Data Centers

Setting basic NTFS permissions in Windows Server 2012

Scott Lowe reviews the basics of setting NTFS permissions in Windows Server 2012.

If you're an old hand when it comes to NTFS permissions, you'll find that not too much has changed with regard to permissions themselves in Windows Server 2012. However, with a new interface comes slightly different ways to accomplish familiar tasks. In this post, I'll describe the ins and outs of NTFS permissions in Windows Server 2012.

If you're new to NTFS permissions, this article will be of use to you, too. You'll learn about the tricks that make NTFS permissions work the way they do.

First, let's take a look at the Security tab of a folder on my lab server. To get to this page, simply right-click a folder and, from the shortcut menu, choose Properties. Next, choose the Security tab and you will see a screen like the one shown in Figure A.

Figure A

The Security tab

On this tab, you can see that there are a number of different permissions available for the selected user. Any changes you make will apply only to the selected user. If you want to make changes to multiple users, either add the user to a group and then apply permissions to the group or individually apply permissions to individual users one by one.

Permissions explained

I'll start with an explanation for what each permission means. Bear in mind that permissions can be set at both the folder and the file level. The table below outlines what each permission does for both folders and files.

Permission name Description (folder) Description (file)
Full control The user has full control to the folder and can add, change, move and delete items. The user can also add and remove permissions on the folder as well as for any subfolders. The italicized sentence is very important to keep in mind.  This permission level can be dangerous in the wrong hands. The user has full control to the file and can change, move or delete it. The user can also add and remove permissions on the file.
Modify A combination of Read and Write permissions. A user also has the ability to delete files within a folder that has the Modify permission. She can also view the contents of subfolders. A user is able to modify the contents of the selected file.
Read & execute Users are allowed to read the contents of files in the folder or execute programs inside the folder. Users are allowed to read the contents of the file or execute the program.
List folder contents Allows the user to view the contents of the selected folder.  The user is not allowed to read a file's contents or execute a file. This permission is not available at the file level
Read The user can read the contents of a folder. The user can read the contents of a file.
Write A user can create files and folders.  This does not grant a user with the ability to read any existing information. A user can create a file.

You will note that the permissions screen has both Allow and Deny columns. You are able to allow a user a particular set of rights or deny a user access rights to a particular file or folder.

As you create groups for permissions reasons, understand that the permissions that you assign are cumulative. So, perhaps you grant a user's account rights to read/execute the contents of a folder and you grant a group to which the user belongs the ability to write to a folder. The user will get all of those permissions because NTFS rights are cumulative.

When Deny permissions are involved, they always override Allow permissions. It's not considered a best practice to use Deny permissions a whole lot. Doing so can create administrative nightmares that are difficult to solve. That said, Deny can be useful when group permissions have been applied to a folder, but you still want a user in that group to be denied access to the folder.

Summary

Basic NTFS permissions are relatively easy to understand. It's once you start combining them with other permission sets that things start to get tricky.

About

Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive w...

3 comments
react66
react66

So Microsoft consultants are totally dazzled by the new colour scheme that they actually thing the NTFS permission settings have changed? It looks exactly the same as Windows NT4 and in truth it still isn't much different. even if you cover the interface with squares. OK you MS lovers attack LOL

pethers
pethers

This seems to be exactly the same as previous versions of Windows Server - I was expecting something new or different to warrant an article.

Scott Lowe
Scott Lowe

I realize that some of these articles are basic for people who know older versions of Windows and that some of the information has not drastically changed since previous versions. However, new people enter the world of IT every day and, for many, Windows Server 2012 will be the very first Windows server they every see. They, too, need information and guidance just as the rest of us did when Windows NT first came on the scene.

Editor's Picks