Lesson 1: Understanding and Applying NTFS Permissions

You use NTFS permissions to specify which users and groups can access files and folders and what they can do with the contents of the files or folders. NTFS permissions are available only on NTFS volumes. They are not available on volumes formatted with file allocation table (FAT) or FAT32 file systems. NTFS security is effective whether a user accesses the file or folder at the local computer or over the network.

The permissions you assign for folders are different from the permissions you assign for files. Administrators, the owners of files or folders, and users with Full Control permission can assign NTFS permissions to users and groups to control access to files and folders.


After this lesson, you will be able to

  • Define the standard NTFS folder and file permissions
  • Describe the result when you combine user account and group permissions
  • Describe the result when folder permissions are different from those of the files in the folder

Estimated lesson time: 30 minutes


NTFS Folder Permissions

You assign folder permissions to control the access that users have to folders and to the files and subfolders that are contained within the folders.

Table 8.1 lists the standard NTFS folder permissions that you can assign and the type of access that each provides.

Table 8.1  NTFS Folder Permissions

You can deny permission to a user account or group. To deny all access to a user account or group for a folder, deny the Full Control permission.

NTFS File Permissions

You assign file permissions to control the access that users have to files. Table 8.2 lists the standard NTFS file permissions that you can assign and the type of access that each provides.

Table 8.2  NTFS File Permissions

Access Control List

NTFS stores an access control list (ACL) with every file and folder on an NTFS volume. The ACL contains a list of all user accounts and groups that have been assigned permissions for the file or folder, as well as the permissions that they have been assigned. When a user attempts to gain access to a resource, the ACL must contain an entry, called an access control entry (ACE), for the user account or a group to which the user belongs. The entry must allow the type of access that is requested (for example, Read access) for the user to gain access. If no ACE exists in the ACL, the user can't access the resource.

Multiple NTFS Permissions

You can assign multiple permissions to a user account and to each group of which the user is a member. To assign permissions, you must understand the rules and priorities by which NTFS assigns and combines multiple permissions and NTFS permissions inheritance.

Effective Permissions

A user's effective permissions for a resource are the sum of the NTFS permissions that you assign to the individual user account and to all of the groups to which the user belongs. If a user has Read permission for a folder and is a member of a group with Write permission for the same folder, the user has both Read and Write permissions for that folder.

Overriding Folder Permissions with File Permissions

NTFS file permissions take priority over NTFS folder permissions. If you have permission for a file, you can access it even when you don't have permission for the folder that contains it, provided you also hold the Bypass Traverse Checking security permission. Because the folder is invisible to you without a corresponding folder permission, you must open the file from its application by its full Universal Naming Convention (UNC) or local path. In other words, to reach a file in a folder you have no permission for, you need both the Bypass Traverse Checking security permission and the full path to the file; without permission for the folder you can't see the folder, so you can't browse for the file.

The Bypass Traverse Checking security permission is detailed further in Lesson 2 of this chapter.

Overriding Other Permissions with Deny

You can deny permission to a user account or group for a specific file, although this is not the recommended method of controlling access to resources. Denying permission overrides all instances in which that permission is allowed. Even if a user has permission to access a file or folder as a member of a group, denying permission to the user blocks any other permissions the user might have (see Figure 8.1).

Figure 8.1  Multiple NTFS permissions

In Figure 8.1, User1 has Read permission for FolderA and is a member of Group A and Group B. Group B has Write permission for FolderA. Group A has been denied Write permission for File2.

The user can read and write to File1. The user can also read File2 but cannot write to File2 because she is a member of Group A, which has been denied Write permission for File2.

NTFS Permissions Inheritance

By default, permissions that you assign to the parent folder are inherited by and propagated to the subfolders and files contained in the parent folder. However, you can prevent permissions inheritance, as shown in Figure 8.2.

Figure 8.2  Inheritance

Understanding Permissions Inheritance

Whatever permissions you assign to the parent folder also apply to subfolders and files contained within the parent folder. When you assign NTFS permissions to give access to a folder, you assign permissions for the folder and for any existing files and subfolders, as well as for any new files and subfolders that are created in the folder.

Preventing Permissions Inheritance

You can prevent permissions that are assigned to a parent folder from being inherited by subfolders and files that are contained within the folder. That is, the subfolders and files will not inherit permissions that have been assigned to the parent folder containing them.

The folder for which you prevent permissions inheritance becomes the new parent folder. The subfolders and files contained within this new parent folder inherit the permissions assigned to it.
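The following model, added to this lesson and not part of the original text, reproduces the Figure 8.1 scenario (effective permissions as the sum of Allow ACEs, with Deny overriding) and the inheritance rule above (a folder that blocks inheritance becomes the new parent). The FolderB, File3 and User2 objects are constructed for illustration; standard permissions are treated as independent names.

```python
"""Model of how NTFS combines Allow/Deny ACEs for one user (example added
to this lesson, not from the original text).  Permission names are the
lesson's standard permissions; the tree below reproduces Figure 8.1."""
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Ace:
    principal: str      # user account or group name
    permission: str     # e.g. "Read", "Write"
    deny: bool = False  # a Deny ACE overrides any matching Allow

@dataclass
class Node:
    name: str
    aces: list = field(default_factory=list)   # ACEs assigned directly to this object
    parent: Node | None = None
    inherit: bool = True                        # False = inheritance prevented here

def acl_for(node: Node) -> list[Ace]:
    """ACL seen on `node`: its own ACEs plus those propagated from ancestors,
    stopping at an object that prevents inheritance (the 'new parent folder')."""
    acl, n = list(node.aces), node
    while n.inherit and n.parent is not None:
        n = n.parent
        acl.extend(n.aces)
    return acl

def effective(node: Node, user: str, groups: set[str]) -> set[str]:
    """Sum of Allow ACEs for the user and all of the user's groups, minus any
    permission denied to any of them; an empty set means no ACE matched."""
    principals = {user} | groups
    acl = [a for a in acl_for(node) if a.principal in principals]
    allowed = {a.permission for a in acl if not a.deny}
    denied = {a.permission for a in acl if a.deny}
    return allowed - denied

# Figure 8.1 scenario (constructed): User1 is a member of Group A and Group B.
folder_a = Node("FolderA", [Ace("User1", "Read"), Ace("Group B", "Write")])
file1 = Node("File1", parent=folder_a)
file2 = Node("File2", [Ace("Group A", "Write", deny=True)], parent=folder_a)
# Constructed: FolderB prevents inheritance, so only its own ACEs flow to File3.
folder_b = Node("FolderB", [Ace("Group B", "Read")], parent=folder_a, inherit=False)
file3 = Node("File3", parent=folder_b)

USER1, USER1_GROUPS = "User1", {"Group A", "Group B"}
if __name__ == "__main__":
    for f in (file1, file2, file3):
        print(f.name, sorted(effective(f, USER1, USER1_GROUPS)))
```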

Lesson Review

The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. The answers are in Appendix A, "Questions and Answers."

  1. Which of the following statements correctly describe NTFS file and folder permissions? (Choose all answers that are correct.)
    1. NTFS security is effective only when a user gains access to the file or folder over the network.
    2. NTFS security is effective when a user gains access to the file or folder on the local computer.
    3. NTFS permissions specify which users and groups can gain access to files and folders and what they can do with the contents of the file or folder.
    4. NTFS permissions can be used on all file systems available with Windows XP Professional.
  2. Which of the following NTFS folder permissions allow you to delete the folder?
    1. Read
    2. Read & Execute
    3. Modify
    4. Administer
  3. Which of the NTFS file permissions should you assign to a file if you want to allow users to delete the file but do not want to allow users to take ownership of a file?
  4. What is an access control list (ACL) and what is the difference between an ACL and an access control entry (ACE)?
  5. What are a user's effective permissions for a resource?
  6. By default, what inherits the permissions that you assign to the parent folder?

Lesson Summary

  • NTFS permissions are available only on NTFS volumes and are used to specify which users and groups can access files and folders and what these users can do with the contents of those files or folders.
  • NTFS folder permissions are Read, Write, List Folder Contents, Read & Execute, Modify, and Full Control.
  • The NTFS file permissions are Read, Write, Read & Execute, Modify, and Full Control.
  • Administrators, the owners of files or folders, and users with Full Control permission can assign NTFS permissions to users and groups to control access to files and folders.
  • NTFS stores an ACL, which contains a list of all user accounts and groups that have been granted access to the file or folder, as well as the type of access that they have been granted, with every file and folder on an NTFS volume.
  • A user attempting to gain access to a resource must have permission for the type of access that is requested to gain access.
  • You can assign multiple permissions to a user account by assigning permissions to his or her individual user account and to each group of which the user is a member.
  • NTFS file permissions take priority over NTFS folder permissions.
  • A user's effective permissions for a resource are based on the NTFS permissions that you assign to the individual user account and to all of the groups to which the user belongs.