NTFS Permissions

March 1, 2009

In the NT/2000/XP world, every folder and file on an NTFS partition has a list that contains two sets of data. First, the list details every user and group that has access to that file or folder. Second, the list specifies the level of access that each user or group has to that file or folder. The level of access is defined by a set of restrictions called “Permissions.”

Permissions – These define exactly what a particular account can or cannot do to the file or folder and are thus quite detailed and powerful. You can make it possible, for example, for a person to edit a file but not delete it. You can create a folder and not allow other people to make subfolders.

Ownership – When you create a new file or folder on an NTFS partition, you become the owner of that file or folder. A newly-created file or folder by default gives full permission for everyone to access, delete and otherwise manipulate that file or folder. Owners can do anything they want to the files or folders they own, including changing the permissions to prevent others from accessing them.

Take Ownership – One special permission, however, called Take Ownership, enables anyone with that permission to do just that – seize control of a file or folder. Administrator accounts have Take Ownership permission for everything.

Change Permissions – An account with this permission can take away permissions for other accounts.

Folder Permissions – In Windows NT/2000/XP, every folder in an NTFS partition has a Security tab. Every Security tab contains two main areas. The top area shows the list of accounts that have permissions for that resource; the lower area shows exactly what permissions have been assigned to the selected account.

Windows permissions are quite powerful and complex. The entries shown in the permission area, for example, are not really individual permissions, but rather preset combinations of permissions that cover the most common types of access. Click the Advanced button, and then click View/Edit to see the real NTFS permissions; Microsoft calls them special permissions. Even the most advanced NT/2000/XP support people rarely need to access these.
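To make the preset-versus-special distinction concrete, here is an added PowerShell example (not code from the original post) that expands a preset such as Modify or Full Control into the special permissions it contains, and then uses that expansion to list who holds the two entries singled out above, Take Ownership and Change Permissions, on a folder. The folder path `C:\Shares\Finance` at the end is a placeholder; the two rules built for the demonstration are constructed in memory and touch no files.

```powershell
# Added example (not from the original post): expand a FileSystemRights mask
# into the NTFS special permissions behind it, and flag the two special
# permissions the text singles out: Take Ownership and Change Permissions.

# One name per bit. ListDirectory, CreateFiles, CreateDirectories and Traverse
# share bits with ReadData, WriteData, AppendData and ExecuteFile respectively,
# so only the file-oriented names are listed.
$script:SpecialPermissions = @(
    'ReadData', 'WriteData', 'AppendData', 'ReadExtendedAttributes',
    'WriteExtendedAttributes', 'ExecuteFile', 'DeleteSubdirectoriesAndFiles',
    'ReadAttributes', 'WriteAttributes', 'Delete', 'ReadPermissions',
    'ChangePermissions', 'TakeOwnership', 'Synchronize'
)

function Expand-FileSystemRights {
    param([Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $Rights)
    # Return every special permission whose bit is set in the mask.
    foreach ($name in $script:SpecialPermissions) {
        $bit = [System.Security.AccessControl.FileSystemRights] $name
        if (($Rights -band $bit) -eq $bit) { $name }
    }
}

function Get-SensitiveRightsHolders {
    param([Parameter(Mandatory)] [string] $Path)
    # Report the owner plus every entry that carries Take Ownership or
    # Change Permissions: the rights that can undo any other restriction.
    $acl = Get-Acl -LiteralPath $Path
    [pscustomobject]@{ Path = $Path; Owner = $acl.Owner }
    foreach ($ace in $acl.Access) {
        $special = @(Expand-FileSystemRights $ace.FileSystemRights)
        $sensitive = @('TakeOwnership', 'ChangePermissions') | Where-Object { $special -contains $_ }
        if ($sensitive) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType
                Preset    = $ace.FileSystemRights.ToString()
                Sensitive = $sensitive -join ', '
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed rules, no file system access needed: the "Modify" and
# "Full Control" presets granted to the Users group.
foreach ($preset in 'Modify', 'FullControl') {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList 'BUILTIN\Users', $preset, 'Allow'
    "{0,-12} = {1}" -f $preset, ((Expand-FileSystemRights $rule.FileSystemRights) -join ', ')
}

# Against a real folder (placeholder path; run on Windows):
# Get-SensitiveRightsHolders -Path 'C:\Shares\Finance' | Format-Table -AutoSize
```

Modify expands to the read, write, execute, attribute and delete bits plus Read Permissions and Synchronize; Full Control adds Delete Subfolders and Files, Change Permissions and Take Ownership, which is exactly why the report above treats those last two as sensitive. Inherit-only entries that carry generic rights show up in `Get-Acl` output as a bare number rather than a preset name and expand to nothing here; that is normal and not a sign of a broken ACL.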

File Permissions – File permissions are quite similar to folder permissions. Permissions are cumulative, and they accumulate according to inheritance. There is an inheritance relationship between a folder and the files or subfolders that it contains. Permissions that are configured on a folder are passed down, or inherited, to the contents of that folder by default. This means that if you have Full Control on a folder, you get Full Control on the files in that folder. If you look at the bottom of the Security tab, you will see a little check box that says, “Allow inheritable permissions from parent to propagate to this object.” In other words, any files or subfolders created in this folder get the same permissions for the same users/groups that the folder has. Clearing that check box lets you stop a user from getting a specific permission via inheritance. Windows 2000 and XP (unlike Windows NT) provide explicit Deny functions for each option.
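The two mechanisms in this paragraph, blocked inheritance and explicit Deny entries, are also the two things an administrator reviewing a file server wants surfaced, because each one is a place where the ACL no longer matches what the parent folder suggests. The added PowerShell example below (not code from the original post) builds a small constructed folder tree under `$env:TEMP`, clears the inheritance box on one subfolder while keeping copies of the inherited entries, adds an explicit Deny of Delete for the Users group, and then walks the tree reporting every entry that is either not inherited or a Deny. The folder names and the choice of `BUILTIN\Users` are assumptions for the demonstration.

```powershell
# Added example (not from the original post): report the places in a folder
# tree where the inheritance picture described above has been changed by hand.

function Get-InheritanceExceptions {
    param([Parameter(Mandatory)] [string] $Root)
    # Include the root itself and everything below it.
    $items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            # Inherited Allow entries are the expected case; skip them.
            if ($ace.IsInherited -and $ace.AccessControlType -eq 'Allow') { continue }
            [pscustomobject]@{
                Path               = $item.FullName
                InheritanceBlocked = $acl.AreAccessRulesProtected   # the check box cleared
                Identity           = $ace.IdentityReference.Value
                Type               = $ace.AccessControlType
                Rights             = $ace.FileSystemRights
                Inherited          = $ace.IsInherited
            }
        }
    }
}

# --- constructed demo tree (assumed names) ---------------------------------
$demoRoot = Join-Path $env:TEMP ('ntfs-demo-' + [guid]::NewGuid())
$reports  = Join-Path $demoRoot 'Reports'
New-Item -ItemType Directory -Path $reports -Force | Out-Null

# 1. Clear "Allow inheritable permissions from parent to propagate" on Reports.
#    The second argument keeps explicit copies of the inherited entries so
#    nobody loses access when inheritance stops.
$acl = Get-Acl -LiteralPath $reports
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $reports -AclObject $acl

# 2. Add an explicit Deny of Delete for Users on Reports and its contents.
#    Deny entries are evaluated before Allow entries, so a member of Users
#    who still holds Modify cannot delete anything here.
$deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'BUILTIN\Users', 'Delete', 'ContainerInherit,ObjectInherit', 'None', 'Deny'
$acl = Get-Acl -LiteralPath $reports
$acl.AddAccessRule($deny)
Set-Acl -LiteralPath $reports -AclObject $acl

# 3. Audit: Reports shows InheritanceBlocked = True, its copied entries show
#    Inherited = False, and the Deny for Users is listed.
Get-InheritanceExceptions -Root $demoRoot | Format-Table -AutoSize

# Clean up: lift the Deny first (the current user is a member of Users too),
# then remove the demo tree.
$acl = Get-Acl -LiteralPath $reports
$acl.RemoveAccessRule($deny) | Out-Null
Set-Acl -LiteralPath $reports -AclObject $acl
Remove-Item -LiteralPath $demoRoot -Recurse -Force
```

Run it in an elevated PowerShell on Windows; the `$env:TEMP` location is chosen so that the account running it already owns the tree and can change its permissions. The pattern of `SetAccessRuleProtection($true, $true)` followed by an explicit Deny is the scripted equivalent of clearing the check box and then adding a Deny entry in the Security tab, and `Get-InheritanceExceptions` is the check you would schedule against a real share to find where that has been done.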
