Troubleshooting Permissions Problems
NTFS permissions are straightforward and uncomplicated when the Simple File Sharing interface is enabled. In this configuration, users do not have the ability to manipulate file and folder access controls directly. You can select one or more folders within your user profile and make those locations private, but no other security settings are available for customization. With Simple File Sharing enabled, when you move or copy files or folders from a folder you've made private into any other location on an NTFS volume, the moved or copied objects take on the security attributes of the destination folder; in most cases, that means they're freely available to all other users. When you drag a file out of your private My Documents folder and drop it into the Shared Documents folder, for instance, that file is accessible by all other users of the local computer. Conversely, when you move a file from the Shared Documents folder into your private My Documents folder, it becomes a private file accessible only to you.
But if you disable Simple File Sharing and work directly with NTFS permissions, ordinary file management tasks can have unintended and confusing consequences. In fact, even when a user has been granted Full Control permissions for a given folder, he or she may encounter an "access denied" error message when trying to open, rename, delete, or copy a file or folder.
To understand why this problem occurs, you need to understand what happens when you move or copy files or folders from one location to another. During the move, the permissions for the files or folders may change. With Simple File Sharing disabled, Windows XP follows a strict set of rules when applying permissions during a move or copy operation. Note the different results that apply depending on whether you're moving or copying the object and whether the destination is on the same drive or on a different drive:
- When you copy a file or folder to an NTFS drive, the newly created folder or file takes on the permissions of the destination folder, and the original object retains its permissions. This is true regardless of whether the destination is on the same NTFS drive as the original file or on a separate NTFS drive. You become the Creator Owner of the new file or folder, which means you can change its permissions.
- When you move a file or folder within a single NTFS drive, the moved folder or file retains its original permissions and you become the Creator Owner.
- When you move a file or folder from one NTFS drive to another, the moved folder or file picks up the permissions of the destination folder and you become the Creator Owner.
- When you copy or move a file or folder from a FAT32 drive to an NTFS drive, the newly created folder or file picks up the permissions of the destination folder and you become the Creator Owner.
- When you copy or move a file or folder from an NTFS drive to a FAT32 drive, the moved or copied folder or file in the new destination loses all permission settings, because the FAT32 file system is incapable of storing these details.
When Simple File Sharing is disabled, you may discover, after dragging a file from your My Documents folder into the Shared Documents folder, that other users are unable to access that file. This result will occur if the following conditions apply:
- The drive that contains the Documents And Settings folder is formatted using the NTFS file system.
- You've made your entire user profile private (as you were prompted to do when you added a password to your account).
- You've created a group of files (or a subfolder) in your My Documents, My Music, or My Pictures folder, and you want to share those files with other users by dragging them to the Shared Documents folder.
Because both locations are on the same NTFS-formatted drive, dragging any file or folder from your user profile to the Shared Documents folder moves the selected object without making any changes to its access control list. As a result, other users can see the icon for the file or folder but are greeted with an "access denied" error message when they double-click it. Frustrating, isn't it? The solution to this dilemma is simple. If you've disabled Simple File Sharing, never move a file from your personal profile to a shared location. Instead, get in the habit of copying the file. The new copy inherits the permissions from the destination folder (Shared Documents), and is therefore available to every user. After copying the file or folder, you can safely delete the original from your private folder.
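An added example, not from the original text: a PowerShell audit that lists files in a shared folder that lack an Allow entry for an identity the folder passes down to new files, which is what a file moved in (rather than copied) looks like. It assumes PowerShell 3.0 or later on the machine that holds the folder; the function name `Find-StaleAcl` and the path `C:\Shared` are hypothetical.

```powershell
# Added example (not from the original text). Find-StaleAcl is a hypothetical name.
# Reports files whose ACL has no Allow entry for an identity that the parent
# folder hands down to newly created files. It checks presence only, not the
# level of access granted.
function Find-StaleAcl {
    param(
        [Parameter(Mandatory)]
        [string]$Folder   # shared folder to audit; the caller supplies the path
    )

    $sidType       = [System.Security.Principal.SecurityIdentifier]
    $objectInherit = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $allow         = [System.Security.AccessControl.AccessControlType]::Allow
    # CREATOR OWNER and CREATOR GROUP are placeholders that are replaced by a
    # real SID when a file is created, so they never appear on the file itself.
    $placeholders  = 'S-1-3-0', 'S-1-3-1'

    # SIDs the folder grants access to and marks as inheritable by files.
    $expected = @((Get-Acl -LiteralPath $Folder).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq $allow -and
            (($_.InheritanceFlags -band $objectInherit) -eq $objectInherit) -and
            $placeholders -notcontains $_.IdentityReference.Value
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Select-Object -Unique)

    Get-ChildItem -LiteralPath $Folder -File | ForEach-Object {
        $file = $_
        $acl  = Get-Acl -LiteralPath $file.FullName
        # SIDs that hold any Allow entry (explicit or inherited) on this file.
        $present = @($acl.GetAccessRules($true, $true, $sidType) |
            Where-Object { $_.AccessControlType -eq $allow } |
            ForEach-Object { $_.IdentityReference.Value })
        $missing = @($expected | Where-Object { $present -notcontains $_ })
        if ($missing.Count -gt 0) {
            [pscustomobject]@{
                Path        = $file.FullName
                Owner       = $acl.Owner
                MissingSids = $missing -join ', '
            }
        }
    }
}

# Hypothetical path; substitute the shared folder on your system.
Find-StaleAcl -Folder 'C:\Shared' | Format-Table -AutoSize
```

Each row is a file that other users can see but probably cannot open; replacing it with a copy made into the folder gives it the folder's permissions.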
Another common cause of permission problems has an equally simple solution. After you add a user account to a group that has been assigned permissions for a file or folder, the user must log off and log back on to have access to the files.
Tip: Don't overlook inherited permissions
When trying to sort out why a user is having problems accessing a given file or folder, look first in the Advanced Security Settings dialog box. Pay particular attention to the Inherited From column in the Permission Entries list. The data here will often show you the exact source of an unexpected permission problem.