File and Folder Permissions

Upload: samee-chougule

Post on 06-Apr-2018


  • 8/3/2019 File and Folder Per Missions

    1/8

    File and Folder Permissions

    From Chapter 13, Microsoft Windows 2000 Administrator's Pocket Consultant by William R. Stanek.

    On NTFS volumes, you can set security permissions on files and folders. These permissions grant or deny access to the files and folders. You can view security permissions for files and folders by completing the following steps:

    1. In Windows Explorer, right-click the file or folder you want to work with.

    2. From the pop-up menu, select Properties, and then in the Properties dialog box click the Security tab.

    3. In the Name list box, select the user, contact, computer, or group whose permissions you want to view. If the permissions are dimmed, it means the permissions are inherited from a parent object.

    Understanding File and Folder Permissions

    The basic permissions you can assign to files and folders are summarized in Table 13-3. File permissions include Full Control, Modify, Read & Execute, Read, and Write. Folder permissions include Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write.

    Anytime you work with file and folder permissions, you should keep the following in mind:

    Read is the only permission needed to run scripts. Execute permission doesn't matter.

    Read access is required to access a shortcut and its target.

    Giving a user permission to write to a file but not to delete it doesn't prevent the user from deleting the file's contents. A user can still delete the contents.

    If a user has full control over a folder, the user can delete files in the folder regardless of the permission on the files.

    Table 13-3 File and Folder Permissions Used by Windows 2000

    | Permission | Meaning for Folders | Meaning for Files |
    | --- | --- | --- |
    | Read | Permits viewing and listing of files and subfolders | Permits viewing or accessing of the file's contents |
    | Write | Permits adding of files and subfolders | Permits writing to a file |
    | Read & Execute | Permits viewing and listing of files and subfolders as well as executing of files; inherited by files and folders | Permits viewing and accessing of the file's contents as well as executing of the file |
    | List Folder Contents | Permits viewing and listing of files and subfolders as well as executing of files; inherited by folders only | N/A |
    | Modify | Permits reading and writing of files and subfolders; allows deletion of the folder | Permits reading and writing of the file; allows deletion of the file |
    | Full Control | Permits reading, writing, changing, and deleting of files and subfolders | Permits reading, writing, changing and deleting of the file |

    The basic permissions are created by combining special permissions in logical groups. Table 13-4 shows special permissions used to create the basic permissions for files. Using advanced permission settings, you can assign these special permissions individually, if necessary. As you study the special permissions, keep the following in mind:

    If no access is specifically granted or denied, the user is denied access.

    Actions that users can perform are based on the sum of all the permissions assigned to the user and to all the groups the user is a member of. For example, if the user GeorgeJ has Read access and is a member of the group Techies that has Change access, GeorgeJ will have Change access. If Techies is in turn a member of Administrators, which has Full Control, GeorgeJ will have complete control over the file.
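The cumulative rule above, worked through as an added Python example (not code from the book): it encodes Table 13-4 as sets, follows nested group membership, and returns an empty set when nothing is granted. Treating the text's "Change" access as Modify and letting any Deny entry override Allow are assumptions of this example, and names such as `effective_permissions` are hypothetical.

```python
# Added example: models the rules in the text; it does not read real ACLs.

# Special permissions behind each basic file permission (Table 13-4).
READ = {"List Folder/Read Data", "Read Attributes",
        "Read Extended Attributes", "Read Permissions"}
WRITE = {"Create Files/Write Data", "Create Folders/Append Data",
         "Write Attributes", "Write Extended Attributes", "Read Permissions"}
READ_EXECUTE = READ | {"Traverse Folder/Execute File"}
MODIFY = READ_EXECUTE | WRITE | {"Delete"}
FULL_CONTROL = MODIFY | {"Delete Subfolders and Files",
                         "Change Permissions", "Take Ownership"}
BASIC = [("Full Control", FULL_CONTROL), ("Modify", MODIFY),
         ("Read & Execute", READ_EXECUTE), ("Read", READ), ("Write", WRITE)]


def principals_for(user, member_of):
    """Return the user plus every group reached through nested membership."""
    seen, pending = set(), [user]
    while pending:
        name = pending.pop()
        if name not in seen:
            seen.add(name)
            pending.extend(member_of.get(name, ()))
    return seen


def effective_permissions(user, acl, member_of):
    """Sum the Allow entries that apply to the user, then remove anything denied.

    Assumption: any matching Deny entry wins; the ordering of explicit and
    inherited entries is not modelled. No matching entry means no access.
    """
    who = principals_for(user, member_of)
    allowed, denied = set(), set()
    for principal, kind, perms in acl:
        if principal in who:
            (allowed if kind == "allow" else denied).update(perms)
    return allowed - denied


def basic_permissions(perms):
    """List the basic permissions fully covered by a set of special permissions."""
    return [name for name, needed in BASIC if needed <= perms]


# Constructed sample data following the GeorgeJ example in the text
# ("Change" access is modelled as Modify).
ACL = [("GeorgeJ", "allow", READ),
       ("Techies", "allow", MODIFY),
       ("Administrators", "allow", FULL_CONTROL)]
FLAT = {"GeorgeJ": ["Techies"]}
NESTED = {"GeorgeJ": ["Techies"], "Techies": ["Administrators"]}

if __name__ == "__main__":
    for label, groups in (("Techies only", FLAT),
                          ("Techies in Administrators", NESTED)):
        granted = effective_permissions("GeorgeJ", ACL, groups)
        print(label, "->", basic_permissions(granted)[0])
    print("unlisted user ->", effective_permissions("Guest1", ACL, FLAT) or "no access")
    deny = ACL + [("GeorgeJ", "deny", {"Delete"})]
    print("with Deny Delete ->",
          basic_permissions(effective_permissions("GeorgeJ", deny, FLAT)))
```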

    Table 13-4 Special Permissions for Files

    | Special Permission | Full Control | Modify | Read & Execute | Read | Write |
    | --- | --- | --- | --- | --- | --- |
    | Traverse Folder/Execute File | X | X | X | | |
    | List Folder/Read Data | X | X | X | X | |
    | Read Attributes | X | X | X | X | |
    | Read Extended Attributes | X | X | X | X | |
    | Create Files/Write Data | X | X | | | X |
    | Create Folders/Append Data | X | X | | | X |
    | Write Attributes | X | X | | | X |
    | Write Extended Attributes | X | X | | | X |
    | Delete Subfolders and Files | X | | | | |
    | Delete | X | X | | | |
    | Read Permissions | X | X | X | X | X |
    | Change Permissions | X | | | | |
    | Take Ownership | X | | | | |

    Table 13-5 shows special permissions used to create the basic permissions for folders. As you study the special permissions, keep the following in mind:

    When you set permissions for parent folders, you can force all files and subfolders within the folder to inherit the permissions. You do this by selecting Reset Permissions On All Child Objects And Enable Propagation Of Inheritable Permissions.

    When you create files in folders, these files inherit certain permission settings. These permission settings are shown as the default file permissions.

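    Table 13-5 Special Permissions for Folders

    | Special Permissions | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write |
    | --- | --- | --- | --- | --- | --- | --- |
    | Traverse Folder / Execute File | X | X | X | X | | |
    | List Folder / Read Data | X | X | X | X | X | |
    | Read Attributes | X | X | X | X | X | |
    | Read Extended Attributes | X | X | X | X | X | |
    | Create Files / Write Data | X | X | | | | X |
    | Create Folders / Append Data | X | X | | | | X |
    | Write Attributes | X | X | | | | X |
    | Write Extended Attributes | X | X | | | | X |
    | Delete Subfolders and Files | X | | | | | |
    | Delete | X | X | | | | |
    | Read Permissions | X | X | X | X | X | X |
    | Change Permissions | X | | | | | |
    | Take Ownership | X | | | | | |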

    Setting File and Folder Permissions

    To set permissions for files and folders, follow these steps:

    1. In Windows Explorer, right-click the file or folder you want to work with.

    2. From the pop-up menu, select Properties, and then in the Properties dialog box click the Security tab, shown in Figure 13-12.

    3. Users or groups that already have access to the file or folder are listed in the Name list box. You can change permissions for the users and groups by doing the following:

    Select the user or group you want to change.

    Use the Permissions list box to grant or deny access permissions.

    Tip Inherited permissions are shaded. If you want to override an inherited permission, select the opposite permission.


    4. To set access permissions for additional users, contacts, computers, or groups, click Add. This displays the Select Users, Computers, Or Groups dialog box shown in Figure 13-13.

    Figure 13-12: Use the Security tab to configure basic permissions for the file or folder.

    5. Use the Select Users, Computers, Or Groups dialog box to select the users, computers, or groups for which you want to set access permissions. You can use the fields of this dialog box as follows:

    Look In This drop-down list box allows you to access account names from other domains. Click Look In to see a list of the current domain, trusted domains, and other resources that you can access. Select Entire Directory to view all the account names in the folder.

    Name This column shows the available accounts of the currently selected domain or resource.

    Add This button adds selected names to the selection list.

    Check Names This button validates the user, contact, and group names entered into the selection list. This is useful if you type names in manually and want to make sure they're available.

    6. In the Name list box, select the user, computer, or group you want to configure, and then use the fields in the Permissions area to allow or deny permissions. Repeat for other users, computers, or groups.

    7. Click OK when you're finished.

    Figure 13-13: Select users, computers, and groups that should be granted or denied access.

    Auditing System Resources

    Auditing is the best way to track what's happening on your Windows 2000 systems. You can use auditing to collect information related to resource usage, such as file access, system logon, and system configuration changes. Anytime an action occurs that you've configured for auditing, the action is written to the system's security log, where it's stored for your review. The security log is accessible from Event Viewer.

    Note: For most auditing changes, you'll need to be logged on using an account that is a member of the Administrators group or be granted the Manage Auditing And Security Log right in Group Policy.


    Setting Auditing Policies

    Auditing policies are essential to ensure the security and integrity of your systems. Just about every computer system on the network should be configured with some type of security logging. You configure auditing policies with Group Policy. Through Group Policy, you can set auditing policies for an entire site, domain, or organizational unit. You can also set policies for an individual workstation or server.

    Once you access the Group Policy container you want to work with, you can set auditing policies by completing the following steps:

    1. As shown in Figure 13-14, access the Audit Policy node by working your way down through the console tree. Expand Computer Configuration, Windows Settings, Security Settings, and Local Policies. Then select Audit Policy.

    2. The auditing options are

    Audit Account Logon Events Tracks events related to user logon and logoff.

    Audit Account Management Tracks account management by means of Active Directory Users And Computers. Events are generated anytime user, computer, or group accounts are created, modified, or deleted.

    Audit Directory Service Access Tracks access to the Active Directory. Events are generated any time users or computers access the directory.

    Audit Logon Events Tracks events related to user logon, logoff, and remote connections to network systems.

    Audit Object Access Tracks system resource usage for files, directories, shares, printers, and Active Directory objects.

    Audit Policy Change Tracks changes to user rights, auditing, and trust relationships.

    Audit Privilege Use Tracks the use of user rights and privileges, such as the right to back up files and directories.

    Note: The Audit Privilege Use policy doesn't track system access-related events, such as the use of the right to log on interactively or the right to access the computer from the network. These events are tracked with Logon and Logoff auditing.

    Audit Process Tracking Tracks system processes and the resources they use.

    Audit System Events Tracks system startup, shutdown, and restart, as well as actions that affect system security or the security log.

    3. To configure an auditing policy, double-click its entry or right-click and select Security. This opens a Properties dialog box for the policy.

    4. Select Define These Policy Settings, and then select either the Success check box or the Failure check box, or both. Success logs successful events, such as successful logon attempts. Failure logs failed events, such as failed logon attempts.

    5. Click OK when you're finished.

    Figure 13-14: Set auditing policies using the Audit Policy node in Group Policy.

    Auditing Files and Folders


    If you configure a group policy to enable the Audit Object Access option, you can set the level of auditing for individual folders and files. This allows you to control precisely how folder and file usage is tracked. Auditing of this type is only available on NTFS volumes.

    You can configure file and folder auditing by completing the following steps:

    1. In Windows Explorer, right-click the file or folder to be audited, and then from the pop-up menu select Properties.

    2. Choose the Security tab, and then click Advanced.

    3. In the Access Control Settings dialog box, select the Auditing tab, shown in Figure 13-15.

    4. If you want to inherit auditing settings from a parent object, ensure that Allow Inheritable Auditing Entries From Parent To Propagate To This Object is selected.

    5. If you want child objects of the current object to inherit the settings, select Reset Auditing Entries On All Child Objects And Enable Propagation Of Inheritable Auditing Entries.

    Figure 13-15: Once you audit object access, you can use the Auditing tab to set auditing policies on individual files and folders.

    6. Use the Auditing Entries list box to select the users, groups, or computers whose actions you want to audit. To remove an account, select the account in the Auditing Entries list box, and then click Remove.

    7. To add specific accounts, click Add, and then use the Select Users, Contacts, Computers, Or Groups dialog box to select an account name to add. When you click OK, you'll see the Auditing Entry For New Folder dialog box, shown in Figure 13-16.

    Note: If you want to audit actions for all users, use the special group Everyone. Otherwise, select the specific user groups or users, or both, that you want to audit.

    8. As necessary, use the Apply Onto drop-down list box to specify where objects are audited.

    9. Select the Successful or Failed check boxes, or both, for each of the events you want to audit. Successful logs successful events, such as successful file reads. Failed logs failed events, such as failed file deletions. The events you can audit are the same as the special permissions listed in Table 13-5, except you can't audit synchronizing of offline files and folders.

    10. Choose OK when you're finished. Repeat this process to audit other users, groups, or computers.

    Figure 13-16: Use the Auditing Entry For New Folder dialog box to set auditing entries for a user, contact, computer, or group.


    Auditing Active Directory Objects

    If you configure a group policy to enable the Audit Directory Service Access option, you can set the level of auditing for Active Directory objects. This allows you to control precisely how object usage is tracked.

    To configure object auditing, follow these steps:

    1. In Active Directory Users And Computers, access the container for the object.

    2. Right-click the object to be audited, and then from the pop-up menu select Properties.

    3. Choose the Security tab, and then click Advanced.

    4. In the Access Control Settings dialog box, select the Auditing tab. To inherit auditing settings from a parent object, make sure that Allow Inheritable Auditing Entries From Parent To Propagate To This Object is selected.

    5. Use the Auditing Entries list box to select the users, contacts, groups, or computers whose actions you want to audit. To remove an account, select the account in the Auditing Entries list box, and then click Remove.

    6. To add specific accounts, click Add, and then use the Select Users, Contacts, Computers, Or Groups dialog box to select an account name to add. When you click OK, the Auditing Entry For dialog box is displayed.

    7. Use the Apply Onto drop-down list box to specify where objects are audited.

    8. Select the Successful or Failed check boxes, or both, for each of the events you want to audit. Successful logs successful events, such as successful file reads. Failed logs failed events, such as failed file deletions.

    9. Choose OK when you're finished. Repeat this process to audit other users, contacts, groups, or computers.

    Permissions

    Updated: January 21, 2005

    Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


    Each type of object is controlled by an object manager. There is a different object manager for each type of object. The object types, their object managers, and the tools you use to manage these objects are as follows:

    | Object Type | Permission Descriptions | Procedures |
    | --- | --- | --- |
    | Files and folders | Permissions for files and folders | Set, view, change, or remove permissions on files and folders or Set, view, change, or remove special permissions |
    | Shares | Share permissions | Set permissions on a shared resource |
    | Registry keys | Maintain Registry Security | Add users or groups to the Permissions list |
    | Services | Services permissions | Local computer security for file system, registry, system services |
    | Printer | Assigning printer permissions | Set or remove permissions for a printer |
    | Terminal Services Connections | Managing Permissions on Connections or Controlling connection access | Manage Connection Permissions |
    | WMI object | Authorize WMI users and set permissions | Modify permissions or delete authorized users |
    | Active Directory objects | Active Directory object permissions. Best practices for assigning permissions on Active Directory objects. | |

    Permissions for files and folders

    Updated: January 21, 2005

    Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


    Folder permissions include Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. For information about the permissions, see File and folder permissions. Each of these permissions consists of a logical group of special permissions which are listed and defined below.


    | Permission | Description |
    | --- | --- |
    | Traverse Folder/Execute File | For folders: Traverse Folder allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. (Applies to folders only.) Traverse folder takes effect only when the group or user is not granted the Bypass traverse checking user right in the Group Policy snap-in. (By default, the Everyone group is given the Bypass traverse checking user right.) For files: Execute File allows or denies running program files. (Applies to files only). Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder. |
    | List Folder/Read Data | List Folder allows or denies viewing file names and subfolder names within the folder. List Folder only affects the contents of that folder and does not affect whether the folder you are setting the permission on will be listed. (Applies to folders only.) Read Data allows or denies viewing data in files. (Applies to files only.) |
    | Read Attributes | Allows or denies viewing the attributes of a file or folder, such as read-only and hidden. Attributes are defined by NTFS. |
    | Read Extended Attributes | Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program. |
    | Create Files/Write Data | Create Files allows or denies creating files within the folder. (Applies to folders only). Write Data allows or denies making changes to the file and overwriting existing content. (Applies to files only.) |
    | Create Folders/Append Data | Create Folders allows or denies creating folders within the folder. (Applies to folders only.) Append Data allows or denies making changes to the end of the file but not changing, deleting, or overwriting existing data. (Applies to files only.) |
    | Write Attributes | Allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS. The Write Attributes permission does not imply creating or deleting files or folders, it only includes the permission to make changes to the attributes of a file or folder. In order to allow (or deny) create or delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete. |
    | Write Extended Attributes | Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program. The Write Extended Attributes permission does not imply creating or deleting files or folders, it only includes the permission to make changes to the attributes of a file or folder. In order to allow (or deny) create or delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete. |
    | Delete Subfolders and Files | Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file. (Applies to folders.) |
    | Delete | Allows or denies deleting the file or folder. If you do not have Delete permission on a file or folder, you can still delete it if you have been granted Delete Subfolders and Files on the parent folder. |
    | Read Permissions | Allows or denies reading permissions of the file or folder, such as Full Control, Read, and Write. |
    | Change Permissions | Allows or denies changing permissions of the file or folder, such as Full Control, Read, and Write. |
    | Take Ownership | Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder. |
    | Synchronize | Allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies only to multithreaded, multiprocess programs. |

    For more information, see Set, view, change, or remove special permissions and Set, view, change, or remove permissions on files and folders.

    Note

    You will not be able to access an encrypted file without the Encrypting File System (EFS) key, even if you have the necessary permissions. For information about EFS, see Encrypting File System.

    Permissions on a file server

    Updated: January 21, 2005

    Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


    Access on a shared folder is determined through two sets of permission entries; the permissions set on the share (called share permissions) and the permissions set on the folder (called NTFS file and folder permissions). Share permissions are often used for managing computers with FAT32 file systems, or other computers that don't use the NTFS file system.


    Share Permissions and NTFS Permissions are independent in the sense that neither changes the other. The final access permissions on a shared folder are determined by taking into consideration both the Share permission and the NTFS permission entries. The more restrictive permissions are then applied.

    The following table suggests permissions that a security-conscious administrator could grant to the Users group for certain shared folder types. The recommended permissions have been tested, and work correctly; but there are alternative approaches. For example, some experienced administrators prefer always to set share permissions to Full Control for Everyone, and to rely entirely on NTFS permissions to restrict access.

    | Folder type | Share permissions | NTFS permissions |
    | --- | --- | --- |
    | Public folder. A folder that can be accessed by everyone. | Grant Change permission to the Users group. | Grant Modify permission to the Users group. |
    | Drop folder. A folder where users can drop confidential reports or homework assignments that only the group manager or instructor can read. | Grant the Change permission to the Users group. Grant the Full Control permission to the group manager. | Grant the Write permission for the users' group that is applied to This Folder only (This is an option available on the Advanced page.) For more information, see Set, view, change, or remove special permissions. If each user needs to have certain permissions to the files that he or she dropped, you can create a permission entry for the Creator Owner Security identifiers (SID) and apply it to Subfolder and files only. For example, you can grant the Read and Write permission to the Creator Owner SID on the drop folder and apply it to all subfolders and files. This grants the user who dropped or created the file (the Creator Owner) the ability to read and write to the file. The Creator Owner can then access the file through the Run command using \\ServerName\DropFolder\FileName. Grant the Full Control permission for the group manager. |
    | Application folder. A folder containing applications that can be run over the network. | Grant Read permission for the Users group. | Grant Read, Read and Execute, and List Folder Content permissions to the Users group. |
    | Home folders. Individual folders for each user. Only the user has access to the folder. | Grant the Full Control permission to each user on their respective folder. | Grant the Full Control permission to each user for their respective folder. |

    Notes

    Granting a user Full Control NTFS permission on a folder enables that user to take ownership of the folder unless the user is restricted in some other way. Be cautious in granting Full Control.

    If you want to manage folder access by using NTFS permissions exclusively, set Share permissions to Full Control for Everyone. This frees you from having to think about Share permissions, but NTFS permissions are more complex than Share permissions, so using NTFS permissions correctly requires deeper understanding on your part. For more information on NTFS permissions, search for the term "NTFS permissions" on TechNet on the Microsoft Web site.

    NTFS permissions affect access both locally and remotely. NTFS permissions apply regardless of protocol. Share permissions, by contrast, apply only to network shares. Share permissions do not restrict access to any local user, or to any terminal server user of the computer on which you have set Share permissions. Thus, Share permissions do not provide privacy between users on a computer used by several users, nor on a terminal server accessed by several users.

    By default, Everyone does not include Anonymous, so permissions applied to Everyone do not affect Anonymous. This default behavior is new for the Windows Server 2003 family.
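How the two permission sets combine, as an added Python example (not Microsoft's code): network access gets only the rights present in both the share and the NTFS entries, local access sees NTFS alone, and a delete succeeds through Delete on the item or Delete Subfolders and Files on its parent. The bit values are the standard Windows access-mask constants; mapping share Read, Change and Full Control onto the NTFS Read & Execute, Modify and Full Control rights is an assumption, as are the function names.

```python
# Added example: models how share and NTFS permissions combine; it reads no real ACLs.

# Access-mask bits behind the special permissions (standard Windows SDK values).
READ_DATA, WRITE_DATA, APPEND_DATA = 0x0001, 0x0002, 0x0004
READ_EA, WRITE_EA, EXECUTE, DELETE_CHILD = 0x0008, 0x0010, 0x0020, 0x0040
READ_ATTR, WRITE_ATTR = 0x0080, 0x0100
DELETE, READ_PERMS, CHANGE_PERMS, TAKE_OWNERSHIP = 0x10000, 0x20000, 0x40000, 0x80000

NAMES = {
    EXECUTE: "Traverse Folder/Execute File", READ_DATA: "List Folder/Read Data",
    READ_ATTR: "Read Attributes", READ_EA: "Read Extended Attributes",
    WRITE_DATA: "Create Files/Write Data", APPEND_DATA: "Create Folders/Append Data",
    WRITE_ATTR: "Write Attributes", WRITE_EA: "Write Extended Attributes",
    DELETE_CHILD: "Delete Subfolders and Files", DELETE: "Delete",
    READ_PERMS: "Read Permissions", CHANGE_PERMS: "Change Permissions",
    TAKE_OWNERSHIP: "Take Ownership",
}

# NTFS basic permissions composed as in the page's special-permissions tables
# (Synchronize is left out to match those tables).
NTFS_READ = READ_DATA | READ_ATTR | READ_EA | READ_PERMS
NTFS_WRITE = WRITE_DATA | APPEND_DATA | WRITE_ATTR | WRITE_EA | READ_PERMS
NTFS_READ_EXECUTE = NTFS_READ | EXECUTE
NTFS_MODIFY = NTFS_READ_EXECUTE | NTFS_WRITE | DELETE
NTFS_FULL = NTFS_MODIFY | DELETE_CHILD | CHANGE_PERMS | TAKE_OWNERSHIP

# Assumption: share levels carry the same rights as these NTFS levels.
SHARE_READ, SHARE_CHANGE, SHARE_FULL = NTFS_READ_EXECUTE, NTFS_MODIFY, NTFS_FULL


def effective_access(ntfs, share, over_network):
    """Network access keeps only rights granted by both sets; local access sees NTFS only."""
    return ntfs & share if over_network else ntfs


def can_delete(item_access, parent_access):
    """Delete on the item itself, or Delete Subfolders and Files on its parent folder."""
    return bool(item_access & DELETE or parent_access & DELETE_CHILD)


def describe(mask):
    """Translate an access mask back into special-permission names."""
    return [name for bit, name in NAMES.items() if mask & bit]


# Constructed scenarios: (NTFS, share) pairs based on the suggested-permissions table,
# plus one folder restricted by the share alone.
SCENARIOS = {
    "public folder": (NTFS_MODIFY, SHARE_CHANGE),
    "drop folder (users)": (NTFS_WRITE, SHARE_CHANGE),
    "application folder": (NTFS_READ_EXECUTE, SHARE_READ),
    "NTFS-only management": (NTFS_MODIFY, SHARE_FULL),
    "share-only restriction": (NTFS_MODIFY, SHARE_READ),
}


def report():
    """Return {scenario: (network mask, local mask)} for every scenario."""
    return {name: (effective_access(ntfs, share, True),
                   effective_access(ntfs, share, False))
            for name, (ntfs, share) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (remote, local) in report().items():
        gap = describe(local & ~remote)
        print(f"{name:24} network={remote:#08x} local={local:#08x}")
        if gap:
            print(f"{'':24} rights available only to local users: {', '.join(gap)}")
    print("Read-only file in a Full Control folder can be deleted:",
          can_delete(NTFS_READ, NTFS_FULL))
```

The "share-only restriction" row shows why the note above matters: the share limits network users to read and execute, while a local or terminal server user on the same machine keeps every Modify right.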
