Logo

Advanced NTFS Permissions

This video will look at the advanced permissions available in NTFS. Advanced permissions give the administrator more control over how files and folders can be accessed.

<a class="wp-block-button__link"Download PDF handout
Show lesson content
Advanced/Special Permissions
In older versions of Windows, advanced permissions were referred to as special permissions. There are 14 permissions in total. Depending on whether the permissions are applied at the file or folder level, what effect they have may change. For example, the first permission “List folder/Read Data” when applied at the folder level will allow files to be viewed in the folder, however when applied to a file, will allow the file to be read.

The 6 basic permissions map directly to the 14 advanced permissions. In some cases only one advanced permission maps to one basic permission, in other cases, more than one advanced permission maps to one basic permission. When you select a basic permission, this is essentially selecting the required advanced permissions, however you can press to choose individual advanced permissions if you want.

Example
1) Create a folder on the d drive called Docs

2) Right click the Docs folder, select properties and then select the security tab.

3) To disable inheritance, press the button advanced at the bottom of the security tab and then press the button at the bottom of the Window “Disable inheritance”.

4) When prompted select the option “Remove all inherited permissions from this object”. This will allow us to start with no permissions. An explicit entry will be created which gives all administrators full control

5) To make changes to permissions, select the permission that you want to change and then press the edit button.

6) By default only the basic permissions will be shown, to show the advanced permissions, select the option “Show advanced permissions”.

7) If you select basic permissions, the advanced permissions will automatically change as required. Essentially the Windows interface shows the basic permissions based on what advanced permissions it has enabled.

8) Once the advanced permissions have been selected press o.k. to go back to the previous screen.

9) It is important to notice that when permissions have been added, there will be a column on the far left that says “applies to”. This will indicate which files and folders the permission will affect.

10) To add a new permission, press the add button. When you add a new permission you will need to select the option “Select a principal”. This is the object that the permission will apply to. For example you could select a user or group here.

11) On the screen is also an option, “Only apply these permissions to objects and/or containers within this container”. If this option is ticked, the permission will only be applied to objects in that folder.

12) When permissions are added or removed, Windows will display the permissions based on what is configured. For example, you may add or remove permissions, however the number of lines of permissions shown may not change, but some of the information that is shown may change.

Advanced permissions
List folder/Read Data: If this is applied to a folder, it allows the user to see a list of files and folders in that folder even if the user does not have any permissions to those files or folders. If the permission is applied to a file, this permission gives the user the ability to read the data in that file.

Read attributes: This includes the basic attributes like read-only, hidden, system and archive. If the user does not have this permission, when they open the properties of a file or folder they will not be able to see the data on the general tab.

Read extended attributes: Extended attributes are attributes that are added using software. This is usually done in alternative operating systems and is rare on Windows operating systems.

Read permissions: This allows the user to read permissions that have been assigned to that file or folder. This essentially allows the user to read the information displayed on the security tab. If the user does not have this permission they will not have access to this tab.

Traverse folder/execute file: If this permission is applied to a file, it allows the user to run that file as an executable. If the permission is applied to a folder it allows the user to go through this folder in order to access other folders and files. This permission does not give the user the ability to read or see any data. If this is the only permission applied to a folder, in order for the user to access files or folders they have permission to under this, they need to know the exact path to that file or folder and enter it in manually.
Create files/Write data: This permission, when applied to a folder, allows the user to create files under that folder. If the permission is applied to a file, it gives the user the ability to write to a file.

Write extended attributes: This allows software to create custom attributes. This is a feature that is not used that often in Windows.

Delete: If applied to a file or folder, this allows the user to delete the file or folder.

Delete subfolders and files: This permission can only be applied to folders. This allows the user to delete files and subfolders under that folder. The delete permission is not required in order for the user to delete files and subfolders.

Change permissions: This allows the user to change permissions that are shown on the security tab. If the user has this permission they can essentially give themselves all the other permissions if they wanted to.

Take ownership: This permission allows the user to change the owner of a file or folder. If the user were to change the owner to themselves, Windows allows the owner to change any permission that they want so the user could then change the permissions to anything they wanted once they are the owner of the file.
Full control: This permission gives the user all the other permissions. In other words, gives the user full access to the file or folder.

References
“Installing and Configuring Windows Server 2012 Exam Ref 70-410” pg 78
“NTFS Permissions, Part 2” http://technet.microsoft.com/en-us/magazine/2006.01.howitworksntfs.aspx

Credits

Lesson tags: 70-410-windows-server
Back to: 70-410 Installing and Configuring Windows Server 2012 > Windows File and Share Access

Installing and Configuring Windows Server 2012

Modules

DNS

Lessons