Windows 10

Configure File System permissions

Most users are familiar with using the File Explorer tool to view and manage files and folders. When administrating shared files and folders over a network, this is still the primary tool to configure file- and folder-level permissions. Although permissions have been part of NTFS and earlier versions of Windows, ensure that you are familiar with the changes offered in Windows 10.

Use File Explorer to manage files and folders

The most common tool used is File Explorer, which is located on the taskbar and the Start screen. Typical functions provided through File Explorer include:

  • Creating new folders and files.
  • Viewing and accessing files and folders.
  • Searching for files and information contained in files.
  • Managing properties of files and folders.
  • Previewing contents or thumbnails of files and folders.

The quick access area is new in Windows 10 and appears at the uppermost left area of the File Explorer navigation pane; it includes pinned shorts for the Desktop, Downloads, Documents, Pictures, and Music. As you browse and access files in other folders on your computer, folder shortcuts for these items appear in the right navigation pane under Frequent Folders or Recent Files. You can modify the behavior of Quick Access by right-clicking Quick Access and selecting Options.

On a shared computer, you might want to clear the check boxes for Show Recently Used Files In Quick Access and Show Frequently Used Folders In Quick Access.

Set file and folder permissions

Volumes formatted using either NTFS or the newer ReFS enable you to configure file and folder permissions. NTFS is robust, reliable, and effective and enables you to configure granular permissions on both files and folders that determine how individual users and groups can use the objects.

The creator of the resource, such as a file or folder, is automatically assigned the special status of creator-owner, and they can grant or deny permissions to it. Administrators and anyone given the Full Control permission also can modify permissions for that file or folder.

To modify permissions to a file or folder, access the Security tab in the object's properties.

If a user leaves the organization or the account is deleted, an Administrator can take ownership of the files and folders to modify permissions by changing the Owner principal in the Advanced settings in Properties.

If you have the permission to modify the security settings in the access control list (ACL), you can add or remove users or groups and then grant or deny a specific permission level. In organizations, you assign permissions to groups rather than to multiple users because this minimizes administrative effort.

Review the acronyms relating to objects that you might use when applying security permissions, as shown in Table.

Name			Acronym	    Description
Access control list	  ACL	    A list of users and groups with
				    permissions on the object

Access control entry	  ACE	    Identifies specific permissions
				    granted to a user or group

Discretionary acccess	  DACL	    Specifies which user has access
control list			    to the object

System access control	  SACL	    Specifies which operations can be
list				    performed by specific users

When assigning permissions to several groups, remember that the security settings have a cumulative effect; you should review the effective permissions obtained for the user by following these steps.

  1. Open Windows Explorer.
  2. Navigate to the file or folder whose effective permissions you want to view.
  3. Right-click the file or folder, click Properties, and click the Security tab.
  4. Click Advanced and then click the Effective Access tab.
  5. Next to the User/Group, click Select A User.
  6. On the Select User Or Group dialog box, click in the Enter The Object Name To Select (Examples) box, enter the name of a user or group, and then click OK.
  7. Click View Effective Access.

You should now see the detailed effective permissions of the user or group for that file or folder.

When configuring permissions for files and folders, you can configure basic or advanced permissions. Unless you are seeking a very fine degree of control to a resource, you typically work with basic permissions and assign them to groups and users, as shown in Table below.

File permission	         Description
Full Control		Complete authority and control of all file or
			folder permissions.

Modify			Ability to read a file, write change to it,
			and modify permissions.

Read &			Ability to see folder content, read files and
Execute			attributes, and start programs.

Read			Ability to read a file but not make any
			changes to it.

Write			Ability to change folder or file content
			and create new files.

Special 		Indication of whether additional advanced
Permissions		permissions have been configured for the 
			file or folder.
Note: Basic and Advanced Permissions
If you are familiar with older versions of Windows, you might notice that Windows 10 uses the modern naming for permissions as follows: Standard Permissions has been changed to Basic Permissions, and Special Permissions has been changed to Advanced Permissions.

Basic permissions are easier to manage and document. Under the hood, a basic permission is made from a combination of individual advanced special permissions. Consider that permissions for folders can have a different effect on files, as described in Table below.


Basic 		Description: When Applied	Description: When Applied
Permission	to a folder			to a file

Full Control	Permits reading, writing	Permits reading, writing
		changing, and deletion of	changing, and deletion of
		files and fubfolders. Allows	the file. Allows modification
		the modification of 		of permissions on files.
		permissions on folders.

Modify		Permits reading, writing,	Permits reading, writing,
		changing, and deletion of 	changing, and deletion of
		files and subfolders. Does	the file. Does not allow
		not allow changes to 		changes to the permissions
		permissions on folders.		on files.

Read &		Allows the content of the	Allows the file to be accessed and
Execute		folder to be accessed and	executed (run).
		executed.

List Folder	Allows the contents of the	Does not apply to files.
Contents	folder to be viewed.

Read		Allows content to be read.	Allows access to the contents.
						Does not allows files to be
						executed.

Write		Allows addition of files and	Allows a user to modify but not
		subfolders to the folder.	delete a file.

Behind the basic permissions is a matrix of 13 advanced permissions that can also be applied to files and folders. Each basic permission is a collection of one or more advanced permissions, as shown in Table below.


Advanced	Full	    Modify    Read &    List Folder    Read    Write
Permission	Control		      Execute	  Contents

Traverse Folder	X	    X	      X		    X		   
/Execute File

List Folder/	X	    X	      X		    X		X
Read Data

Read 		X	    X	      X		    X		X
Attributes

Read Extended	X	    X	      X		    X		X
Attributes

Create Files/	X	    X					 	 X
Write Data

Create Files/	X	    X						 X
Append Data

Write		X	    X						 X
Attributes

Write Extended	X	    X						 X
Attributes

Delete		X	    
Subfolders
and Files

Delete		X	    X						 

Read		X	    X	      X		    X		X	 X
Permission

Change		X
Permissions

Take		X
Ownership

It is recommended to use basic permissions unless there is a clear requirement for setting advanced permissions; otherwise, they can become complex and difficult to troubleshoot. If you do use the advanced permissions, it is best practice to document any modifications so that you can review the configuration and, if necessary, reverse the settings.

Many inexperienced users who configure NTFS permissions can complicate the settings on files by setting advanced permissions, frequently using deny permissions, and setting for individual users instead of for groups. There is a strict canonical order or hierarchy of how Deny and Allow permissions can interoperate, and the general rule is that a Deny setting prevents an Allow setting.

Tip:
Remember the principle of least administration when applying NTFS or ReFS permissions. If you want to prevent a user or group from having any access to a resource, you could set no permissions. If neither Allow nor Deny permission is explicitly configured or inherited on a resource, users are prevented from accessing the file or folder.

Table below to understand the relationship between Deny and Allow settings and how the behavior changes, depending on how the setting is applied.


Permission	Description				Check box
Type						  	Status

Explicit	The user is denied the permission on	Check box is
Deny		the file or folder.			selected.

Explicit 	The user is allowed the permission on	Check box is
Allow		the file or folder.			selected.

Inerited	Deny permission is applied to the file	Check box is
Deny		or fubfolders by virtue of permission	dimmed but
		given to the parent folder.		selected.

Not 		When no permissions are assigned, the	Check box is
Configured	user has no permission to access the	cleared.
		file or folder.

Inherited	Allow permission is applied to the file	Check box is
Allow		or subfolder by virtue of permissions	dimmed but
		given to the parent folder.		selected.
Note: When Allow Overrides Deny
When applying permissions to groups and allowing inheritance, sometimes one group has an explicit Allow setting, and another group has an inherited Deny setting. If a user is a member of both groups, the Allow setting will override the implicit Deny.

Although the majority of administrators will use File Explorer to set individual ACLs for files and folders, you can also use Windows PowerShell or the ICACLS command-line utility.

Windows PowerShell offers two cmdlets that you can use to manage file and folder permissions: Get-Acl and Set-Acl. For additional information and examples of how to use these cmdlets, type Get-Help Get-Acl, or Get-Help Set-Acl.

ICACLS enables you to configure and view permissions on files and folders on a local computer. Some of the most common ICACLS parameters and permission masks are shown in Table below.


Parameter/	    Description
Permission Mask

/grant		    Grants specific user access rights. Permissions replace
		    previously granted explicit permissions.

/deny		    Explicityly denies specified user access rights. An
		    explicit Deny ACE is added for the stated permissions,
		    and the same permissions in any explicit grant are removed.

/reset		    Replaces ACLs with default inherited ACLs for all matching
		    files.

F		    Full access.

M		    Modify access.

RX		    Read and execute access.

R		    Read-only access.

W		    Write-only access.

(OI)		    Object inherit.

(NP)		    Do not propagate inherit.

To grant a permission, use the /grant switch, as the following example on an existing folder named C:\Temp\Working Folder shows.

  1. Open File Explorer.
  2. Navigate to the folder on which you want to set permissions.
  3. Click File and then click Open Command Prompt.
  4. Type the following command.
    Icacls.exe "C:\Temp\Working Folder"\ /grant Demo:(OI)M
  5. Type Icacls.exe "C:\Temp\Working Folder"\ to view the permissions.

Understand NTFS inheritance

Setting NTFS permissions on hundreds of files and folders would take a long time, especially if each setting were configured manually. Fortunately, you don't need to because by default NTFS and ReFS security permissions are inherited from their parent folder.

You can review the inheritance status of a file or folder in File Explorer by following these steps.

  1. Open File Explorer.
  2. Navigate to the folder whose inheritance settings you want to review.
  3. Right-click the file or folder, choose Properties, and click Advanced.
  4. On the Permissions tab, review the permission entries and notice the Inherited From column.
    Disable Inheritance button. If you select this button, you are presented with the following choices.
    • Convert Inherited Permissions Into Explicit Permissions On This Object
    • Remove All Inherited Permissions From This Object

The option to convert inherited permissions to explicit permissions on this object stops inheritance from flowing from the parent folders and changes the permissions on all child items from implicit permissions to explicit permissions. You can then modify the permissions.

If you choose the second option, Remove All Inherited Permissions From This Object, you completely remove all permissions. This provides you with a folder structure with no permissions at all.

Both of these options are powerful. Best practice recommends employing inheritance wherever possible, to ease administration. You should also document and test your outline folder structure before it becomes too large. A big change on a small structure is simple to put in place, whereas modifying a large, established file structure could be cumbersome.

[Previous] [Content] [Next]

In this tutorial:

  1. Configure Windows 10 Data Access and Usage
  2. Configure HomeGroup connections
  3. Configure folder shares
  4. Configure OneDrive
  5. Configure File System permissions
  6. Configure OneDrive usage
  7. Troubleshoot data access and usage