On NTFS volumes , you can set security permissions on files and folders. These permissions grant or deny access to the files and folders. You can view security permissions for files and folders by completing the following steps: -
In Windows Explorer, right-click the file or folder you want to work with. -
From the shortcut menu, select Properties, and then in the Properties dialog box select the Security tab. -
In the Name list box, select the user , computer, or group whose permissions you want to view. If the permissions are dimmed, it means the permissions are inherited from a parent object. Understanding File and Folder Permissions The basic permissions you can assign to files and folders are summarized in Table 14-3. File permissions include Full Control, Modify, Read & Execute, Read, and Write. Folder permissions include Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. Table 14-3. File and Folder Permissions Used by Windows Server 2003 Permission | Meaning for Folders | Meaning for Files | Read | Permits viewing and listing files and subfolders | Permits viewing or accessing the file's contents | Write | Permits adding files and subfolders | Permits writing to a file | Read & Execute | Permits viewing and listing files and subfolders as well as executing files; inherited by files and folders | Permits viewing and accessing the file's contents as well as executing the file | List Folder Contents | Permits viewing and listing files and subfolders as well as executing files; inherited by folders only | N/A | Modify | Permits reading and writing of files and subfolders; allows deletion of the folder | Permits reading and writing of the file; allows deletion of the file | Full Control | Permits reading, writing, changing, and deleting files and subfolders | Permits reading, writing, changing and deleting the file | Anytime you work with file and folder permissions, you should keep the following in mind: -
Read is the only permission needed to run scripts. Execute permission doesn't matter. -
Read access is required to access a shortcut and its target. -
Giving a user permission to write to a file but not to delete it doesn't prevent the user from deleting the file's contents. A user can still delete the contents. -
If a user has full control over a folder, the user can delete files in the folder regardless of the permission on the files. The basic permissions are created by combining special permissions in logical groups. Table 14-4 shows special permissions used to create the basic permissions for files. Using advanced permission settings, you can assign these special permissions individually, if necessary. As you study the special permissions, keep the following in mind: -
If no access is specifically granted or denied, the user is denied access. -
Actions that users can perform are based on the sum of all the permissions assigned to the user and to all the groups the user is a member of. For example, if the user GeorgeJ has Read access and is a member of the group Techies that has Change access, GeorgeJ will have Change access. If Techies is in turn a member of Administrators, which has Full Control, GeorgeJ will have complete control over the file. Table 14-4. Special Permissions for Files Special Permissions | Basic Permissions | | Full Control | Modify | Read & Execute | Read | Write | Traverse Folder/ Execute File | Yes | Yes | Yes | | | List Folder/Read Data | Yes | Yes | Yes | Yes | | Read Attributes | Yes | Yes | Yes | Yes | | Read Extended Attributes | Yes | Yes | Yes | Yes | | Create Files/Write Data | Yes | Yes | | | Yes | Create Folders/ Append Data | Yes | Yes | | | Yes | Write Attributes | Yes | Yes | | | Yes | Write Extended Attributes | Yes | Yes | | | Yes | Delete Subfolders and Files | Yes | | | | | Delete | Yes | Yes | | | | Read Permissions | Yes | Yes | Yes | Yes | Yes | Change Permissions | Yes | | | | | Take Ownership | Yes | | | | | Table 14-5 shows special permissions used to create the basic permissions for folders. As you study the special permissions, keep the following in mind: -
When you set permissions for parent folders, you can force all files and subfolders within the folder to inherit the permissions. You do this by selecting Reset Permissions On All Child Objects And Enable Propagation Of Inheritable Permissions. -
When you create files in folders, these files inherit certain permission settings. These permission settings are shown as the default file permissions. Table 14-5. Special Permissions for Folders Special Permissions | Basic Permissions | | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write | Traverse Folder/ Execute File | Yes | Yes | Yes | Yes | | | List Folder/Read Data | Yes | Yes | Yes | Yes | Yes | | Read Attributes | Yes | Yes | Yes | Yes | Yes | | Read Extended Attributes | Yes | Yes | Yes | Yes | Yes | | Create Files/Write Data | Yes | Yes | | | | Yes | Create Folders/ Append Data | Yes | Yes | | | | Yes | Write Attributes | Yes | Yes | | | | Yes | Write Extended Attributes | Yes | Yes | | | | Yes | Delete Subfolders And Files | Yes | | | | | | Delete | Yes | Yes | | | | | Read Permissions | Yes | Yes | Yes | Yes | Yes | Yes | Change Permissions | Yes | | | | | | Take Ownership | Yes | | | | | | Setting File and Folder Permissions To set permissions for files and folders, follow these steps: -
In Windows Explorer, right-click the file or folder you want to work with. -
From the shortcut menu, select Properties, and then in the Properties dialog box select the Security tab, shown in Figure 14-10. -
Users or groups that already have access to the file or folder are listed in the Name list box. You can change permissions for these users and groups by doing the following: Tip Inherited permissions are shaded. If you want to override an inherited permission, select the opposite permission. Figure 14-10. Use the Security tab to configure basic permissions for the file or folder. -
To set access permissions for additional users, computers, or groups, click Add. This displays the Select Users, Computers, Or Groups dialog box shown in Figure 14-11. Figure 14-11. Select users, computers, and groups that should be granted or denied access using this dialog box. -
Type the name of a user, computer, or group in the current domain and then click Check Names . -
If a single match is found, the dialog box is automatically updated as appropriate and the entry is underlined . -
If no matches are found, you've either entered an incorrect name part or you're working with an incorrect location. Modify the name and try again, or click Locations to select a new location. -
If multiple matches are found, select the name(s) you want to use and then click OK. To add additional users, computers, or groups, type a semicolon ( ; ), and then repeat this step. Note The Locations button allows you to access account names from other domains. Click Locations to see a list of the current domain, trusted domains, and other resources that you can access. Because of the transitive trusts in Windows Server 2003, you can usually access all the domains in the domain tree or forest. -
In the Name list box, select the user, computer, or group you want to configure, and then use the fields in the Permissions area to allow or deny permissions. Repeat for other users, computers, or groups. -
Click OK when you're finished. |