Lesson 3:Solving Permissions Problems | 70-270: MCSE Guide to Microsoft Windows XP Professional (MCSE/MCSA Guides)

When you assign or modify NTFS permissions to files and folders, problems might arise. When you copy or move files and folders, the permissions you set on the files or folders might change. Specific rules control how and when permissions change. Understanding these rules helps you solve permissions problems. Troubleshooting these problems is important to keep resources available for the appropriate users and protected from unauthorized users.

After this lesson, you will be able to

Describe the effect on NTFS file and folder permissions when files and folders are copied
Describe the effect on NTFS file and folder permissions when files and folders are moved
Troubleshoot resource access problems

Estimated lesson time: 50 minutes

Copying Files and Folders

When you copy files or folders from one folder to another or from one volume to another, permissions change, as shown in Figure 8.7.

Figure 8.7 Copying files or folders between folders or volumes

When you copy a file within a single NTFS volume or between NTFS volumes, note the following:

Windows XP Professional treats it as a new file. As a new file, it takes on the permissions of the destination folder.
You must have Write permission for the destination folder to copy files and folders.
You become the creator and owner.

When you copy files or folders to FAT volumes, the folders and files lose their NTFS permissions because FAT volumes don't support NTFS permissions.

Moving Files and Folders

When you move a file or folder, permissions might or might not change, depending on where you move the file or folder (see Figure 8.8).

Figure 8.8 Moving files or folders between folders or volumes

Moving Within a Single NTFS Volume

When you move a file or folder within a single NTFS volume, note the following:

The file or folder retains the original permissions.
You must have the Write permission for the destination folder to move files and folders into it.
You must have the Modify permission for the source file or folder. The Modify permission is required to move a file or folder because Windows 2000 deletes the file or folder from the source folder after it is copied to the destination folder.
You become the creator and owner.

Moving Between NTFS Volumes

When you move a file or folder between NTFS volumes, note the following:

The file or folder inherits the permissions of the destination folder.
You must have the Write permission for the destination folder to move files and folders into it.
You must have the Modify permission for the source file or folder. The Modify permission is required to move a file or folder because Windows XP Professional deletes the file or folder from the source folder after it is copied to the destination folder.
You become the creator and owner.

When you move files or folders to FAT volumes, the folders and files lose their NTFS permissions because FAT volumes don't support NTFS permissions.

Troubleshooting Permissions Problems

Table 8.7 describes some common permissions problems that you might encounter and provides solutions that you can use to try to resolve these problems.

Table 8.7 Permissions Problems and Troubleshooting Solutions


Problem	Solution
A user can't gain access to a file or folder.	If the file or folder was copied moved to or another NTFS volume, the permissions might have changed.
	Check the permissions that are assigned to the user account and to groups to which the user belongs. The user might not have permission or might be denied access either individually or as a member of a group.
You add a user account to a group to give that user access to a file or folder, but the user still can't gain access.	For access permissions to be updated to include the new group to which you have added the user account, the user must either log off and then log on again or close all network connections to the computer on which the file or folder resides and then make new connections.
A user with Full Control permission to a folder deletes a file in the folder, although that user doesn't have permission to delete the file, itself. You want to stop the user it from being able to delete more files.	You have to clear the special access permission, the Delete Subfolders And Files check box for that folder to prevent users with Full Control of the folder from being able to delete files in.

Windows XP Professional supports Portable Operating System Interface for UNIX (POSIX) applications that are designed to run on UNIX. On UNIX systems, Full Control permission allows you to delete files in a folder. In Windows 2000, the Full Control permission includes the Delete Subfolders and Files special access permission, allowing you the same ability to delete files in that folder regardless of the permissions that you have for those files.

Avoiding Permissions Problems

The following list provides best practices for implementing NTFS permissions. These guidelines will help you avoid permission problems.

Assign the most restrictive NTFS permissions that still enable users and groups to accomplish necessary tasks.
Assign all permissions at the folder level, not at the file level. Group files in a separate folder for which you want to restrict user access, and then assign restricted access to that folder.
For all application-executable files, assign Read & Execute and Change Permissions to the Administrators group, and assign Read & Execute to the Users group. Damage to application files is usually a result of accidents and viruses. By assigning Read & Execute to Users and Read & Execute and Change Permissions to Administrators, you can prevent users or viruses from modifying or deleting executable files. To update files, members of the Administrators group can assign Full Control to their user account to make changes and then reassign Read & Execute and Change Permissions.
Assign Full Control to CREATOR OWNER for public data folders so that users can delete and modify files and folders that they create. Doing so gives the user who creates the file or folder full access to only the files or folders that he or she creates in the public data folder.
For public folders, assign Full Control to CREATOR OWNER and Read and Write to the Everyone group. This gives users full access to the files that they create, but members of the Everyone group can only read files in the folder and add files to the folder.
Use long, descriptive names if the resource will be accessed only at the computer. If a folder will eventually be shared, use folder names and filenames that are accessible by all client computers.
Allow permissions rather than denying permissions. If you don't want a user or group to access a particular folder or file, don't assign permissions. Denying permissions should be an exception, not a common practice.

Practice: Managing NTFS Permissions

In this practice, you will observe the effects of taking ownership of a file. Then you will determine the effects of permission and ownership when you copy or move files. Finally, you will determine what happens when a user with Full Control permission to a folder has been denied all access to a file in that folder but attempts to delete the file.

To successfully complete this practice, you must have completed "Practice: Planning and Assigning NTFS Permissions" in Lesson 2 of this chapter.

Exercise 1: Taking Ownership of a File

In this exercise, you observe the effects of taking ownership of a file. To do this, you must determine permissions for a file, assign the Take Ownership permission to a user account, and then take ownership as that user.

To determine the permissions for a file

Log on as Fred or with a user account that is a member of the Administrators group, and then start Windows Explorer.
In the Public folder, create a text document named OWNER.
Right-click OWNER, and then click Properties.
Microsoft Windows XP Professional displays the Owner Properties dialog box with the General tab active.
Click the Security tab to display the permissions for the OWNER file.
Click Advanced.
Windows XP Professional displays the Advanced Security Settings For Owner dialog box with the Permissions tab active.
Click the Owner tab.
Who is the current owner of the OWNER file?

To assign permission to a user to take ownership

In the Advanced Security Settings For Owner dialog box, click the Permissions tab.
Click Add.
Windows XP Professional displays the Select User Or Group dialog box.
In the From This Location text box at the top of the dialog box, ensure that your computer (PRO1) is selected.
In the Enter The Object Names To Select text box, type User81, and then click Check Name.
PRO1\User81 should now appear in the Enter The Object Names To Select text box indicating that Windows XP Professional located User81 on PRO1 and it is a valid user account.
Click OK.
Windows XP Professional displays the Permission Entry For Owner dialog box. Notice that all of the permission entries for User81 are blank.
Under Permissions, select the Allow check box next to Take Ownership.
Click OK.
Windows XP Professional displays the Advanced Security Settings For Owner dialog box with the Permissions tab selected.
Click OK to return to the Owner Properties dialog box.
Click OK to apply your changes and close the Owner Properties dialog box.
Close Windows Explorer, and then log off Windows XP Professional.

To take ownership of a file

Log on as User81, and then start Windows Explorer.
Expand the Public folder.
Right-click OWNER and then click Properties.
Windows XP Professional displays the Owner Properties dialog box with the General tab active.
Click the Security tab to display the permissions for OWNER.
Windows XP Professional displays the Owner Properties dialog box with the Security tab active.
Click Advanced to display the Advanced Security Settings For Owner dialog box, and then click the Owner tab.
Under Change Owner To, select User81, and then click Apply.
Who is now the owner of the OWNER file?
Click OK to close the Advanced Security Settings For Owner dialog box.
Click OK to close the Owner Properties dialog box.

To test permissions for a file as the owner

While you are logged on as User81, assign User81 the Full Control permission for the OWNER text document and click Apply.
Click Advanced and clear the Inherit From Parent The Permission Entries That Apply To Child Objects check box.
In the Security dialog box, click Remove.
Click OK to close the Advanced Security Settings For Owner dialog box.
Click OK to close the Owner Properties dialog box.
Delete the OWNER text document.

Exercise 2: Copying and Moving Folders

In this exercise, you see the effects of permissions and ownership when you copy and move folders.

To create a folder while logged on as a user

While you are logged on as User81, in Windows Explorer, in the root folder of drive C, create a folder named Temp1.
What are the permissions that are assigned to the folder?

User or group Permissions

Who is the owner? Why?
Close all applications, and then log off Windows XP Professional.

To create a folder while logged on as a member of the Administrators group

Log on as Administrator, or as a user account that is a member of the Administrators group, and then start Windows Explorer.
In the root folder of drive C, create the folders Temp2 and Temp3.
What are the permissions for the Temp2 and Temp3 folders that you just created?

User or group Permissions

Who is the owner of the Temp2 and Temp3 folders? Why?
Assign the following permissions to the Temp2 and Temp3 folders. Clear the Inherit From Parent The Permission Entries That Apply To Child Objects check box. When prompted, click Remove to remove all permissions except those explicitly set.


Folder	Assign these permissions
Temp2	Administrators: Full Control Users: Read & Execute
Temp3	Administrators: Full Control Backup Operators: Read & Execute Users: Full Control

To copy a folder to another folder within a Windows XP Professional NTFS volume

While logged on with an account that is a member of the Administrators group, in Windows Explorer, copy C:\Temp2 to C:\Temp1 by selecting C:\Temp2, holding down Ctrl, and then dragging C:\Temp2 to C:\Temp1.
Because this is a copy, C:\Temp2 and C:\Temp1\Temp2 should both exist.
Select C:\Temp1\Temp2, and then compare the permissions and ownership with C:\Temp2.
Who is the owner of C:\Temp1\Temp2 and what are the permissions? Why?

To move a folder within the same NTFS volume

Log on as User81.
In Windows Explorer, select C:\Temp3, and then move it to C:\Temp1.
What happens to the permissions and ownership for C:\Temp1\Temp3? Why?
Close all windows and log off.

Exercise 3: Deleting a File with All Permissions Denied

In this exercise, you use the Temp3 folder for which the Users group has been given Full Control permission. You create a file in the Temp3 folder but deny all permissions to that file. You then observe what happens when a user attempts to delete that file.

To create a file and deny access to it

Log on with a user account that is a member of the Administrators group.
In the C:\Temp1\Temp3 folder, create a text document named NOACCESS.

Deny the Users group the Full Control permission for the NOACCESS text document.

Windows XP Professional displays a Security dialog box with the following message:

 You are setting a deny permissions entry. Deny entries take 
precedence over allow entries. This means that if a user is a member 
of two groups, one that is allowed a permission, and another that is 
denied the same permission, the user is denied that permission. 
Do you want to continue?

Click Yes to apply your changes and close the Security dialog box.
Click OK to close the NoAccess Properties dialog box.

To view the result of the Full Control permission being denied for a folder

In Windows Explorer, double-click the NOACCESS text document in the Temp3 folder to open it.
Were you successful? Why or why not?
Click Start and then click Run.
Windows XP Professional displays the Run dialog box.
Type cmd in the Open text box and click OK.
Change to C:\Temp1\Temp3.
Type Del NOACCESS.TXT and press Enter.
Were you successful? Why or why not?

How would you prevent users with Full Control permission for a folder from deleting a file in that folder for which they have been denied the Full Control permission?

Lesson Review

The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next chapter. The answers are in Appendix A, "Questions and Answers."

Which of the following statements about copying a file or folder are correct? (Choose all answers that are correct.)
1. When you copy a file from one folder to another folder on the same volume, the permissions on the file do not change.
2. When you copy a file from a folder on an NTFS volume to a folder on a FAT volume, the permissions on the file do not change.
3. When you copy a file from a folder on an NTFS volume to a folder on another NTFS volume, the permissions on the file match those of the destination folder.
4. When you copy a file from a folder on an NTFS volume to a folder on a FAT volume, the permissions are lost.
Which of the following statements about moving a file or folder are correct? (Choose all answers that are correct.)
1. When you move a file from one folder to another folder on the same volume, the permissions on the file do not change.
2. When you move a file from a folder on an NTFS volume to a folder on a FAT volume, the permissions on the file do not change.
3. When you move a file from a folder on an NTFS volume to a folder on another NTFS volume, the permissions on the file match those of the destination folder.
4. When you move a file from a folder on an NTFS volume to a folder on the same volume, the permissions on the file match those of the destination folder.
When you assign NTFS permissions you should assign the _____________________ (least/most) restrictive permissions.
If you don't want a user or group to gain access to a particular folder or file, should you deny access permissions to that folder or file?

Lesson Summary

When you copy or move files and folders, the permissions you set on the files or folders might change.
When you copy files or folders from one folder to another or from one volume to another, Windows XP Professional treats the copied file or folder as a new file or folder. Therefore, it takes on the permissions of the destination folder.
You must have Write permission for the destination folder to copy files and folders.
When you copy a file, you become the creator and owner of the file.
When you move a file or folder within a single NTFS volume, the file or folder retains its original permissions.
When you move a file or folder between NTFS volumes, the file or folder inherits the permissions of the destination folder.
You should assign the most restrictive NTFS permissions that still enable users and groups to accomplish necessary tasks.
You should assign permissions at the folder level, not the file level.
You should assign Full Control to CREATOR OWNER for public folders and Read and Write to the Everyone group.
Allow permissions rather than deny permissions.