Managing File and Folder Permissions

You can think of file and folder permissions as the base-level permissions—the permissions that are applied no matter what. For NTFS volumes, you use file and folder permissions and ownership, in addition to share permissions, to further constrain actions within the share. For FAT volumes, share permissions provide the only access controls, because FAT volumes have no file and folder permission capabilities.

File and folder permissions are much more complex than share permissions, and to really understand how they can be used and applied, you must understand ownership and inheritance as well as the permissions that are available.

File and Folder Ownership

Before working with file and folder permissions, you should understand the concept of ownership as it applies to files and folders. In Windows Server 2003, the file or folder owner isn't necessarily the file or folder's creator. Instead, the file or folder owner is the person who has direct control over the file or folder. File or folder owners can grant access permissions and give other users permission to take ownership of a file or folder.

The way ownership is assigned initially depends on where the file or folder is being created. By default, the user who created the file or folder is listed as the current owner. Ownership can be taken or transferred in several ways. Any administrator can take ownership. Any user or group with the Take Ownership permission can take ownership. Any user who has the right to Restore Files And Directories, such as a member of the Backup Operators group, can take ownership as well. Any current owner can transfer ownership to another user as well.

Taking Ownership of a File or Folder

You can take ownership using a file or folder's Properties dialog box. Right-click the file or folder, and then select Properties. In the Security tab of the Properties dialog box, display the Advanced Security Settings dialog box by clicking Advanced. Next, select the Owner tab, as shown in Figure 21-16. In the Change Owner To list box, select the new owner. If you're taking ownership of a folder, you can take ownership of all subfolders and files within the folder by selecting the Replace Owner On Subcontainers And Objects option. Click OK twice when you are finished.


Figure 21-16. Transferring ownership is done by using the Owner tab.

Transferring Ownership

If you are an administrator or a current owner of a file or folder, you can transfer ownership to another user by using a file or folder's Properties dialog box. In Windows Explorer, right-click the file or folder, and then select Properties. In the Security tab of the Properties dialog box, display the Advanced Security Settings dialog box by clicking the Advanced button. Next, select the Owner tab, as shown in Figure 21-16.

Click Other Users Or Groups to display the Select User, Computer, Or Group dialog box. Type the name of a user or group, and click Check Names. If multiple names match the value you entered, you'll see a list of names and will be able to choose the one you want to use. Otherwise, the name will be filled in for you, and you can click OK to close the Select User, Computer, Or Group dialog box. Under Change Owner To in the Owner tab of the Advanced Security Settings dialog box, the user you added is listed and selected. When you click OK, ownership is transferred to this user.

Permission Inheritance for Files and Folders

By default, when you add a folder or file to an existing folder, the folder or file inherits the permissions of the existing folder. For example, if the Domain Users group has access to a folder and you add a file to this folder, members of the Domain Users group will be able to access the file. Inherited permissions are automatically assigned when files and folders are created.

When you assign new permissions to a folder, the permissions propagate down and are inherited by all subfolders and files in the folder and supplement or replace existing permissions. If you add permissions on a folder to allow a new group to access a folder, these permissions are applied to all subfolders and files in the folder, meaning the additional group is granted access. On the other hand, if you were to change the permissions on the folder so that, for instance, only members of the Engineering group could access the folder, these permissions would be applied to all subfolders and files in the folder, meaning only members of the Engineering group would have access to the folder, its subfolders, and its files.

Inheritance is automatic. If you do not want the permissions of subfolders and files within folders to supplement or replace existing permissions, you must override inheritance starting with the top-level folder from which the permissions are inherited. A top-level folder is referred to as a parent folder. Files and folders below the parent folder are referred to as child files and folders. This is identical to the parent/child structure of objects in Active Directory.

Changing Shaded Permissions and Stopping Inheritance

If a permission you want to change is shaded, the file or folder is inheriting the permission from a parent folder. To change the permission, you must do one of the following:

  • Access the parent folder and make the desired changes. These changes will then be inherited by child folders and files.

  • Select the opposite permission to override the inherited permission if possible. In most cases, Deny overrides Allow, so if you explicitly deny a permission to a user or group on a child folder or file, that user or group is denied the permission regardless of the inherited Allow.

  • Stop inheriting permissions from the parent folder and then copy or remove existing permissions as appropriate.

To stop inheriting permissions from a parent folder, right-click the file or folder in Windows Explorer, and then select Properties. In the Security tab of the Properties dialog box, click Advanced to display the Advanced Security Settings dialog box shown in Figure 21-17.


Figure 21-17. Change inheritance as necessary.

Clear Allow Inheritable Permissions From The Parent To Propagate To This Object. As shown in Figure 21-18, you now have the opportunity to copy over the permissions that were previously applied or remove the inherited permission and only apply the permissions that you explicitly set on the folder or file. Click Copy or Remove as appropriate.


Figure 21-18. Copy over or remove the inherited permissions.

Resetting and Replacing Permissions

Another way to manage permissions is to reset the permissions of subfolders and files within a folder, replacing their permissions with the current permissions assigned to the folder you are working with. In this way, subfolders and files get all inheritable permissions from the parent folder and all other explicitly defined permissions on the individual subfolders and files are removed.

To reset permissions for subfolders and files of a folder, right-click the file or folder in Windows Explorer, and then select Properties. In the Security tab of the Properties dialog box, click Advanced to display the Advanced Security Settings dialog box shown previously in Figure 21-17.

Select Replace Permission Entries On All Child Objects With Entries Shown Here, and click OK. As shown in Figure 21-19, you will see a prompt explaining that this action will remove all explicitly defined permissions and enable propagation of inheritable permissions. Click Yes.


Figure 21-19. Confirm that you want to replace the existing permissions on subfolders and files.

Configuring File and Folder Permissions

On NTFS volumes, you can assign access permissions to files and folders. These permissions grant or deny access to users and groups.

Basic Permissions

In Windows Explorer you can view basic permissions by right-clicking the file or folder you want to work with, selecting Properties on the shortcut menu, and then in the Properties dialog box selecting the Security tab, as shown in Figure 21-20. The Group Or User Names list shows groups and users with assigned permissions. If you select a group or user in this list, the applicable permissions are shown in the Permissions For list. If permissions are unavailable, it means the permissions are inherited from a parent folder as discussed previously.


Figure 21-20. The Security tab shows the basic permissions assigned to each user or group.

The basic permissions you can assign to folders and files are shown in Table 21-1 and Table 21-2. These permissions are made up of multiple special permissions.

Table 21-1. Basic Folder Permissions

| Permission           | Description |
|----------------------|-------------|
| Full Control         | This permission permits reading, writing, changing, and deleting files and subfolders. If a user has Full Control over a folder, she can delete files in the folder regardless of the permission on the files. |
| Modify               | This permission permits reading and writing of files and subfolders; allows deletion of the folder. |
| List Folder Contents | This permission permits viewing and listing files and subfolders as well as executing files; inherited by folders only. |
| Read & Execute       | This permission permits viewing and listing files and subfolders as well as executing files; inherited by files and folders. |
| Write                | This permission permits adding files and subfolders. |
| Read                 | This permission permits viewing and listing files and subfolders. |

Table 21-2. Basic File Permissions

| Permission     | Description |
|----------------|-------------|
| Full Control   | This permission permits reading, writing, changing, and deleting the file. |
| Modify         | This permission permits reading and writing of the file; allows deletion of the file. |
| Read & Execute | This permission permits viewing and accessing the file's contents as well as executing the file. |
| Write          | This permission permits writing to a file. Giving a user permission to write to a file but not to delete it doesn't prevent the user from deleting the file's contents. |
| Read           | This permission permits viewing or accessing the file's contents. Read is the only permission needed to run scripts. Read access is required to access a shortcut and its target. |

You can set basic permissions for files and folders by following these steps:

  1. In Windows Explorer, right-click the file or folder you want to work with, and select Properties. In the Properties dialog box select the Security tab, shown previously in Figure 21-20.

  2. Users or groups that already have access to the file or folder are listed in the Name list box. You can change permissions for these users and groups by selecting the user or group you want to change and using the Permissions list box to grant or deny access permissions.

  3. The Locations button allows you to access account names from other domains. Click Locations to see a list of the current domain, trusted domains, and other resources that you can access. Because of the transitive trusts in Windows Server 2003, you can usually access all the domains in the domain tree or forest.

  4. Type the name of a user or group account in the selected or default domain, and then click Check Names. The options available depend on the number of matches found as follows:

    • When a single match is found, the dialog box is automatically updated as appropriate and the entry is underlined.

    • When no matches are found, you've either entered an incorrect name part or you're working with an incorrect location. Modify the name and try again, or click Locations to select a new location.

    • If multiple matches are found, select the name(s) you want to use, and then click OK.

  5. To add additional users or groups, type a semicolon (;), and then repeat this process.

  6. When you click OK, the users and groups are added to the Name list for the file or folder. Configure access permissions for each user and group added by selecting an account name and then allowing or denying access permissions. If a user or group should be granted access permissions, select the permission in the Allow column. If a user or group should be denied access permissions, select the permission in the Deny column.

  7. When you're finished, click OK.

Special Permissions

In Windows Explorer you can view special permissions by right-clicking the file or folder you want to work with and selecting Properties on the shortcut menu. In the Properties dialog box, select the Security tab, and then click Advanced to display the Advanced Security Settings dialog box, as shown in Figure 21-21.


Figure 21-21. The Advanced Security Settings dialog box can be used to access the special permissions assigned to each user or group.

The special permissions available are as follows:

  • Traverse Folder/Execute File: Traverse Folder lets you directly access a folder even if you don't have explicit access to read the data it contains. Execute File lets you run an executable file.

  • List Folder/Read Data: List Folder lets you view file and folder names. Read Data lets you view the contents of a file.

  • Read Attributes: Lets you read the basic attributes of a file or folder. These attributes include Read-Only, Hidden, System, and Archive.

  • Read Extended Attributes: Lets you view the extended attributes (named data streams) associated with a file. As discussed in Chapter 20, these include Summary fields, such as Title, Subject, and Author, as well as other types of data.

  • Create Files/Write Data: Create Files lets you put new files in a folder. Write Data allows you to overwrite existing data in a file (but not add new data to an existing file because this is covered by Append Data).

  • Create Folders/Append Data: Create Folders lets you create subfolders within folders. Append Data allows you to add data to the end of an existing file (but not to overwrite existing data because this is covered by Write Data).

  • Write Attributes: Lets you change the basic attributes of a file or folder. These attributes include Read-Only, Hidden, System, and Archive.

  • Write Extended Attributes: Lets you change the extended attributes (named data streams) associated with a file. As discussed in Chapter 20, these include Summary fields, such as Title, Subject, and Author, as well as other types of data.

  • Delete Subfolders and Files: Lets you delete the contents of a folder. If you have this permission, you can delete the subfolders and files in a folder even if you don't specifically have Delete permission on the subfolder or file.

  • Delete: Lets you delete a file or folder. If a folder isn't empty and you don't have Delete permission for one of its files or subfolders, you won't be able to delete it. You can do this only if you have Delete Subfolders and Files permission.

  • Read Permissions: Lets you read all basic and special permissions assigned to a file or folder.

  • Change Permissions: Lets you change basic and special permissions assigned to a file or folder.

  • Take Ownership: Lets you take ownership of a file or folder. By default administrators can always take ownership of a file or folder and can also grant this permission to others.

Table 21-3 and Table 21-4 show how special permissions are combined to make the basic permissions for files and folders. Because special permissions are combined to make the basic permissions, they are also referred to as atomic permissions.

Table 21-3. Special Permissions for Folders

| Special Permissions          | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write |
|------------------------------|--------------|--------|----------------|----------------------|------|-------|
| Traverse Folder/Execute File | X            | X      | X              | X                    |      |       |
| List Folder/Read Data        | X            | X      | X              | X                    | X    |       |
| Read Attributes              | X            | X      | X              | X                    | X    |       |
| Read Extended Attributes     | X            | X      | X              | X                    | X    |       |
| Create Files/Write Data      | X            | X      |                |                      |      | X     |
| Create Folders/Append Data   | X            | X      |                |                      |      | X     |
| Write Attributes             | X            | X      |                |                      |      | X     |
| Write Extended Attributes    | X            | X      |                |                      |      | X     |
| Delete Subfolders And Files  | X            |        |                |                      |      |       |
| Delete                       | X            | X      |                |                      |      |       |
| Read Permissions             | X            | X      | X              | X                    | X    | X     |
| Change Permissions           | X            |        |                |                      |      |       |
| Take Ownership               | X            |        |                |                      |      |       |

Table 21-4. Special Permissions for Files

| Special Permissions          | Full Control | Modify | Read & Execute | Read | Write |
|------------------------------|--------------|--------|----------------|------|-------|
| Traverse Folder/Execute File | X            | X      | X              |      |       |
| List Folder/Read Data        | X            | X      | X              | X    |       |
| Read Attributes              | X            | X      | X              | X    |       |
| Read Extended Attributes     | X            | X      | X              | X    |       |
| Create Files/Write Data      | X            | X      |                |      | X     |
| Create Folders/Append Data   | X            | X      |                |      | X     |
| Write Attributes             | X            | X      |                |      | X     |
| Write Extended Attributes    | X            | X      |                |      | X     |
| Delete Subfolders and Files  | X            |        |                |      |       |
| Delete                       | X            | X      |                |      |       |
| Read Permissions             | X            | X      | X              | X    | X     |
| Change Permissions           | X            |        |                |      |       |
| Take Ownership               | X            |        |                |      |       |

You can set special permissions for files and folders in Windows Explorer. Right-click the file or folder you want to work with, and then select Properties. In the Properties dialog box, select the Security tab, and then click Advanced. This displays the dialog box shown previously in Figure 21-21. You now have the following options:

  • Add: Adds a user or group. Click Add to display the Select User, Computer, Or Group dialog box. Type the name of a user or group, and click Check Names. If multiple names match the value you entered, you'll see a list of names and will be able to choose the one you want to use. Otherwise, the name will be filled in for you. When you click OK, the Permission Entry For dialog box shown in Figure 21-22 is displayed.

    Figure 21-22. Use the Permission Entry For dialog box to set special permissions.

  • Edit: Edits an existing user or group entry. Select the user or group whose permissions you want to modify, and then click Edit. The Permission Entry For dialog box shown in Figure 21-22 is displayed.

  • Remove: Removes an existing user or group entry. Select the user or group whose permissions you want to remove, and then click Remove.

If you are adding or editing entries for users or groups, you use the Permission Entry For dialog box to grant or deny special permissions. Select Allow or Deny for each permission as appropriate. When finished, use the Apply Onto options shown in Table 21-5 to determine how and where these permissions are applied. If you want to prevent subfolders and files from inheriting these permissions, select Apply These Permissions To Objects And/Or Containers Within This Container Only. When you do this, all the related entries in Table 21-5 are No. This means the settings no longer apply onto subsequent subfolders or to files in subsequent subfolders.

Table 21-5. Special Permissions Apply Onto Options

| Apply Onto                         | Applies to Current Folder | Applies to Subfolders in the Current Folder | Applies to Files in the Current Folder | Applies to Subsequent Subfolders | Applies to Files in Subsequent Subfolders |
|------------------------------------|-----|-----|-----|-----|-----|
| This folder only                   | Yes | No  | No  | No  | No  |
| This folder, subfolders, and files | Yes | Yes | Yes | Yes | Yes |
| This folder and subfolders         | Yes | Yes | No  | Yes | No  |
| This folder and files              | Yes | No  | Yes | No  | Yes |
| Subfolders and files only          | No  | Yes | Yes | Yes | Yes |
| Subfolders only                    | No  | Yes | No  | Yes | No  |
| Files only                         | No  | No  | Yes | No  | Yes |

Note

When Apply These Permissions To Objects And/Or Containers Within This Container Only is selected, all the values under Applies To Subsequent Subfolders and Applies To Files In Subsequent Subfolders are No. The settings no longer apply onto subsequent subfolders or to files in subsequent subfolders.
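The Apply Onto behavior in Table 21-5 and the Note above, and the parent/child inheritance described under "Permission Inheritance for Files and Folders", modeled in Python as an added example that is not from the book or from Windows. Windows stores an entry's Apply Onto choice as three inheritance flags (container inherit, object inherit, inherit only) plus the "within this container only" option; the model reduces each Apply Onto choice to those flags, walks a constructed folder tree, and derives the five Yes/No columns of each table row by observing which objects the entry reaches. The folder and file names are constructed for the example.

```python
"""Model of how a permission entry's Apply Onto setting propagates through a
folder tree. Added example, not code from the book or part of Windows: it
reduces the seven Apply Onto choices in Table 21-5 to the three flags an entry
carries (container inherit, object inherit, inherit only) plus the "apply to
objects and/or containers within this container only" option, then walks a
constructed tree to find every object the entry reaches."""
from dataclasses import dataclass, field

# Apply Onto choice -> (container_inherit, object_inherit, inherit_only).
# container_inherit: subfolders receive the entry; object_inherit: files
# receive it; inherit_only: the folder the entry is set on does not.
APPLY_ONTO = {
    "This folder only":                   (False, False, False),
    "This folder, subfolders, and files": (True,  True,  False),
    "This folder and subfolders":         (True,  False, False),
    "This folder and files":              (False, True,  False),
    "Subfolders and files only":          (True,  True,  True),
    "Subfolders only":                    (True,  False, True),
    "Files only":                         (False, True,  True),
}


@dataclass
class Node:
    """One folder or file in a constructed tree (names are made up)."""
    name: str
    is_folder: bool
    children: list = field(default_factory=list)


def reach(folder, apply_onto, this_container_only=False):
    """Return the set of paths that an entry set on `folder` applies to."""
    ci, oi, io = APPLY_ONTO[apply_onto]
    hit = set()
    if not io:
        hit.add(folder.name)
    for child in folder.children:
        _walk(child, folder.name + "/" + child.name, ci, oi,
              this_container_only, 1, hit)
    return hit


def _walk(node, path, ci, oi, no_propagate, depth, hit):
    # A child receives the entry when its kind is selected (CI for folders,
    # OI for files). With "within this container only" the inherited copy
    # loses its inheritance flags, so nothing below depth 1 receives it.
    selected = ci if node.is_folder else oi
    if selected and (depth == 1 or not no_propagate):
        hit.add(path)
    for child in node.children:
        _walk(child, path + "/" + child.name, ci, oi, no_propagate,
              depth + 1, hit)


def table_row(apply_onto, this_container_only=False):
    """Derive the five Yes/No columns of Table 21-5 for one Apply Onto choice
    by probing a constructed tree: the folder itself, a subfolder, a file,
    a subfolder of the subfolder, and a file inside the subfolder."""
    tree = Node("Projects", True, [
        Node("Specs", True, [
            Node("Drafts", True),
            Node("spec.doc", False),
        ]),
        Node("readme.txt", False),
    ])
    hit = reach(tree, apply_onto, this_container_only)
    probes = ["Projects", "Projects/Specs", "Projects/readme.txt",
              "Projects/Specs/Drafts", "Projects/Specs/spec.doc"]
    return tuple("Yes" if p in hit else "No" for p in probes)


if __name__ == "__main__":
    for choice in APPLY_ONTO:
        print(f"{choice:36} {table_row(choice)}")
    print("With 'within this container only':",
          table_row("This folder, subfolders, and files", True))
```

Running the block prints one line per Apply Onto choice, matching the table row for row; the last line shows that with the "within this container only" option the two "subsequent" columns turn to No while the current folder, its subfolders and its files are unaffected, which is the behavior the Note describes. The model only answers "does the entry reach this object"; whether the entry then grants or denies anything is a separate evaluation.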

Determining Effective Permissions

Navigating the complex maze of permissions can be daunting even for the best administrators. Sometimes it won't be clear how a particular permission set will be applied to a particular user or group. If you ever want to know exactly how the current permissions will be applied to a particular user or group, you can use a handy tool called Effective Permissions.

Effective Permissions applies only to file and folder permissions—not share permissions—and is an option of the Advanced Security Settings dialog box. To get to it from Windows Explorer, right-click the file or folder you want to work with, and select Properties. In the Properties dialog box, select the Security tab, and then click Advanced. To see how permissions will be applied to a user or group, click the Effective Permissions tab, click Select, type the name of the user or group, and then click OK. The Effective Permissions for the selected user or group are displayed as shown in Figure 21-23.


Figure 21-23. Use Effective Permissions to help you determine how permissions will be applied to a specific user or group.

Effective Permissions does have the following limitations:

  • You need the proper access permissions to view the effective permissions of a user or group. This may go without saying, but it is important to point out.

  • You cannot determine permissions for global or universal security groups that are nested in domain local groups. For example, by default Users has access to most folders, and one of its members is Domain Users, which is a global security group. If you try to determine the effective permissions for Domain Users, no permissions are displayed.

  • You cannot determine the effective permissions for implicit groups or special identities, such as Everyone, Interactive, Domain Controllers, Local Service, or Network Service.
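The two ideas this chapter builds on, special permissions combining into the basic permissions of Table 21-3 and Allow and Deny entries combining into a user's effective permissions (Deny overriding Allow, as noted under "Changing Shaded Permissions and Stopping Inheritance"), modeled in Python as an added example that is not from the book or from the Windows API. It encodes the folder rows of Table 21-3 as bit flags, treats Allow entries as a union and Deny entries as a subtraction, and reports the result as basic permissions the way the Effective Permissions tab does. The principals, group memberships and entries are constructed for the example, and the model takes the user's group list as given rather than resolving nested groups, so it shares the nested-group limitation listed above.

```python
"""Model of how special (atomic) permissions combine into basic permissions and
how Allow and Deny entries combine into effective permissions. Added example,
not code from the book or the Windows API: it encodes the folder rows of
Table 21-3 as bit flags and evaluates a constructed list of permission entries
the way the Effective Permissions tab reports them."""
from dataclasses import dataclass
from enum import Flag, auto


class Special(Flag):
    """The 13 special permissions, one bit each (order as in Table 21-3)."""
    TRAVERSE_FOLDER_EXECUTE_FILE = auto()
    LIST_FOLDER_READ_DATA = auto()
    READ_ATTRIBUTES = auto()
    READ_EXTENDED_ATTRIBUTES = auto()
    CREATE_FILES_WRITE_DATA = auto()
    CREATE_FOLDERS_APPEND_DATA = auto()
    WRITE_ATTRIBUTES = auto()
    WRITE_EXTENDED_ATTRIBUTES = auto()
    DELETE_SUBFOLDERS_AND_FILES = auto()
    DELETE = auto()
    READ_PERMISSIONS = auto()
    CHANGE_PERMISSIONS = auto()
    TAKE_OWNERSHIP = auto()


S = Special
# Basic folder permissions, built from the X marks in Table 21-3.
READ = (S.LIST_FOLDER_READ_DATA | S.READ_ATTRIBUTES
        | S.READ_EXTENDED_ATTRIBUTES | S.READ_PERMISSIONS)
WRITE = (S.CREATE_FILES_WRITE_DATA | S.CREATE_FOLDERS_APPEND_DATA
         | S.WRITE_ATTRIBUTES | S.WRITE_EXTENDED_ATTRIBUTES | S.READ_PERMISSIONS)
READ_EXECUTE = READ | S.TRAVERSE_FOLDER_EXECUTE_FILE
# List Folder Contents has the same bits as Read & Execute; the two differ only
# in how they are inherited (folders only versus files and folders).
LIST_FOLDER_CONTENTS = READ_EXECUTE
MODIFY = READ_EXECUTE | WRITE | S.DELETE
FULL_CONTROL = (MODIFY | S.DELETE_SUBFOLDERS_AND_FILES
                | S.CHANGE_PERMISSIONS | S.TAKE_OWNERSHIP)

BASIC = {
    "Full Control": FULL_CONTROL,
    "Modify": MODIFY,
    "Read & Execute": READ_EXECUTE,
    "List Folder Contents": LIST_FOLDER_CONTENTS,
    "Read": READ,
    "Write": WRITE,
}


def basic_permissions(granted):
    """Name every basic permission whose special permissions are all in `granted`."""
    return [name for name, bits in BASIC.items() if (granted & bits) == bits]


@dataclass(frozen=True)
class Entry:
    """One Allow or Deny entry on a folder (principal names are constructed)."""
    principal: str
    allow: bool
    rights: Special


def effective(entries, user, groups):
    """Effective special permissions for `user`, who belongs to `groups`:
    the union of everything allowed to the user or any group, minus everything
    denied to any of them. An explicit Deny overrides Allow."""
    who = {user, *groups}
    allowed = Special(0)
    denied = Special(0)
    for e in entries:
        if e.principal in who:
            if e.allow:
                allowed |= e.rights
            else:
                denied |= e.rights
    return allowed & ~denied


# Constructed entries on a folder: Engineering may modify, all domain users may
# read and run, and Contractors are explicitly denied any form of deletion.
SAMPLE_ENTRIES = [
    Entry("Engineering", True, MODIFY),
    Entry("Domain Users", True, READ_EXECUTE),
    Entry("Contractors", False, S.DELETE | S.DELETE_SUBFOLDERS_AND_FILES),
]


if __name__ == "__main__":
    for user, groups in [("alice", {"Engineering", "Domain Users"}),
                         ("bob", {"Engineering", "Contractors"})]:
        rights = effective(SAMPLE_ENTRIES, user, groups)
        print(user, basic_permissions(rights))
```

Alice, who is in Engineering and Domain Users, ends up with Modify (and everything Modify contains). Bob is also in Engineering, but his Contractors membership carries a Deny on Delete, so the Modify entry no longer fully applies to him: the tab would show Read & Execute, List Folder Contents, Read and Write, with Delete unchecked. That is the practical reason to check Effective Permissions rather than reading the entry list: a single Deny on any group the user belongs to silently removes part of a basic permission granted elsewhere.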
