As you’ve seen, Administrators and members of a few other select groups are the only ones who can grant and change permissions. The exception is when a user is the owner of the folder or file in question. Every object on an NTFS partition has an owner, and the owner is the person who created the file or folder. The owner controls access to the file or folder and can keep out anyone he or she chooses.
For example, Wally (a user) creates a folder on his computer called My Private Stuff. After creating the folder, he right-clicks the folder, chooses Properties, and then clicks the Security tab (Figure 10-10).
Figure 10-10: Viewing the NTFS permissions for a new folder.
Wally sees that the Administrators group has full access to his folder, but because he is the owner of the folder, he can change the permissions so that he has the folder all to himself. He clicks Advanced to open the Advanced Security Settings dialog box and clears the Inherit From Parent check box (Figure 10-11).
Figure 10-11: Removing inheritance from a permission entry.
When the Security dialog box appears, Wally clicks Remove to remove the permission entries that were previously inherited from the parent. After accepting the security warning, he clicks OK, and another Security warning appears indicating that everyone has been denied access to the folder. Wally clicks Yes to continue and returns to the Properties dialog box. He clicks the Add button and adds his user account with Full Control. After this is done, even the administrator receives an Access Denied message when trying to open the folder.
Of course, nothing on the network can be completely beyond the reach of administrators, so an administrator can change the ownership by following these steps:
1. Right-click the My Private Stuff folder and choose Properties from the shortcut menu to open the Properties dialog box. Select the Security tab. A Security warning appears indicating that you don’t have permissions to the folder but can take ownership. As shown in Figure 10-12, no changes can be made on the Security tab and only the Advanced button is enabled.
Figure 10-12: The administrator viewing permissions for a folder owned by a user.
2. Click Advanced to open the Advanced Security Settings dialog box and then click the Owner tab (Figure 10-13).
Figure 10-13: Changing the ownership of a folder.
3. No matter what the status of the folder is, the administrator can take ownership. Select the new owner and click OK.
4. Close the Properties dialog box. Then right-click the folder again and select Properties and then the Security tab. The Properties dialog box now reveals Wally as the only user with permission to use the folder.
5. Click Advanced and on the Permissions tab, select the check box for Inherit From Parent The Permission Entries That Apply To Child Objects. Click Apply (Figure 10-14), and all the previously removed permissions are reinstated.
Figure 10-14: Reinstating the default inherited permissions.
6. Click OK twice to close the dialog boxes.
When Wally logs on the next time, he still has access to My Private Stuff. If he opens the Properties dialog box, clicks the Security tab, clicks Advanced and then clicks the Owner tab, he sees that he’s no longer the only user with Full Control. Changing the ownership of the folder doesn’t automatically give administrators access to the contents of the folder, but ownership does grant the ability to read and change permissions. With that, an administrator can change permissions and attain access to the folder contents.
The owner of a file or folder can also grant the Take Ownership special permission to others, allowing those users to take ownership at any time.
Windows Small Business Server goes to considerable lengths and offers many tools to simplify the running of a network. However, there are several different ways to turn administration into a tangled mess, and one of them is to get too deeply into setting lots of specific permissions.
Always try to operate with the simplest possible permissions. Set as few restrictions as possible. Assign permissions to groups, not individuals. Don’t set file-by-file permissions unless it is unavoidable. Managing the minutiae of permissions can quickly soak up all your time and much of your life’s blood as well, unless you guard against it.
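To find where ownership and one-off permissions have already drifted from that advice, an administrator can audit a folder tree. The script below is an added example, not part of the original text. It assumes Windows PowerShell 3.0 or later, an elevated session, English principal names, and a hypothetical root path `D:\Shares`.

```powershell
# Added example (not from the original text): report folders whose ownership
# or permissions match the situations described above.
# $Root is a hypothetical path; the names in $expected assume an English system.
param([string]$Root = 'D:\Shares')

$takeOwn  = [System.Security.AccessControl.FileSystemRights]::TakeOwnership
$expected = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'

function New-Finding {
    param([string]$Path, [string]$Owner, [string]$Finding, [string]$Detail)
    [pscustomobject]@{ Path = $Path; Owner = $Owner; Finding = $Finding; Detail = $Detail }
}

function Get-FolderAclFinding {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # The administrator's view of a folder like My Private Stuff: the ACL
        # cannot be read until ownership is taken.
        return New-Finding $Path '' 'ACL unreadable' $_.Exception.Message
    }
    if ($acl.AreAccessRulesProtected) {
        # Inherit From Parent has been cleared on this folder.
        New-Finding $Path $acl.Owner 'Inheritance removed' ''
    }
    if ($acl.Owner -notin $expected) {
        # An ordinary owner can rewrite the permissions at any time.
        New-Finding $Path $acl.Owner 'Owned by non-administrator' ''
    }
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        # Full Control includes Take Ownership, so both are reported here.
        if (($ace.FileSystemRights -band $takeOwn) -and $id -notin $expected) {
            New-Finding $Path $acl.Owner 'Explicit Take Ownership' "$id : $($ace.FileSystemRights)"
        }
    }
}

# Unreadable folders are still listed by their parent, so they are reported
# even though the recursion cannot descend into them.
Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-FolderAclFinding -Path $_.FullName } |
    Sort-Object Path, Finding |
    Format-Table -AutoSize -Wrap
```

Each row is a folder to review: either restore inheritance and group-based permissions, or record why the exception exists.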