NTFS Permissions
Use NTFS permissions to specify which users and groups can gain access to files and folders, and what they can do with the contents of the file or folder. NTFS permissions are only available on NTFS volumes. The permissions you assign for folders are different from the permissions you assign for files.
You assign folder permissions to control the access that users have to folders and to the files and subfolders that are contained within the folder.
The table below lists the standard NTFS folder and file permissions that you can assign and the type of access that each provides.
NTFS Folder Permissions
NTFS Folder Permission
Allows the User To
Full Control
Change permissions, take ownership, and delete subfolders and files, plus perform actions permitted by all other NTFS folder permissions
Modify
Delete the folder plus perform actions permitted by the Write permission and the Read & Execute permission
Read & Execute
Move through folders to reach other files and folders, even if the users do not have permission for those folders, and perform actions permitted by the Read permission and the List Folder Contents permission
List Folder Contents
See the names of files and subfolders in the folder
Read
See files and subfolders in the folder and view folder ownership, permissions, and attributes (such as Read-only, Hidden, Archive, and System)
Write
Create new files and subfolders within the folder, change folder attributes, and view folder ownership and permissions
NTFS File Permissions
NTFS File Permission
Allows the User To
Full Control
Change permissions and take ownership, plus perform the actions permitted by all other NTFS file permissions
Modify
Modify and delete the file plus perform the actions permitted by the Write permission and the Read & Execute permission
Read & Execute
Run applications plus perform the actions permitted by the Read permission
Read
Read the file, and view file attributes, ownership, and permissions
Write
Overwrite the file, change file attributes, and view file ownership and permissions
Multiple NTFS Permissions
You can assign multiple permissions to a user account by assigning permissions for a resource to an individual user account and to each group of which the user is a member.
Permissions Are Cumulative
A user”s effective permissions for a resource are the sum of the NTFS permissions that you assign to the individual user account and to all of the groups to which the user belongs. If a user has Read permission for a folder and is a member of a group with Write permission for the same folder, the user has both Read and Write permission for that folder.
NTFS Permissions Inheritance
By default, permissions that you assign to the parent folder are inherited by and propagated to the subfolders and files that are contained in the parent folder.
Understanding Permissions Inheritance
Files and subfolders can inherit permissions from their parent folder. Whatever permissions you assign to the parent folder can also apply to subfolders and files that are contained within the parent folder, depending on the inheritance option set for a given object. When you assign NTFS permissions to give access to a folder, you assign permissions for the folder and for any existing files and sub folders, as well as any new files and subfolders that are created in the folder.
Preventing Permissions Inheritance
You can prevent permissions that are assigned to a parent folder from being inherited by subfolders and files that are contained within the folder by setting an inheritance option set for a given object. That is, the subfolders and files will not inherit permissions that have been assigned to the parent folder containing them.
If you prevent permissions inheritance for a folder, that folder becomes the top parent folder. Permissions assigned to this folder will be inherited by the subfolders and files that it contains.
Examples
When users request NT style group area, it will be created on FS1. You can access that machine by browsing through Network Neighborhood, or go to Start, Run and type \\fs1
When Computer Center create a NT style group area, only person who can access that directory is the person who requested it. For instance, if user BANGDM requested a NT style area called cctest, then initially, BANGDM is only person who can access that area. You can view that permission settings from Windows 2000/XP, but not with Windows NT. The following example was done on FS2 instead of FS1 but same concept.
Property shown by NT 4.0 Property shown by Windows 2000/XP
As you expected, user ”bangdm” is only one who can access this directory. If some other user tried to access this directory, following is expected:
The owner of this directory, bangdm, need to add other group members into access control list (ACL). We added JLAB\CCC group and gave following access. Then click Advanced… button and check ”Reset permission on all child objects and enable propagation of inheritable permissions.” (WARNING: Without this check box, members of CCC can not read subdirectory of \\fs2\cctest.)
Those permissions you created on previous step is called, root or parent permission. From now on, every directories or files you create gets the same permission you set from parent. From following drawing, you can see that directory “f1” inherited permission from parent, cctest.
You can, however, manually change child”s permission and become new parent of that directory. You need to Uncheck Allow inheritable permissions from parent to propagate to this object. You will get following security note. click remove if you want to set different permissions.
Now you just became a new parent directory. You can set new permissions that will be propagate to child objects.
IMPORTANT!!
On above step, only people you can add is Group CCC or users who are in CCC, because on the Root directory, only users we listed was Group CCC and user bangdm. If you want different user to be able to access the directory f2, then you need to list him on the root directory with minimal of Read. For example, if you want user name, myung (who is not in the CCC group, to be able to read files in \\fs2\cctest\f4\t1 directory only, permission tree might look like this.