The standard NTFS permissions generally provide all of the access control that you need to secure your resources. However, sometimes the standard NTFS permissions don't provide the specific level of access that you might want to assign to users. To create a specific level of access, you assign NTFS special access permissions.
After this lesson, you will be able to
Estimated lesson time: 5 minutes
There are 14 special access permissions. Two of them are particularly useful for controlling access to resources. These are Change Permissions and Take Ownership.
When you assign special access permissions to folders, you can choose where to apply the permissions down the tree to subfolders and files.
You can enable other administrators and users to change permissions for a file or folder without giving them the Full Control permission over the file or folder. In this way, the administrator or user can't delete or write to the file or folder but can assign permissions to the file or folder.
To enable administrators to change permissions, assign Change Permissions to the Administrators group for the file or folder.
You can transfer ownership of files and folders from one user account or group to another user account or group. You enable someone to take ownership and, as an administrator, you can take ownership of a file or folder.
The following rules apply for taking ownership of a file or folder:
For example, if an employee leaves the company, an administrator can take ownership of the employee's files, assign the Take Ownership permission to another employee, and then that employee can take ownership of the former employee's files.
NOTE
You cannot assign anyone ownership of a file or folder. The owner of a file, an administrator, or anyone with Full Control permission can assign Take Ownership permission to a user account or group, allowing them to take ownership. To become the owner of a file or folder, a user or group member with Take Ownership permission must explicitly take ownership of the file or folder, as explained later in this chapter.
Follow these steps to assign special access permissions to enable users to change permissions and take ownership of files and folders:
Figure 3.4 The Permission Entry dialog box
The options in the Permissions Entry dialog box are described in Table 3.6.
Table 3.6 Options in the Permissions Entry Dialog Box
Option | Description |
---|---|
Name | The user account or group name. To select a different user account or group, click Change. |
Apply Onto | The level of the folder hierarchy at which the special NTFS permissions are inherited. The default is This Folder, Subfolders And Files. |
Permissions | The special access permissions. To allow the Change Permissions permission or Take Ownership permission, select the Allow check box. |
Apply These Permissions To Objects And/Or Containers Within This Container Only | Specify whether subfolders and files within a folder inherit the special access permissions from the folder. Select this check box to propagate the special access permissions to files and subfolders. Clear this check box to prevent permissions inheritance. |
Clear All | Click this button to clear all selected permissions. |
NOTE
You can view the permissions that are applied to the file or folder, the owner, and where the permissions apply in the Access Control Settings dialog box, on the Permissions tab. When special access permissions have been assigned, Windows 2000 displays Special under Permissions.
Follow these steps to take ownership of a file or folder. The user or a group member with Take Ownership permission must explicitly take ownership of the file or folder.
In this lesson, you learned that there are 14 special access permissions, and two of them are especially useful. These are Change Permissions and Take Ownership. You can enable administrators and other users to change permissions for a file or folder without giving them the Full Control permission over the file or folder. This prevents the administrator or user from deleting or writing to the file or folder, but it still allows them to assign permissions to the file or folder.
You also learned that you can transfer ownership of files and folders from one user account or group to another user account or group. The current owner or any user with Full Control permission can assign the Full Control standard permission or the Take Ownership special access permission to another user account or group, allowing the user account or a member of the group to take ownership. An administrator can take ownership of a folder or file, regardless of assigned permissions. When an administrator takes ownership of a file or folder, the Administrators group becomes the owner, and any member of the Administrators group can change the permissions for the file or folder and assign the Take Ownership permission to another user account or group.