Applying Permissions to Subfolders Through Inheritance
Files and subfolders can inherit permissions from a parent folder. By default, any new permissions you assign to a folder are passed on to subfolders as well. Thus, when you create a new subfolder in your My Documents folder, it inherits the permissions you've set for your profile. If you made your user profile private, the new subfolder and any files you create or store within it will be private as well.
You can prevent permissions from being inherited by changing the inheritance options for a folder. You can specify that subfolders or files (or both) no longer inherit permissions that have been assigned to the parent folder containing them. Instead, only permissions you explicitly apply to files and subfolders will apply.
To see the inheritance options for a selected folder, right-click the folder icon, choose Properties, and then click the Security tab. Click Advanced to display the Advanced Security Settings dialog box. The Inherited From column in the Permission Entries list shows the parent folder from which a given set of permissions is inherited. For example, the Everyone group inherits Full Control permissions from the ACL on the root folder of drive E, whereas the other permissions, designated as <not inherited>, have been applied directly to this folder.
In this example, the inherited permissions are getting in the way of the tight security we want to apply to this folder. To remove the inherited permissions, clear the Inherit From Parent The Permission Entries That Apply To Child Objects check box. You see the following dialog box, which warns you to specify how you want to reset the permissions on the selected folder.
Choose one of the following three options:
- Copy: This option copies the permissions from the parent folder to the current file or folder and then breaks the inheritance link to the parent folder. After choosing this option, you can adjust the permissions to suit your security needs.
- Remove: This option removes any permissions that were inherited, keeping only those permissions that you've explicitly assigned to the file or folder.
- Cancel: This option closes the warning dialog box and leaves the inheritance options intact.
When you remove inherited permissions from a folder, it becomes a new top-level folder. By default, any permissions you assign to this folder ripple down the hierarchy of subfolders and to files within those subfolders as well.
For an excellent illustration of how these settings all work together, look at the permissions on your user profile after you choose the Simple File Sharing option to make the folder private. Using Simple File Sharing, click the Make This Folder Private option, and then turn off Simple File Sharing. When you click the Advanced button on the Security tab of the "private" folder, you'll see that the Inherit From Parent The Permission Entries That Apply To Child Objects check box has been cleared and that the permissions on the folder now include only the System account and your user account, both with Full Control permissions. The net effect is to block out every user except you.
In some cases, you may want to apply two or more sets of permissions to the same folder for the same group, with each set of permissions having different inheritance settings. For instance, say that you and several coworkers on a shared computer are working on a top-secret project. You've set up a shared folder called Project X Files for use by everyone who has an account on your computer. In the main folder, you've stored a handful of document templates that you want members of the team to use when creating new documents; you've also set up subfolders to hold files that are currently being worked on.
In this scenario, you might want the Everyone group to have Read & Execute access to files within a top-level folder, and Full Control over subfolders. Using this arrangement of permissions, you can allow users to open templates stored in the top-level folder, while protecting those templates from accidental changes or deletions. By using a different set of permissions on subfolders, you can allow users to create new files and modify previously saved documents. To apply permissions with this level of fine-grain control, follow these steps:
- Open the properties dialog box for the top-level folder you want to adjust (Project X Files, in this example), and click the Security tab. Then click Add.
- In the Select Users Or Groups dialog box, enter Administrators and click OK.
- Choose Administrators from the Group Or User Names List at the top of the properties dialog box, and then select the Allow box to the right of the Full Control entry in the Permissions list. Click Add again.
- This time, enter Everyone in the Select Users Or Groups dialog box and click OK.
- Choose Everyone from the Group Or User Names List, and then select the Allow box to the right of the Read & Execute entry in the Permissions list.
- Click the Advanced button to open the Advanced Security Settings dialog box.
- If necessary, clear the Inherit From Parent The Permission Entries That Apply To Child Objects check box (and then select Copy when the security warning appears).
- Select the entry for Everyone, and click the Edit button to open the Permission Entry dialog box. Open the Apply Onto list, choose This Folder And Files, and click OK.
- From the Advanced Security Settings dialog box, click Add.
- In the Select User Or Group dialog box, enter Everyone and click OK.
- In the Permission Entry dialog box, check the Full Control box, choose Subfolders Only from the Apply Onto list, and then click OK.
With these settings, you and other members of the Administrators group can add and change files in the main folder; you can also add subfolders. All other users can view and open files in the main folder but can't create new files, change existing files, or delete files or subfolders. They can, however, save files in the subfolders you create.
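The same set of entries can be scripted. The following PowerShell sketch is an added example, not part of the original tutorial, and maps each Apply Onto choice from the steps above to the inheritance and propagation flags of a file system access rule. The path C:\Project X Files, the Drafts subfolder and the helper name New-AllowRule are assumptions; run it from an elevated prompt.

```powershell
# Assumption: the drive and path are illustrative; the page names only "Project X Files".
$path = 'C:\Project X Files'
New-Item -ItemType Directory -Path $path -Force | Out-Null

# Equivalent of clearing "Inherit From Parent..." and choosing Copy:
# the first argument protects the ACL from the parent, the second keeps
# the previously inherited entries as explicit copies.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $path -AclObject $acl

# Helper (hypothetical name) that builds one Allow entry.
function New-AllowRule($Identity, $Rights, $Inherit, $Propagate) {
    $ruleArgs = $Identity, $Rights, $Inherit, $Propagate, 'Allow'
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
}

# Re-read the ACL so the copied entries are explicit and can be replaced.
$acl = Get-Acl -Path $path

# Administrators: Full Control on this folder, subfolders and files.
$acl.SetAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))

# Everyone: Read & Execute, Apply Onto "This Folder And Files".
# SetAccessRule replaces any existing explicit Allow entries for Everyone.
$acl.SetAccessRule((New-AllowRule 'Everyone' 'ReadAndExecute' 'ObjectInherit' 'None'))

# Everyone: Full Control, Apply Onto "Subfolders Only".
# InheritOnly keeps this entry from applying to the top-level folder itself;
# AddAccessRule adds it alongside the previous Everyone entry instead of replacing it.
$acl.AddAccessRule((New-AllowRule 'Everyone' 'FullControl' 'ContainerInherit' 'InheritOnly'))

Set-Acl -Path $path -AclObject $acl

# Check: list the entries on the folder and on a newly created subfolder.
# Entries on the subfolder should report IsInherited = True.
$sub = New-Item -ItemType Directory -Path (Join-Path $path 'Drafts') -Force
foreach ($p in $path, $sub.FullName) {
    "ACL for $p"
    (Get-Acl -Path $p).Access |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited -AutoSize
}
```

Because the Copy step keeps the parent's entries as explicit ones, review the listing for any copied entries (other than Everyone and Administrators) that grant more access than you intend.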
What's the advantage of using inherited permissions in this fashion? Each time you create a subfolder, Windows automatically applies the proper permissions to it, using the inheritance settings you defined. Without these settings, you would be forced to define permissions from scratch for each new subfolder. That's a lot of needless work, with the potential for errors and inconsistencies. More important, if you decide to change the permissions later (for instance, changing the Full Control permission for subfolders from the Everyone group to a more limited group of users), you can make a single change and have the changes apply to all the child folders automatically.