Permissions: Tasks
NTFS permissions are the primary means of controlling access to filesystem resources on WS2003. To assign or modify NTFS permissions on a file or folder, you must either:
- Be the owner (creator) of the file or folder
- Have Full Control permission on the file or folder
- Be a member of the Administrators group
To assign NTFS permissions, you can use Windows Explorer or My Computer. The following procedures assume you have already selected the file or folder whose permissions you want to assign or modify.
Right-click on file → Properties → Security → Add → select domain → select user or group → Add → allow or deny standard permissions
Unless you explicitly allow different permissions, when you assign NTFS standard file permissions to a user or group, the default permissions assigned are Allow Read & Execute.
When you try to allow or deny different combinations of NTFS standard permissions, you will discover that not all combinations are allowed. For example, if you try to allow Full Control, then all five checkboxes under Allow automatically become checked. Table 4-41 shows the permissible combinations of NTFS standard permissions that can be assigned using the Security tab.
| Selecting (below) automatically selects (right) | Full Control | Modify | Read & Execute | Read | Write |
|---|---|---|---|---|---|
| Full Control | Yes | Yes | Yes | Yes | Yes |
| Modify | | Yes | Yes | Yes | |
| Read & Execute | | | Yes | Yes | |
| Read | | | | Yes | |
| Write | | | | | Yes |
Unfortunately, Table 4-41 doesn't tell the whole story and works only if you are allowing standard permissions and not denying them. If you both allow and deny permissions, other combinations are possible, while many aren't. Furthermore, the Security tab doesn't always show the whole picture. For example, if you first allow Full Control permission, which causes all five checkboxes under Allow to be checked, and then deselect the checkbox for Modify, the result is a configuration not displayed in Table 4-41, namely, the combination of allowed Read & Execute, Read, and Write permissions. A message then appears beside the Advanced button saying, "Additional permissions are present but not viewable here. Press Advanced to see them." Finally, when special permissions (described later in this section) are assigned to a file or folder, this same message appears on the Security tab while the standard permissions for that user or group are displayed as unassigned. The moral of the story may be that the GUI here is simply too smart for its own good, and unless you have a good grasp of the 18 underlying NTFS special permissions, it's easy to get confused by what's going on.
If the checkboxes for standard permissions are checked but filled (grayed out), these permissions are inherited from the parent folder (or the volume if the file is in the root directory). When you create a file or save a document in a folder, it automatically inherits the permissions of its parent folder. When you assign new permissions to a file for a user or group, however, these permissions are never grayed out since they are assigned, not inherited.
If you deselect the checkbox labeled "Allow inheritable permissions from parent to propagate to this object" before clicking Apply or OK, a warning will appear saying that you are preventing permissions being inherited to the file from its parent folder. You are given two options:
- This copies the permissions of the parent folder to your file but breaks the chain of permissions inheritance from the parent to the child. If the child were a folder instead of a file, it would become the root of a new chain of inherited permissions.
- This removes the permissions of the parent folder from your file and breaks the chain of permissions inheritance. Again, if the child were a folder instead of a file, it would become the root of a new chain of inherited permissions.
Right-click on folder → Properties → Security → Add → select domain → select user or group → Add → allow or deny standard permissions
Unless you allow or deny different permissions, when you assign NTFS standard folder permissions to a user or group, the default permissions assigned are Allow Read & Execute. Otherwise, the behavior here is similar to that in Assign Standard Permissions to a File earlier in this section, except that there are six standard folder permissions instead of only five standard file permissions (the sixth folder permission is List Folder Contents).
Right-click on file → Properties → Security → Advanced → Add → select domain → select user or group → allow or deny special permissions
Unlike assigning standard permissions where selecting one checkbox may cause others to magically become selected or deselected as well, assigning special permissions is more straightforward: you can assign any combination of these 13 special file permissions, the only caveat being that you can't allow and deny a permission at the same time.
Clearing the checkbox "Allow inheritable permissions from parent to propagate to this object" will break the chain of permissions inheritance from the parent folder to the selected file.
Right-click on folder → Properties → Security → Advanced → Add → select domain → select user or group → allow or deny special permissions
The behavior here is similar to that in Assign Standard Permissions to a File earlier in this section, except that with folders you have two additional options:
The "Apply onto" listbox lets you apply your special permissions to one of the following:
- This folder, subfolders, and files (the default)
- This folder only
- This folder and subfolders
- This folder and files
- Subfolders and files only
- Subfolders only
- Files only
You have to select this checkbox if you want your selection in the "Apply onto" listbox to actually work. This is an "Are you sure?" kind of checkbox.
As in Assign Standard Permissions to a File earlier in this section, clearing the checkbox "Allow inheritable permissions from parent to propagate to this object" breaks the chain of permissions inheritance from the parent folder to the selected folder.
An additional option for folders appears here: "Reset permissions on all child objects and enable propagation of inheritable permissions." Selecting this checkbox removes all explicitly defined permissions on all child objects (the tree of files and subfolders within your folder) and turns on inheritance between the selected folder and the child objects within it. Only inherited permissions propagated downward from your folder will be in effect. After you confirm the action, the checkbox automatically clears itself in case you need to apply it again later.
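The seven "Apply onto" choices and the two ways of breaking inheritance, expressed with the .NET access-control classes from PowerShell. This is an added example, not part of the original text; the function names and the scope strings used as table keys are hypothetical, and `Get-Acl -LiteralPath` assumes Windows PowerShell 3.0 or later.

```powershell
# "Apply onto" choice -> (InheritanceFlags, PropagationFlags) of the resulting ACE
$ApplyOnto = @{
    'This folder only'                  = @('None', 'None')
    'This folder, subfolders and files' = @('ContainerInherit, ObjectInherit', 'None')
    'This folder and subfolders'        = @('ContainerInherit', 'None')
    'This folder and files'             = @('ObjectInherit', 'None')
    'Subfolders and files only'         = @('ContainerInherit, ObjectInherit', 'InheritOnly')
    'Subfolders only'                   = @('ContainerInherit', 'InheritOnly')
    'Files only'                        = @('ObjectInherit', 'InheritOnly')
}

# Add one ACE to a folder with the chosen scope (hypothetical helper)
function Add-FolderAce {
    param(
        [string]$Path, [string]$Identity, [string]$Rights,
        [string]$Scope = 'This folder, subfolders and files',
        [ValidateSet('Allow', 'Deny')][string]$Type = 'Allow'
    )
    $inherit, $propagate = $ApplyOnto[$Scope]
    if ($null -eq $inherit) { throw "Unknown scope '$Scope'" }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$inherit,
        [System.Security.AccessControl.PropagationFlags]$propagate,
        [System.Security.AccessControl.AccessControlType]$Type)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Break inheritance: keep copies of the inherited ACEs, or drop them
function Disable-FolderInheritance {
    param([string]$Path, [switch]$KeepInheritedCopies)
    $acl = Get-Acl -LiteralPath $Path
    # 1st argument protects the object; 2nd preserves (true) or removes (false) inherited ACEs
    $acl.SetAccessRuleProtection($true, [bool]$KeepInheritedCopies)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Audit: list children whose inheritance chain from the parent is already broken
function Get-ProtectedChild {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { (Get-Acl -LiteralPath $_.FullName).AreAccessRulesProtected } |
        Select-Object -ExpandProperty FullName
}
```

Running `Get-ProtectedChild` before using the reset option shows which child objects would lose explicitly defined permissions.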
Right-click on file or folder → Properties → Security → select name → allow or deny standard permissions
For more information, see the earlier Assign Standard Permissions to a File.
Right-click on file or folder → Properties → Security → Advanced → select name → View/Edit
For more information, see the earlier Assign Standard Permissions to a File.
Windows Explorer → right-click on a drive, file, or folder → Properties → Security → Advanced → Owner → Other Users and Groups → choose a new owner
The only users listed on the Owner tab are the currently logged-on user and the Administrators group. You must have Take Ownership permission on the file or folder to be able to take ownership of it. When you take ownership of a folder, you can optionally take ownership of all subdirectories and their files.
New to WS2003 is a feature that allows you to view the effective NTFS permissions on a resource for a specified user or group:
Windows Explorer → right-click on a drive, file, or folder → Properties → Security → Advanced → Effective Permissions → Select → specify user or group → view effective permissions
This feature is useful for viewing the effective permissions when users belong to several groups and these groups are assigned different permissions on a resource.
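How permissions from several groups combine can be approximated by walking the ACL in order and accumulating allowed and denied rights for every SID in the user's token. This is an added example, not part of the original text, and it goes beyond it by modelling ACE ordering; the function name is hypothetical, Windows PowerShell 3.0 or later is assumed, and share permissions, privileges and the owner's implicit rights are not modelled.

```powershell
function Get-ApproxEffectiveRights {
    param(
        [Parameter(Mandatory)][string]$Path,
        # SIDs in the user's token; defaults to the caller's own SID and groups
        [string[]]$Sid
    )
    if (-not $Sid) {
        $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $Sid = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited ACEs, with identities returned as SIDs
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)

    [int]$granted = 0
    [int]$denied  = 0
    foreach ($ace in $rules) {
        # Only ACEs for the user or one of the user's groups count
        if ($Sid -notcontains $ace.IdentityReference.Value) { continue }
        # Inherit-only ACEs affect children, not this object
        if ($ace.PropagationFlags -band
            [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        $bits = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Deny') {
            # A deny only blocks rights not already granted by an earlier ACE
            $denied = $denied -bor ($bits -band (-bnot $granted))
        } else {
            # An allow only grants rights not already denied by an earlier ACE
            $granted = $granted -bor ($bits -band (-bnot $denied))
        }
    }
    [System.Security.AccessControl.FileSystemRights]$granted
}
```

Compare the result with the Effective Permissions tab for the same account; a difference usually points to something outside the ACL, such as ownership.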
To assign shared-folder permissions, you must first be able to access the icon of the shared folder. The following procedures assume you have already used Windows Explorer or some other tool to select the shared folder with the permissions you want to assign or modify.
Right-click on shared folder → Sharing → Permissions → Add → select domain → select user or group → Add → allow or deny shared-folder permissions
Unless you allow or deny different permissions, when you assign shared-folder permissions to a user or group, the default permission that is assigned is Allow Read.
When you try to allow or deny different combinations of shared-folder permissions, you will discover that not all combinations are allowed. For example, if you try to allow Full Control, then all three checkboxes under Allow automatically become checked. Table 4-42 shows the permissible combinations of shared-folder permissions that can be assigned using the Sharing tab. These combinations work only if you are allowing permissions; if you both allow and deny permissions, other combinations are possible.
| Selecting (below) automatically selects (right) | Full Control | Change | Read |
|---|---|---|---|
| Full Control | Yes | Yes | Yes |
| Change | | Yes | |
| Read | | | Yes |
Right-click on shared folder → Sharing → Permissions → select name → allow or deny shared-folder permissions