As I mentioned in my previous Daily Drill Down on using permissions in Windows 2000 (“File-sharing permissions in Windows 2000“), setting folder and file permissions gives you some network security, but it doesn’t secure your PC desktop. When you use the NT file system (NTFS) in Windows 2000, however, you can set file permissions at the local PC level in addition to the file-sharing permissions of the network environment.

In this Daily Drill Down, I will cover NTFS permissions in Windows 2000. Finally, you can read a series of articles that permits you to understand permissions. I’ll cap off the series with a Daily Feature that covers the confusing issue of “Combining sharing and NTFS permissions in Windows 2000.” When you finish the series, you should be able to troubleshoot permission issues more quickly as they occur on your network and clients.

NTFS permissions overview
As I mentioned earlier, NTFS permissions can be set only on drives partitioned with NTFS. NTFS permissions, like sharing permissions, specify who can access a particular resource, but they work at the local level. That means a user sitting down at a PC is bound by NTFS permissions too, not just a user accessing the resource across a network.

NTFS permissions can be assigned to drives and folders, just like sharing permissions, but they also can be assigned to individual files. Unlike sharing permissions, in which the default setting for a resource is Not Shared, NTFS permissions are set to allow access by default.

Don’t miss part 1

To learn how Windows 2000 sharing works, read “File-sharing permissions in Windows 2000.”

Folder and drive permissions
NTFS offers many more types of permission than the simple Read, Change, and Full Control of sharing permissions. For folders and drives, you can assign these permissions:

  • List Folder Contents: View folder contents
  • Read: View folder contents, open files, and view file and folder attributes
  • Read & Execute: Same as Read, plus the ability to move through folders to reach other files and folders, even if no permission is granted for those folders
  • Write: Same as Read, plus the ability to create and edit files and subfolders and change attributes
  • Modify: Combination of Read & Execute and Write, plus the ability to delete the folder
  • Full Control: Same as Modify, plus the ability to change permissions, take ownership, and delete subfolders and files

File level permissions
The permissions for individual files are the same types, except there is no List Folder Contents permission. For files, you can assign these permissions:

  • Read: Open the file, view its attributes, ownership, and permissions
  • Read & Execute: Same as Read, plus the ability to run applications
  • Write: Same as Read, plus the ability to change file content and attributes
  • Modify: Same as Write and Read & Execute combined, plus the ability to delete the file
  • Full Control: Same as Modify, plus the ability to change permissions and take ownership

Just like sharing permissions, NTFS permissions can be set to allow or not, depending on whether the Allow check box is marked. Permissions are cumulative and can be inherited from parent folders or drives. NTFS permissions can also be set to Deny, but for the same reasons I stated earlier, use Deny very sparingly.

To set NTFS permissions, you use the Security tab on the Data Properties page for a drive, folder, or file. The controls will seem familiar, as they’re almost the same as the ones for setting sharing permissions. See Figure A.

Figure A
Set NTFS permissions on the Security tab on the Data Properties box.

Inheriting permissions
Notice the check box at the bottom of Figure A. When it is turned on, the folder or file will inherit the permissions of the parent object (that is, the drive or folder in which it resides). The gray check boxes in Figure A indicate that those permissions are inherited rather than specific to this folder.

If you deselect the Allow Inheritable Permissions check box, a dialog box appears asking what you want to do about those inherited settings. (You won’t see this on drives, because they have nothing to inherit from, being at the top level already.) You can choose to copy them or to remove them. If you remove them, all permissions and all users that were inherited are stripped out, leaving you a clean slate with which to create new NTFS permissions for the object. Any permissions that were specifically set for this resource beforehand remain. If you copy the settings, all the settings remain the same, but the gray goes away from the check boxes, indicating that these settings are now independent settings for this folder or file only.

Special access permissions
But wait—there’s more. In addition to the normal NTFS permissions, there are 14 “special access” permissions. These let you fine-tune the permissions granted for a particular object. These are not actually separate permissions from the standard ones, but rather refinements of them. For example, the standard Read permission actually involves four separate permissions rolled into one. The special permissions break them down into four separate settings: Read Data, Read Attributes, Read Permissions, and Read Extended Attributes. By default, the special access permissions are set according to the standard permission settings you have specified, but you can change them as desired.

To view the special permission settings, click the Advanced button on the Security tab. This opens the Access Control Settings For Data dialog box, shown in Figure B.

Figure B
Control access for a resource more precisely from the Access Control Settings For Data dialog box.

From here, double-click one of the listed users or groups to display the settings for the 14 extra permissions. Figure C shows the Permission Entry For Data dialog box that opens.

Figure C
You can set more specific permissions here than are possible with the normal NTFS permissions.

Most of these special permissions are useful only in odd circumstances. For example, suppose you have granted a group Modify access to a particular folder, but you want to make it impossible for them to delete a certain file in that folder. You could set one of the special access permissions—Delete—to Deny for that file.

There are two special access permissions you might use more frequently: Take Ownership and Change Permissions. Change Permissions is a permission that normally comes only with Full Access, but you can specifically grant it for a resource here. Take Ownership allows a user to transfer the ownership of the file or folder to himself or herself. There can be only one “owner” for a file or folder at a time, and that user is the only member of the CREATOR OWNER group for that object. You can assign certain rights to that group, just as you can assign permissions to any other group. The Take Ownership permission enables someone to usurp the title of Owner from another for that resource.

Note that having permission to take ownership of a resource does not automatically take the ownership. If a user has the permission to take ownership, the Owner tab appears in the Access Control Settings dialog box for the resource. Click the Owner tab and then choose yourself on the list of users. (You cannot choose anyone else; you must choose the user name with which you are logged on.) If you also want to take ownership of all subordinate folders and files, mark the Replace Owner On Subcontainers And Objects check box.

Here are some more tips for using NTFS permissions:

  • Try to assign NTFS permissions to folders rather than individual files, and make sure that the files are set to inherit their permission from the folder. (That’s the default setting, so you don’t have to check every single file.)
  • Create folders according to access requirements—for example, a folder for files that Marketing needs, another for files that Engineering needs, and so on, and assign NTFS permissions to those folders for the people who need them.
  • To prevent users from accidentally deleting important applications or data, remove the Everyone permission and assign the Read & Execute permission to the Users group and the Administrators group for the folder.
  • As with sharing permissions, give users only the access level that they require. In most cases, Full Control should reside only with the CREATOR OWNER group.

Don’t use Deny except when it is necessary because it can create administrative headaches later.

What happens to permissions when you move or copy?
When you copy a folder that has specifically been shared (rather than just inheriting sharing from its parent), the original remains shared, but the copy is reset to Not Shared. However, if you copy the folder to a drive or folder that is shared, it will inherit the sharing setting of its new parent location. The same goes for moving a folder. Any specific sharing permissions it has are removed, but it is free to inherit sharing from the new location.

When you copy or move a file or folder from an NTFS drive to a FAT or FAT32 drive, all NTFS permission settings are removed, leaving it wide-open for anyone to access.

When you copy to another NTFS drive, or within the same drive, any old NTFS permissions assigned specifically to the original are stripped away, and it inherits NTFS permissions from the new location. In order to copy, you must have Write permission for the destination. The user doing the copying becomes the CREATOR OWNER of the copy.

When you move a file or folder to another NTFS drive, the permissions work just like copying. Any old permissions are removed, and the file or folder inherits permissions from the new location. You must have Modify permission for the file or folder being moved and Write permission for the destination drive or folder. The user doing the moving becomes the CREATOR OWNER of the file.

When you move a file or folder to a different location on the same NTFS drive, however, permissions work a little differently. The moved file or folder does inherit permissions from the new location, but if there were any permissions set specifically for that object, they are retained and they override the new inheritances. You must have Modify permission for the file or folder being moved and Write permission for the destination drive or folder. The CREATOR OWNER does not change.

In this Daily Drill Down, I’ve continued my series on using permissions in Windows 2000. You learned to create folder and file permissions for groups and individuals using the NTFS file system. You learned how NTFS permissions are inherited and what happens when you move or copy folders and files. In the next piece in this series, I’ll show you how sharing and NTFS permissions interact.