Windows XP / Beginners

Applying Advanced Security Settings

To view and edit NTFS permissions for a file or folder, right-click its icon, choose Properties, and then click the Security tab. This dialog box lists all the groups and users with permissions set for the selected object. As the example, you can assign different permissions to each user-in this case, Katy can read and play (Execute) files in the Music Downloads folder but is forbidden to change existing files (Modify) or create new ones (Write).

In Windows XP, the owner of a file or folder (typically the person who creates the file) has the right to allow or deny access to that resource. In addition, members of the Administrators group and other authorized users can grant or deny permissions. You can add individual users to the list of users and allow or deny specific types of file and folder actions. You can also assign permissions to built-in groups (Administrators, for instance) or create your own groups and assign permissions that way. As we'll explain later in this section, some permissions don't need to be explicitly defined but instead are inherited based on permissions from a parent folder. All permissions are stored in the file system as part of the access control list (ACL).

If the user or group whose permissions you want to edit is already listed at the top of the Security tab, you can select check boxes in the Allow column to add permissions, or clear boxes to remove permissions. Select check boxes in the Deny column only if you want to explicitly forbid certain users from exercising a specific permission. Deny access control entries take precedence over any other permission settings that apply to an account, such as those granted through membership in a group. If you want to completely lock out a specific user or group from access to a selected file or folder, select the Deny check box on the Full Control line.

Tip: Be careful with the Deny box
On the average home or small business computer, resist the temptation to select any of the check boxes in the Deny column on the Security tab. This option is typically used on large, complex networks where many groups of users are defined (individual departments, for example) and administrators want to exercise tight control over sensitive files in specific locations. Unraveling the interactions between Allow and Deny permissions can be a daunting task. On a machine with a handful of users, it's almost always simpler to define permissions by selecting and clearing check boxes in the Allow column.

In most cases, you can safely assign permissions by selecting a user or group name and then selecting one or more of the predefined groups of permissions listed at the bottom of the Security tab. Table below describes the basic function of each of these entries.

How Permissions Control File and Folder Access
PermissionHow It Controls Access to Files and Folders
Full ControlGives the designated user or group full control over the selected file or folder, as the name implies. Selecting this box selects all check boxes below it as well. Users with Full Control can list contents of a folder, read and open files, create new files, delete files and subfolders, change permissions on files and subfolders, and take ownership of files.
ModifyAllows the user to read, change, create, and delete files, but not to change permissions or take ownership of files. Selecting this check box selects all the options listed below it.
Read & ExecuteAllows the user to view files and execute programs. Selecting this check box selects the List Folder Contents and Read boxes as well.
List Folder Contents (folders only)Provides the same individual permissions as Read & Execute and is available only on the Security tab for a folder. The only difference between the two permissions is in the way they are inherited.
ReadAllows the user to list the contents of a folder, view file attributes, read permissions, and synchronize files. This is the most basic permission of all.
WriteAllows the user to create files, write data, read attributes and permissions, and synchronize files.
Special PermissionsIf this permission is selected, the assigned permissions don't match any of the built-in templates shown here. Click the Advanced button to see details.

Note When the Read & Execute permission is applied to a folder, this permission is inherited by all files and subfolders within the folder. The List Folder Contents permission, on the other hand, though functionally identical, is inherited by subfolders but not by files within the folder or subfolders.

To set permissions for a group or user who isn't listed in the Group Or User Names box, follow these steps:

  1. Open the properties dialog box for the file or folder, and click the Security tab.
  2. Click Add.
  3. Type the name in the Select User Or Group dialog box shown here; when entering multiple names, separate them with semicolons. (Note that you must type the user name, which may be different from the full name that appears on the Welcome screen.)
  4. Click Check Names to confirm that you entered the names correctly.
  5. Click OK to return to the Security tab and set permissions for the newly added user(s).

When adding or removing permissions, follow these basic principles:

  • Start from the top and work down. By default, permissions you set on a folder apply to all files and subfolders within that folder.Managing file access is much easier when you have a consistent set of permissions for all files in a location, with exceptions only where needed.
  • Organize shared data files in common locations. If shared data is scattered over multiple drives and folders, it's too easy to inadvertently let permissions get out of sync. Try to consolidate shared data files into a single group of folders. When data is all in one place, you'll find it easier to manage permissions and make proper backups.
  • Use groups whenever possible. This is especially important in a small business setting. Take advantage of the built-in Administrators, Power Users, and Users groups for basic permissions. If you need to define custom permissions so that several users can access files stored in multiple folders, use group-based permissions to simplify the process. Create a new local group and add the users who need access to the files in question. Open the properties dialog box for the first folder, click the Security tab, add the newly created group, and grant the appropriate permissions to that group. Repeat this process for each additional folder. Later, when one member of the group leaves and another one joins, you can change the group membership and automatically update the permissions for all folders without having to go through each folder's properties dialog box again.
  • Steer clear of special permissions. Unless you're a wizard at understanding the interplay of NTFS permissions, resist the temptation to tweak special permissions for individual files or folders. The built-in security settings (Full Control, Modify, Read & Execute) cover most needs adequately.
  • Grant only the level of access that users require. If a specific user needs to read files stored in a certain location, but does not need to create new files or edit existing ones, grant that user only the Read permission. This precaution is especially important to prevent novices and untrained users from wiping out important data files accidentally.
[Previous] [Contents] [Next]