File Permissions
The owner of a file is simply who owns the file, but without permissions, the owner is fairly meaningless other than for quota purposes. Who gains access to a file is determined by the security on files and folders, not ownership. Security on files and folders is viewed and managed via the Security tab of the file Properties. This is most easily accessed via Explorer. The Security tab displays a dialog listing any users or groups with explicit permissions both allowing and denying access.
The Security tab displays the users who have permissions on a file. In this case, Achilles has explicit deny read access, which takes precedence over any allow permissions.
A number of basic permissions are available for each user or group:
- Full control: Users can modify, add, move, and delete files and their associated properties and directories. In addition, users can change permission settings for all files and subdirectories, including ownership.
- Modify: Users can view and modify files and file properties, including deleting and adding files to a directory or file properties to a file.
- Read and execute: Users can run executable files, including scripts.
- Read: Users can view files and file properties.
- Write: Users can write to a file.
Folders have an additional List Folder Contents permission that allows the objects' names in the folder to be traversed.
One important item to remember is that a deny always takes precedence over an allow. If a user is a member of a group that has permissions to read a file but is also a member of a group that has deny read permission, the user is not able to read the file. Apart from denies, permissions are cumulative. If a user is a member of a group that has read permissions and of another group that has modify permissions, the user has both read and modify access.
Special permissions allow more complex combinations of access and control inherited permissions. Inheritance means that permissions on a folder are automatically applied to any new object (file or folder) created within. Additional permissions beyond those inherited can be set on an object. This brings an exception to the "a deny always takes precedence over an allow" rule. Inherited permissions have a different order of precedence. Permissions are checked in the following order and when a match for the user is found, the user is either granted or denied access:
- An explicit deny
- An explicit allow
- An inherited deny
- An inherited allow
This order means that an explicit allow on a file would override a deny that was inherited. For example, if a folder had deny set for a group and a file within the folder had explicit allow for the group, the members of that group would have access to the file.
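The evaluation order above can be traced with a small model. The following is an added example, not code from the original tutorial: a simplified Python simulation of the check, in which the trustee names other than Achilles and the bit flags are constructed for illustration and are not the real Windows access-mask values.

```python
from dataclasses import dataclass

# Illustrative bit flags for this model; not the real Windows access-mask values.
READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8

@dataclass(frozen=True)
class Ace:
    trustee: str     # user or group the entry applies to
    allow: bool      # True = allow entry, False = deny entry
    rights: int      # bitmask built from the flags above
    inherited: bool  # True if the entry came from the parent folder

def canonical_order(dacl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))

def check_access(dacl, user, groups, wanted):
    """True only if every requested right is granted before any is denied."""
    identities = {user, *groups}
    remaining = wanted
    for ace in canonical_order(dacl):
        if ace.trustee not in identities:
            continue
        if not ace.allow and ace.rights & remaining:
            return False              # first matching deny ends the check
        if ace.allow:
            remaining &= ~ace.rights  # allows accumulate across groups
        if remaining == 0:
            return True
    return False                      # never fully granted: implicit deny

# Constructed sample ACLs mirroring the cases described in the text.
EXPLICIT_DENY = [Ace("Staff", True, READ, False),
                 Ace("Achilles", False, READ, False)]
CUMULATIVE = [Ace("Readers", True, READ, False),
              Ace("Editors", True, WRITE, False)]
ALLOW_OVER_INHERITED_DENY = [Ace("Sales", False, READ, inherited=True),
                             Ace("Sales", True, READ, inherited=False)]

if __name__ == "__main__":
    print(check_access(EXPLICIT_DENY, "Achilles", {"Staff"}, READ))
    print(check_access(CUMULATIVE, "Helen", {"Readers", "Editors"}, READ | WRITE))
    print(check_access(ALLOW_OVER_INHERITED_DENY, "Paris", {"Sales"}, READ))
```

When auditing a share, the third case is the one to look for: a deny set on a parent folder does not protect a child object that carries its own explicit allow.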
To access special permissions, click the Advanced button on the Security tab and then select the Effective Permissions tab of the Advanced Security Settings dialog. Each permission on the object is displayed, along with whether the permission is explicitly defined on the object or inherited from the parent.
If the Edit button in the Advanced Security Settings dialog is selected, new permissions can be added and existing permissions can be modified and removed. A larger number of options are available if you change permissions via this advanced view. The advanced permission screen is shown. The additional advanced permissions are the following:
- Traverse folder/execute file: Users can navigate through folders to reach other files or folders, even if they have no permissions for the traversed files or folders. By default this is not required because the Bypass Traverse Checking user right is assigned via group policy to everyone.
- List folder/read data: Users can view a list of a folder's contents and data files.
- Read attributes: Users can view the attributes, such as read-only and hidden, of a file or folder.
- Read extended attributes: Users can view the extended attributes of a file or folder.
- Create files/write data: The Create Files permission applies to folders and allows users to create files within the folder. The Write Data permission applies to files and allows users to make changes to the specified file and overwrite existing content.
- Create folders/append data: The Create Folders permission allows users to create folders within a folder. The Append Data permission applies to files only and allows users to make changes to the end of the file, but it does not grant change, delete, or overwrite permissions for the existing data.
- Write attributes: Users can change the attributes, such as read-only or hidden, of a file or folder.
- Write extended attributes: Users can change the extended attributes of a file or folder.
- Delete: Users can delete the file or folder.
- Read permissions: Users have read permissions on the file or folder.
- Change permissions: Users have change permissions on the file or folder.
- Take ownership: Users can take ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.
Along with the various security options on an object, you can stop permissions inheritance from an object's parent by unselecting the Include Inheritable Permissions from this Object's Parent check box. If this is unchecked, a dialog box is displayed that gives the option to copy or remove the permissions that have been inherited or to cancel the operation altogether.
The final issue with basic permissions is how they work when copying or moving data. If you move a file, its explicit permissions remain. Any inherited permissions are replaced with those of the new parent folder. If you move a folder between volumes, this is a copy-and-delete operation. Any explicit permissions are lost, and the permissions are those inherited from the new parent folder.
If you want to copy a file and maintain its permissions and ownership information, use the XCOPY command with the /o switch.
Numerous commands query permissions from the command line. To list all files that a user has permissions defined on, use the icacls command. The icacls command has the capability to back up and restore Access Control Lists (ACLs) on entire directory structures to a file. It can also swap security identifiers (SIDs) in ACLs or just find all entries that contain a certain SID.
Full information on using the utility can be found by running icacls /?. This command also gives examples for using the various functions of the icacls command.