CIS 170F: Windows 7 Administration

Week 5

Managing File Systems
File and Folder Permissions
NTFS Standard Permissions

  • All versions of Windows 7, including Home Basic and Home Premium, use the NTFS (NT File System) file system. NTFS lets you control who is permitted to access files and folders on a per-user or per-group basis. NTFS permissions can be used to control access for either local folders or network shares.
  • With Windows 7, NTFS is mandatory for installation (and also restoration), and the security settings can be viewed and modified on all versions of Windows 7. Therefore, all Windows 7 users should understand how NTFS file permissions work.
  • To display or modify NTFS permissions, select a file or folder in Computer or Windows Explorer, right-click it, choose Properties, and select the Security tab. You can use the NTFS Permissions dialog box to restrict access to a folder for both network and local users.
  • In the top part of the Security tab is the list of users or user groups with access to the file or folder. You can select any of the names in the list to view their associated permissions in the bottom half of the tab.
  • To add users to a file's or folder's permissions list, follow these steps:
    1. Right-click the file or folder in Explorer and choose Properties, then open the Security tab.
    2. Under the Group or User Names list, click the Edit button. The Permissions dialog box opens to a new Security tab.
    3. Under the Group or User Names list, click the Add button. The Select Users or Groups dialog box appears.
    4. Enter the desired username(s) into the input box provided. You can check your names against the computer's user accounts by clicking the Check Names button.
    5. With the newly added user account(s) highlighted in the Group or User Names list, select the desired permissions. You can choose to allow or deny a variety of actions for a given user or group. Click Apply and then click OK.
    6. Click OK again to close the Properties dialog box.
  • The permission properties can each be granted or revoked individually.

| Permission | How it's used | Used with |
|---|---|---|
| Full Control | Grants full control over the selected file or folder. Permits reading, writing, changing, and deleting files and subfolders. Also permits changing permissions, deleting files in the folder regardless of their permissions, and taking ownership of a folder or a file. Selecting this permission selects all the other permissions as well. | Files and folders |
| Modify | Permits reading, writing, changing, and deleting a file or folder. With folders, permits creating files and subfolders, but does not allow taking ownership of a file or folder. Selecting this permission selects all the permissions below it. | Files and folders |
| Read & Execute | Permits executing files. With folders, permits viewing and listing files and subfolders as well as executing files. If applied to a folder, this permission is inherited by all files and subfolders within the folder. Selecting this permission selects the List Folder Contents and Read permissions as well. | Files and folders |
| List Folder Contents | Permits viewing and listing files and subfolders as well as executing files. Inherited only by subfolders and not by files within the folder or its subfolders. | Folders only |
| Read | Permits viewing and listing the contents of a file or folder. Permits viewing file attributes, reading permissions, and synchronizing files. Read is the only permission needed to run scripts. Read access is required to access a shortcut and its target. | Files and folders |
| Write | Permits creating new files in folders and writing data to existing files. Permits viewing file attributes, reading permissions, and synchronizing files. Doesn't prevent deleting a folder or file's contents. | Files and folders |

  • Note that each permission has both Allow and Deny check boxes. To get access to a given resource, a user must be explicitly listed with Allow checked or must belong to a listed group that has Allow checked, and must not be listed with Deny access or belong to any group with Deny marked. Deny preempts Allow.
  • All these permissions are additive. In other words, Read and Write can both be checked to combine the properties of both. Full Control could be marked Allow but Write marked Deny to give all access rights except writing. (This permission would be strange but possible.)
  • The most productive use of NTFS file permissions is to assign most rights by group membership. One exception is with user home directories or profile directories, to which you usually grant access only to the Administrators group and the individual owner.
  • Editing NTFS file permissions is protected by UAC (unless you've disabled it). So, expect to see a lot of prompts to Continue (if you're an Administrator) or to provide an Administrator password (if you're a standard user) when you perform these operations.
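
The add-user steps and the Allow/Deny rules above, as a scripted PowerShell equivalent. This is an added example, not part of the original course page. The scratch folder name and the use of the current account are assumptions, and the net-rights calculation only reads entries that name the account directly, not entries for its groups.

```powershell
# Added example: scripted form of the Security-tab steps on a scratch folder.
# Assumptions: the folder name below and the use of the current account.
$folder = Join-Path $env:TEMP 'ntfs-demo'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Build one permission entry that applies to the folder, its subfolders and files.
function New-Rule([string]$Identity,
                  [System.Security.AccessControl.FileSystemRights]$Rights,
                  [System.Security.AccessControl.AccessControlType]$Type) {
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $inherit, $none, $Type
}

# Steps 3-5: add the account, check Allow for Full Control, check Deny for Write.
$acl = Get-Acl -Path $folder
$acl.AddAccessRule((New-Rule $who 'FullControl' 'Allow'))
$acl.AddAccessRule((New-Rule $who 'Write' 'Deny'))
Set-Acl -Path $folder -AclObject $acl    # equivalent of clicking Apply, then OK

# Show the same list the Security tab displays (inherited entries included).
(Get-Acl -Path $folder).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize |
    Out-String

# Allow entries are additive; any Deny bit is then removed from the result.
$allow = 0; $deny = 0
foreach ($ace in (Get-Acl -Path $folder).Access) {
    if ($ace.IdentityReference.Value -ne $who) { continue }
    if ($ace.AccessControlType -eq 'Deny') { $deny  = $deny  -bor [int]$ace.FileSystemRights }
    else                                   { $allow = $allow -bor [int]$ace.FileSystemRights }
}
$net = [System.Security.AccessControl.FileSystemRights]($allow -band (-bnot $deny))
"Net rights for ${who}: $net"

# Confirm the behaviour: creating a file needs Write, which is denied.
try {
    Set-Content -Path (Join-Path $folder 'test.txt') -Value 'x' -ErrorAction Stop
    'Write succeeded'
} catch {
    'Write blocked: Deny preempted Allow'
}

# Deleting is not part of Write, so the scratch folder can still be removed.
Remove-Item -Path $folder -Recurse -Force
```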
