Windows Server 2008 R2 : Configuring Folder Security, Access, and Replication - Implement Permissions

Permissions come in two varieties: share-level permissions and NTFS permissions. If you think about it, this makes perfect sense. When you create a folder in the file system, there is a default set of permissions that are assigned to the folder. The system itself, the user who created the folder, and the local Administrators group on the server where the folder was created all need some level of access to the folder, as shown in Figure 1.

NTFS permissions are assigned when the folder is created but can be edited at any time by a user or group member who has the permission to change permissions on the folder.

NTFS folder permissions come in two types called standard permissions and special permissions. Standard permissions come in the form of Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. Each of these permissions can be either allowed or denied. Because you have the option to allow or deny permissions on a folder in an NTFS file system, you have incredible flexibility over the level of access on a given folder.

Figure 1. Default NTFS permissions

In addition to the standard permissions, there are also special permissions that can be set on each folder or file. Special permissions do more than simply provide access to the folder on which they are applied. They provide the basis for folder ownership as well as the ability to change permissions for a folder and the hierarchy that could exist beneath the folder in the file system.

1. Set Standard NTFS Permissions

Setting or changing standard NTFS permissions is a straightforward process. Follow these steps to get started:

At this point, you can select an existing user or group from the list of users and groups that have existing permissions, or you can click the Add button to add new users or groups to which permissions may be assigned.

You can add users and groups from the local accounts available on the physical machine or from the Active Directory database if the folder resides on a server that is part of an Active Directory forest. In the event that you are interested in removing permissions, you can simply select the user or group account from the list of users and groups and then click the Remove button, as illustrated in Figure 2.

Figure 2. Setting and removing standard NTFS permissions

Please keep in mind that not just anyone can add, change, or remove NTFS permissions on a folder. You need to have permissions to a folder in order to change its permissions. The permissions to change permissions or take ownership of a folder are special permissions.

2. Set Special NTFS Permissions

Like with standard permissions, adding or changing special permissions is a fairly straightforward process. Follow these steps to get started:

At this point, the Advanced Security Settings dialog box for this folder is displayed, as shown in Figure 3.

Figure 3. Advanced Security Settings dialog box

On the Permissions tab, you can click Change Permissions and add, edit, or remove the special permissions. Note the check boxes at the bottom of the window to include inheritable permissions from this object's parent and to replace all child object permissions with inheritable permissions from this object. NTFS file systems have a system of inheritance that is built in to the file system. This means that permissions added higher up in the file system hierarchy can flow down to the folders that are beneath them in the hierarchy. This is valuable when you want to assign permissions to users or groups to a section of the NTFS file system. It can also present some interesting challenges when you are trying to figure out exactly what permissions a given user or group has been granted on a given folder. To help with this issue, you can use the Effective Permissions tab in the Advanced Security Settings dialog box as shown in Figure 4.

Figure 4. Advanced Security Settings dialog box

3. View Effective NTFS Permissions

To view the effective NTFS permissions, follow these steps:

Figure 5. Effective Permissions tab

Notice in Figure 5 that on the Effective Permissions tab you can view both standard and special permissions for the user or group that you select. This can be a very valuable tool to aid you in determining the permissions on an NTFS folder.

4. Take Ownership of an NTFS Folder

By now you may have noticed that a set of default permissions is given to each folder created in an NTFS file system. There is a special set of permissions given to the creator of an NTFS folder. These permissions can be defined as "ownership" of the folder. The owner of the folder has full control of the folder and both its standard and special permissions. The Administrators group is also given special permissions, including the permission to take ownership of the folder. This means that at any given point in time anyone in the Administrators group might choose to take ownership of an NTFS folder and thus take control of its associated permissions. In order to take ownership of a folder, though, you need to have that special permission assigned to your user or group. If you do not have permissions to take ownership of a folder, you cannot simply "force" your way to ownership. By the same token, if you are the owner, you can deny the ability to take ownership to all parties with the exception of yourself. Now that's control!

If you have the permission to take ownership, the process works like this:

Figure 6. Taking ownership

Notice that when you click Edit, the current owner is displayed, and the users or groups that can take ownership are displayed in the Change Owner To box. It is also important to consider the Replace Owner On Subcontainers And Objects check box. If you take ownership of a folder, you also have the option to take ownership of the folders beneath it in the hierarchy. This may be desirable if your intent is to take control of a section of the file system.