If you're an old hand when it comes to NTFS permissions, you'll find that not too much has changed with regard to permissions themselves in Windows Server 2012. However, with a new interface comes slightly different ways to accomplish familiar tasks. In this post, I'll describe the ins and outs of NTFS permissions in Windows Server 2012.
If you're new to NTFS permissions, this article will be of use to you, too. You'll learn about the tricks that make NTFS permissions work the way they do.First, let's take a look at the Security tab of a folder on my lab server. To get to this page, simply right-click a folder and, from the shortcut menu, choose Properties. Next, choose the Security tab and you will see a screen like the one shown in Figure A.
The Security tab
On this tab, you can see that there are a number of different permissions available for the selected user. Any changes you make will apply only to the selected user. If you want to make changes to multiple users, either add the user to a group and then apply permissions to the group or individually apply permissions to individual users one by one.
I'll start with an explanation for what each permission means. Bear in mind that permissions can be set at both the folder and the file level. The table below outlines what each permission does for both folders and files.
|Permission name||Description (folder)||Description (file)|
|Full control||The user has full control to the folder and can add, change, move and delete items. The user can also add and remove permissions on the folder as well as for any subfolders. The italicized sentence is very important to keep in mind. This permission level can be dangerous in the wrong hands.||The user has full control to the file and can change, move or delete it. The user can also add and remove permissions on the file.|
|Modify||A combination of Read and Write permissions. A user also has the ability to delete files within a folder that has the Modify permission. She can also view the contents of subfolders.||A user is able to modify the contents of the selected file.|
|Read & execute||Users are allowed to read the contents of files in the folder or execute programs inside the folder.||Users are allowed to read the contents of the file or execute the program.|
|List folder contents||Allows the user to view the contents of the selected folder. The user is not allowed to read a file's contents or execute a file.||This permission is not available at the file level|
|Read||The user can read the contents of a folder.||The user can read the contents of a file.|
|Write||A user can create files and folders. This does not grant a user with the ability to read any existing information.||A user can create a file.|
You will note that the permissions screen has both Allow and Deny columns. You are able to allow a user a particular set of rights or deny a user access rights to a particular file or folder.
As you create groups for permissions reasons, understand that the permissions that you assign are cumulative. So, perhaps you grant a user's account rights to read/execute the contents of a folder and you grant a group to which the user belongs the ability to write to a folder. The user will get all of those permissions because NTFS rights are cumulative.
When Deny permissions are involved, they always override Allow permissions. It's not considered a best practice to use Deny permissions a whole lot. Doing so can create administrative nightmares that are difficult to solve. That said, Deny can be useful when group permissions have been applied to a folder, but you still want a user in that group to be denied access to the folder.
Basic NTFS permissions are relatively easy to understand. It's once you start combining them with other permission sets that things start to get tricky.
Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive with CampusWorks, Inc. Scott is available for consulting, writing, and speaking engagements and can be reached at firstname.lastname@example.org.