PermissionsNotes

Previous page
Table of content
Next page

PermissionsNotes

NTFS Permissions

Always give users and groups just enough access to meet their needs. For example, don't assign Modify permission to a folder if you want users only to read files in the folder and not to change or delete them.

Never assign Full Control permission to folders used by ordinary users (except their home folder). Otherwise, a user might modify the permissions on the folder and cause difficulties for other users. Use Modify permission instead when you want to give the widest range of access to a folder for ordinary users. Modify will allow them to create, modify, and delete files and subfolders within the folder under consideration, which is pretty well all they will ever need to do.

If you want users to be able to do everything except delete files, assign Read & Execute and Write permissions to the folder instead of Modify.

By assigning Full Control to Creator Owner, users who create a subfolder or file within the given folder will have Full Control over that subfolder or file and will thus be able to delete it even if the Users group is assigned Read & Execute and Write permissions, as described earlier.

A suitable NTFS permission for a folder where applications will be stored is Read & Execute. Folders used to store data shared by different users should have Modify permission (or Read & Execute and Write, as described earlier). Home folders for users should be owned by users, and they should have Full Control.

Assign the Administrators group Full Control of all folders except users' home folders, to which they should have no access.

Assign permissions to groups, not users. To grant a user access to a resource, add the user to the group that has the suitable permissions.

When you copy a file or folder on an NTFS volume, you become the owner of the copy.

Denying a permission for a user takes precedence over any allowed permissions assigned to groups to which that user belongs.

You can deny all access for a user or group to a folder or file by denying Full Control permission for that user or group.

Always assign NTFS permissions to a folder first before sharing it. If you share the folder first, there is a chance someone might access the share before you have properly secured its contents.

You can also use the built-in system groups called Network and Interactive to control access to shared resources:

  • Any permissions you assign to the Network group apply to all users who try to access the resource from other machines over the network.

  • Any permissions you assign to the Interactive group apply to all users who try to access the resource from the local machine where the resource is located.

If a user or group has Full Control permission on a folder, the user or group can delete any files within the folder regardless of the permissions on that file.

For information on what happens to NTFS permissions on a file when you copy or move the file, see Files and Folders earlier in this chapter.

Don't assign special permissions unless absolutely necessary. Keep permissions simple to ease troubleshooting when things go wrong.

In the Access Control Settings dialog box, which appears when you click Advanced on the Security tab, users or groups for which some permissions are allowed while others are denied show up twice, once with a key icon (allowed permissions) and once with a lock icon ( denied permissions). Also, the permissions column either displays standard file or folder permissions or the word Special when special permissions have been assigned.

You can manage NTFS permissions on a remote computer as well. Either browse My Network Places for the file or folder (if shared) or map a drive to the hidden administrative share for the remote drive on which the file or folder whose permissions you want to manage is located. Once the file or folder icon is displayed, right-click on it and select Properties Security in the usual way.

Shared-Folder Permissions

To assign shared-folder permissions, the folder must of course be shared.

Unlike NTFS and print permissions, there are no advanced (special) shared-folder permissions you can configure.

To learn more about how to create and manage shared folders on the network, see Shared Folders later in this chapter.

If you do modify the default shared-folder permissions, make sure you understand how NTFS and shared-folder permissions combine.

See Also

Files and Folders , Shared Folders


Previous page
Table of content
Next page
Windows Server 2003 in a Nutshell
Windows Server 2003 in a Nutshell
ISBN: 0596004044
EAN: 2147483647
Year: 2003
Pages: 415
Authors: Mitch Tulloch
BUY ON AMAZON
CompTIA Project+ Study Guide: Exam PK0-003
Java How to Program (6th Edition) (How to Program (Deitel))
Mastering Delphi 7
802.11 Wireless Networks: The Definitive Guide, Second Edition
HTI+ Home Technology Integrator & CEDIA Installer I All-In-One Exam Guide
MPLS Configuration on Cisco IOS Software
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy