Configure File System permissions
Most users are familiar with using the File Explorer tool to view and manage files and folders. When administrating shared files and folders over a network, this is still the primary tool to configure file- and folder-level permissions. Although permissions have been part of NTFS and earlier versions of Windows, ensure that you are familiar with the changes offered in Windows 10.
Use File Explorer to manage files and folders
The most common tool used is File Explorer, which is located on the taskbar and the Start screen. Typical functions provided through File Explorer include:
- Creating new folders and files.
- Viewing and accessing files and folders.
- Searching for files and information contained in files.
- Managing properties of files and folders.
- Previewing contents or thumbnails of files and folders.
The quick access area is new in Windows 10 and appears at the uppermost left area of the File Explorer navigation pane; it includes pinned shorts for the Desktop, Downloads, Documents, Pictures, and Music. As you browse and access files in other folders on your computer, folder shortcuts for these items appear in the right navigation pane under Frequent Folders or Recent Files. You can modify the behavior of Quick Access by right-clicking Quick Access and selecting Options.
On a shared computer, you might want to clear the check boxes for Show Recently Used Files In Quick Access and Show Frequently Used Folders In Quick Access.
Set file and folder permissions
Volumes formatted using either NTFS or the newer ReFS enable you to configure file and folder permissions. NTFS is robust, reliable, and effective and enables you to configure granular permissions on both files and folders that determine how individual users and groups can use the objects.
The creator of the resource, such as a file or folder, is automatically assigned the special status of creator-owner, and they can grant or deny permissions to it. Administrators and anyone given the Full Control permission also can modify permissions for that file or folder.
To modify permissions to a file or folder, access the Security tab in the object's properties.
If a user leaves the organization or the account is deleted, an Administrator can take ownership of the files and folders to modify permissions by changing the Owner principal in the Advanced settings in Properties.
If you have the permission to modify the security settings in the access control list (ACL), you can add or remove users or groups and then grant or deny a specific permission level. In organizations, you assign permissions to groups rather than to multiple users because this minimizes administrative effort.
Review the acronyms relating to objects that you might use when applying security permissions, as shown in Table.
Name Acronym Description Access control list ACL A list of users and groups with permissions on the object Access control entry ACE Identifies specific permissions granted to a user or group Discretionary acccess DACL Specifies which user has access control list to the object System access control SACL Specifies which operations can be list performed by specific users
When assigning permissions to several groups, remember that the security settings have a cumulative effect; you should review the effective permissions obtained for the user by following these steps.
- Open Windows Explorer.
- Navigate to the file or folder whose effective permissions you want to view.
- Right-click the file or folder, click Properties, and click the Security tab.
- Click Advanced and then click the Effective Access tab.
- Next to the User/Group, click Select A User.
- On the Select User Or Group dialog box, click in the Enter The Object Name To Select (Examples) box, enter the name of a user or group, and then click OK.
- Click View Effective Access.
You should now see the detailed effective permissions of the user or group for that file or folder.
When configuring permissions for files and folders, you can configure basic or advanced permissions. Unless you are seeking a very fine degree of control to a resource, you typically work with basic permissions and assign them to groups and users, as shown in Table below.
File permission Description Full Control Complete authority and control of all file or folder permissions. Modify Ability to read a file, write change to it, and modify permissions. Read & Ability to see folder content, read files and Execute attributes, and start programs. Read Ability to read a file but not make any changes to it. Write Ability to change folder or file content and create new files. Special Indication of whether additional advanced Permissions permissions have been configured for the file or folder.
Note: Basic and Advanced Permissions
If you are familiar with older versions of Windows, you might notice that Windows 10 uses the modern naming for permissions as follows: Standard Permissions has been changed to Basic Permissions, and Special Permissions has been changed to Advanced Permissions.
Basic permissions are easier to manage and document. Under the hood, a basic permission is made from a combination of individual advanced special permissions. Consider that permissions for folders can have a different effect on files, as described in Table below.
Basic Description: When Applied Description: When Applied Permission to a folder to a file Full Control Permits reading, writing Permits reading, writing changing, and deletion of changing, and deletion of files and fubfolders. Allows the file. Allows modification the modification of of permissions on files. permissions on folders. Modify Permits reading, writing, Permits reading, writing, changing, and deletion of changing, and deletion of files and subfolders. Does the file. Does not allow not allow changes to changes to the permissions permissions on folders. on files. Read & Allows the content of the Allows the file to be accessed and Execute folder to be accessed and executed (run). executed. List Folder Allows the contents of the Does not apply to files. Contents folder to be viewed. Read Allows content to be read. Allows access to the contents. Does not allows files to be executed. Write Allows addition of files and Allows a user to modify but not subfolders to the folder. delete a file.
Behind the basic permissions is a matrix of 13 advanced permissions that can also be applied to files and folders. Each basic permission is a collection of one or more advanced permissions, as shown in Table below.
Advanced Full Modify Read & List Folder Read Write Permission Control Execute Contents Traverse Folder X X X X /Execute File List Folder/ X X X X X Read Data Read X X X X X Attributes Read Extended X X X X X Attributes Create Files/ X X X Write Data Create Files/ X X X Append Data Write X X X Attributes Write Extended X X X Attributes Delete X Subfolders and Files Delete X X Read X X X X X X Permission Change X Permissions Take X Ownership
It is recommended to use basic permissions unless there is a clear requirement for setting advanced permissions; otherwise, they can become complex and difficult to troubleshoot. If you do use the advanced permissions, it is best practice to document any modifications so that you can review the configuration and, if necessary, reverse the settings.
Many inexperienced users who configure NTFS permissions can complicate the settings on files by setting advanced permissions, frequently using deny permissions, and setting for individual users instead of for groups. There is a strict canonical order or hierarchy of how Deny and Allow permissions can interoperate, and the general rule is that a Deny setting prevents an Allow setting.
Remember the principle of least administration when applying NTFS or ReFS permissions. If you want to prevent a user or group from having any access to a resource, you could set no permissions. If neither Allow nor Deny permission is explicitly configured or inherited on a resource, users are prevented from accessing the file or folder.
Table below to understand the relationship between Deny and Allow settings and how the behavior changes, depending on how the setting is applied.
Permission Description Check box Type Status Explicit The user is denied the permission on Check box is Deny the file or folder. selected. Explicit The user is allowed the permission on Check box is Allow the file or folder. selected. Inerited Deny permission is applied to the file Check box is Deny or fubfolders by virtue of permission dimmed but given to the parent folder. selected. Not When no permissions are assigned, the Check box is Configured user has no permission to access the cleared. file or folder. Inherited Allow permission is applied to the file Check box is Allow or subfolder by virtue of permissions dimmed but given to the parent folder. selected.
Note: When Allow Overrides Deny
When applying permissions to groups and allowing inheritance, sometimes one group has an explicit Allow setting, and another group has an inherited Deny setting. If a user is a member of both groups, the Allow setting will override the implicit Deny.
Although the majority of administrators will use File Explorer to set individual ACLs for files and folders, you can also use Windows PowerShell or the ICACLS command-line utility.
Windows PowerShell offers two cmdlets that you can use to manage file and folder permissions: Get-Acl and Set-Acl. For additional information and examples of how to use these cmdlets, type Get-Help Get-Acl, or Get-Help Set-Acl.
ICACLS enables you to configure and view permissions on files and folders on a local computer. Some of the most common ICACLS parameters and permission masks are shown in Table below.
Parameter/ Description Permission Mask /grant Grants specific user access rights. Permissions replace previously granted explicit permissions. /deny Explicityly denies specified user access rights. An explicit Deny ACE is added for the stated permissions, and the same permissions in any explicit grant are removed. /reset Replaces ACLs with default inherited ACLs for all matching files. F Full access. M Modify access. RX Read and execute access. R Read-only access. W Write-only access. (OI) Object inherit. (NP) Do not propagate inherit.
To grant a permission, use the /grant switch, as the following example on an existing folder named C:\Temp\Working Folder shows.
- Open File Explorer.
- Navigate to the folder on which you want to set permissions.
- Click File and then click Open Command Prompt.
- Type the following command.
Icacls.exe "C:\Temp\Working Folder"\ /grant Demo:(OI)M
- Type Icacls.exe "C:\Temp\Working Folder"\ to view the permissions.
Understand NTFS inheritance
Setting NTFS permissions on hundreds of files and folders would take a long time, especially if each setting were configured manually. Fortunately, you don't need to because by default NTFS and ReFS security permissions are inherited from their parent folder.
You can review the inheritance status of a file or folder in File Explorer by following these steps.
- Open File Explorer.
- Navigate to the folder whose inheritance settings you want to review.
- Right-click the file or folder, choose Properties, and click Advanced.
- On the Permissions tab, review the permission entries and notice the Inherited From column.
Disable Inheritance button. If you select this button, you are presented with the following choices.
- Convert Inherited Permissions Into Explicit Permissions On This Object
- Remove All Inherited Permissions From This Object
The option to convert inherited permissions to explicit permissions on this object stops inheritance from flowing from the parent folders and changes the permissions on all child items from implicit permissions to explicit permissions. You can then modify the permissions.
If you choose the second option, Remove All Inherited Permissions From This Object, you completely remove all permissions. This provides you with a folder structure with no permissions at all.
Both of these options are powerful. Best practice recommends employing inheritance wherever possible, to ease administration. You should also document and test your outline folder structure before it becomes too large. A big change on a small structure is simple to put in place, whereas modifying a large, established file structure could be cumbersome.