Permissions
Permissions are different than rights: A right governs an action that can be performed on the computer, but a permission is a user's level of access to a resource. For example, you can give a user permission to read or modify a file.
Permissions can be configured only on a partition formatted for NTFS. To obtain an NTFS partition, you can format the partition for NTFS (but lose all existing data), or you can convert the drive to NTFS by using the convert driveletter: /fs:ntfs command. When you convert, the existing data on the drive is preserved.
Here are the available permissions:
- Read permissions: What I call the read permission is a combination of the three default permissions - Read, Read and Execute, and List Folder Contents. I personally classify all three as the "read" permission because, at a minimum, this is typically what users need in order to read the file. The Read permission allows you read the contents of a file, the Read and Execute permission allows you to read the contents of the file and execute a program, and the List Folder Contents permission allows you to see the file when you look in the folder.
- Modify: The Modify permission allows a user to read, modify, and delete a file. When given the Modify permission to a folder, a user can also create new files or folders in that folder.
- Full Control: The Full Control permission allows a user to do everything that the Modify permission allows, but the user can also change permissions on the resource or take ownership of the resource. Remember that if someone can take ownership of the resource, that person can change the permissions. The Full Control permission should be used sparingly so that not everyone has the permission to change permissions on you.
- Write: The Write permission is used by the Modify permission to allow users to write to the file or folder. When you choose the Modify permission you will notice that the Write permission is automatically selected.
You will notice that a number of existing permissions have gray check boxes next to them. The gray check box means that you are not allowed to change the permission because the permission is being inherited from a parent level. Permission inheritance is a feature of Windows that is designed to minimize how much permission management you need to do. With permission inheritance, when you set permission on a folder, that permission applies to all subfolders and files; you don't need to go to subfolders and files to set the same permission.
When you go to modify the permissions on a folder, however, you need to understand that the existing permissions are being inherited from the parent folder; in order to change the permissions, you need to break the permission inheritance feature on the folder by going to the properties of the folder, clicking the Security tab, and clicking the Advanced button. Clicking the Advanced button takes you into the Advanced Security Settings dialog box for the folder, where you can turn off the Inherit from Parent . . . option.
After you turn off the inheritance option and choose OK to close that screen, you are presented with a dialog box asking whether you want to remove the existing permissions or copy the permission down from the parent folder so that you do not have to set all permissions again. Typically, I choose Remove and then add whomever needs to have access to the folder.
When you have removed the existing permissions, you can add new users or groups to the permission list on the Security tab by clicking the Add button. You can type the name of the account or group you want to assign the permission to and then click the Check Names button. After you have added all the users and groups to the permission list, you then choose which permission you want assigned to each user by selecting the user in the permission list and then choosing the permission. For example, notice that the Accountants group has the Modify permission.