File and Folder Permissions


On NTFS volumes , you can set security permissions on files and folders. These permissions grant or deny access to the files and folders. You can view security permissions for files and folders by completing the following steps:

  1. In Windows Explorer, right-click the file or folder you want to work with.

  2. From the shortcut menu, select Properties, and then in the Properties dialog box select the Security tab.

  3. In the Name list box, select the user , computer, or group whose permissions you want to view. If the permissions are dimmed, it means the permissions are inherited from a parent object.

Understanding File and Folder Permissions

The basic permissions you can assign to files and folders are summarized in Table 14-3. File permissions include Full Control, Modify, Read & Execute, Read, and Write. Folder permissions include Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write.

Table 14-3. File and Folder Permissions Used by Windows Server 2003

Permission

Meaning for Folders

Meaning for Files

Read

Permits viewing and listing files and subfolders

Permits viewing or accessing the file's contents

Write

Permits adding files and subfolders

Permits writing to a file

Read & Execute

Permits viewing and listing files and subfolders as well as executing files; inherited by files and folders

Permits viewing and accessing the file's contents as well as executing the file

List Folder Contents

Permits viewing and listing files and subfolders as well as executing files; inherited by folders only

N/A

Modify

Permits reading and writing of files and subfolders; allows deletion of the folder

Permits reading and writing of the file; allows deletion of the file

Full Control

Permits reading, writing, changing, and deleting files and subfolders

Permits reading, writing, changing and deleting the file

Anytime you work with file and folder permissions, you should keep the following in mind:

  • Read is the only permission needed to run scripts. Execute permission doesn't matter.

  • Read access is required to access a shortcut and its target.

  • Giving a user permission to write to a file but not to delete it doesn't prevent the user from deleting the file's contents. A user can still delete the contents.

  • If a user has full control over a folder, the user can delete files in the folder regardless of the permission on the files.

The basic permissions are created by combining special permissions in logical groups. Table 14-4 shows special permissions used to create the basic permissions for files. Using advanced permission settings, you can assign these special permissions individually, if necessary. As you study the special permissions, keep the following in mind:

  • If no access is specifically granted or denied, the user is denied access.

  • Actions that users can perform are based on the sum of all the permissions assigned to the user and to all the groups the user is a member of. For example, if the user GeorgeJ has Read access and is a member of the group Techies that has Change access, GeorgeJ will have Change access. If Techies is in turn a member of Administrators, which has Full Control, GeorgeJ will have complete control over the file.

Table 14-4. Special Permissions for Files

Special Permissions

Basic Permissions

Full Control

Modify

Read & Execute

Read

Write

Traverse Folder/ Execute File

Yes

Yes

Yes

List Folder/Read Data

Yes

Yes

Yes

Yes

Read Attributes

Yes

Yes

Yes

Yes

Read Extended Attributes

Yes

Yes

Yes

Yes

Create Files/Write Data

Yes

Yes

Yes

Create Folders/ Append Data

Yes

Yes

Yes

Write Attributes

Yes

Yes

Yes

Write Extended Attributes

Yes

Yes

Yes

Delete Subfolders and Files

Yes

Delete

Yes

Yes

Read Permissions

Yes

Yes

Yes

Yes

Yes

Change Permissions

Yes

Take Ownership

Yes

Table 14-5 shows special permissions used to create the basic permissions for folders. As you study the special permissions, keep the following in mind:

  • When you set permissions for parent folders, you can force all files and subfolders within the folder to inherit the permissions. You do this by selecting Reset Permissions On All Child Objects And Enable Propagation Of Inheritable Permissions.

  • When you create files in folders, these files inherit certain permission settings. These permission settings are shown as the default file permissions.

Table 14-5. Special Permissions for Folders

Special Permissions

Basic Permissions

Full Control

Modify

Read & Execute

List Folder Contents

Read

Write

Traverse Folder/ Execute File

Yes

Yes

Yes

Yes

List Folder/Read Data

Yes

Yes

Yes

Yes

Yes

Read Attributes

Yes

Yes

Yes

Yes

Yes

Read Extended Attributes

Yes

Yes

Yes

Yes

Yes

Create Files/Write Data

Yes

Yes

Yes

Create Folders/ Append Data

Yes

Yes

Yes

Write Attributes

Yes

Yes

Yes

Write Extended Attributes

Yes

Yes

Yes

Delete Subfolders And Files

Yes

Delete

Yes

Yes

Read Permissions

Yes

Yes

Yes

Yes

Yes

Yes

Change Permissions

Yes

Take Ownership

Yes

Setting File and Folder Permissions

To set permissions for files and folders, follow these steps:

  1. In Windows Explorer, right-click the file or folder you want to work with.

  2. From the shortcut menu, select Properties, and then in the Properties dialog box select the Security tab, shown in Figure 14-10.

  3. Users or groups that already have access to the file or folder are listed in the Name list box. You can change permissions for these users and groups by doing the following:

    • Select the user or group you want to change.

    • Use the Permissions list box to grant or deny access permissions.

    Tip

    Inherited permissions are shaded. If you want to override an inherited permission, select the opposite permission.


    Figure 14-10. Use the Security tab to configure basic permissions for the file or folder.

    graphics/f14ap10.jpg

  4. To set access permissions for additional users, computers, or groups, click Add. This displays the Select Users, Computers, Or Groups dialog box shown in Figure 14-11.

    Figure 14-11. Select users, computers, and groups that should be granted or denied access using this dialog box.

    graphics/f14ap11.jpg

  5. Type the name of a user, computer, or group in the current domain and then click Check Names .

    • If a single match is found, the dialog box is automatically updated as appropriate and the entry is underlined .

    • If no matches are found, you've either entered an incorrect name part or you're working with an incorrect location. Modify the name and try again, or click Locations to select a new location.

    • If multiple matches are found, select the name(s) you want to use and then click OK. To add additional users, computers, or groups, type a semicolon ( ; ), and then repeat this step.

    Note

    The Locations button allows you to access account names from other domains. Click Locations to see a list of the current domain, trusted domains, and other resources that you can access. Because of the transitive trusts in Windows Server 2003, you can usually access all the domains in the domain tree or forest.


  6. In the Name list box, select the user, computer, or group you want to configure, and then use the fields in the Permissions area to allow or deny permissions. Repeat for other users, computers, or groups.

  7. Click OK when you're finished.



Microsoft Windows Server 2003 Administrator[ap]s Pocket Consultant
Microsoft Windows Server 2003 Administrator[ap]s Pocket Consultant
ISBN: 735622450
EAN: N/A
Year: 2003
Pages: 141

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net