights can always use them to access data on the computer over the network.
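The same inventory can be taken from the command line, which also shows the Share permissions of every share in one pass, so that shares still granting access to the Everyone group are easy to spot. This is an added example, not part of the original article; it uses the WMI classes Win32_Share and Win32_LogicalShareSecuritySetting from Windows PowerShell and assumes an elevated session. The helper name New-Row is hypothetical.

```powershell
# Added example: list all shares on the local computer with their Share permissions.
# Index the share security settings by share name. Shares without an explicit
# descriptor (typically the automatic "$" shares) have no entry here.
$security = @{}
Get-WmiObject -Class Win32_LogicalShareSecuritySetting |
    ForEach-Object { $security[$_.Name] = $_ }

function New-Row($Share, $Trustee, $Access, $Review) {
    New-Object PSObject -Property @{
        Share     = $Share.Name
        Path      = $Share.Path
        Automatic = ($Share.Type -ge 2147483648)  # high bit set = administrative share
        Trustee   = $Trustee
        Access    = $Access
        Review    = $Review
    }
}

$rows = foreach ($share in (Get-WmiObject -Class Win32_Share)) {
    $setting = $security[$share.Name]
    if (-not $setting) { New-Row $share '(no explicit share ACL)' '' ''; continue }

    $sd = $setting.GetSecurityDescriptor()
    if ($sd.ReturnValue -ne 0) { New-Row $share "(error $($sd.ReturnValue))" '' ''; continue }

    foreach ($ace in $sd.Descriptor.DACL) {
        $type = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
        # Access masks stored for the three levels in the Permissions dialog.
        $level = switch ($ace.AccessMask) {
            1179817 { 'Read' }
            1245631 { 'Change' }
            2032127 { 'Full Control' }
            default { '0x{0:X}' -f $_ }
        }
        # S-1-1-0 is the well-known SID of the Everyone group.
        $review = if ($ace.Trustee.SIDString -eq 'S-1-1-0' -and $type -eq 'Allow') { 'Everyone' } else { '' }
        New-Row $share $ace.Trustee.Name "$type $level" $review
    }
}

$rows | Format-Table Share, Path, Automatic, Trustee, Access, Review -AutoSize
```

Because turning off File Sharing in the Network and Sharing Center does not remove manually configured shares, rerunning this listing after a change shows which shares are still published.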