Before you start
Objectives: Learn how to properly manage NTFS permissions and their inheritance, how to configure special (advanced) permissions, and how to check effective permissions in Windows 7.
Prerequisites: you have to know what NTFS permissions are.
Key terms: NTFS, permissions, files and folders, Windows 7, special permissions, effective permissions, permission configuration
For this demonstration we have created an “NTFS demo” folder on our C partition. Inside that folder we have three subfolders: “Admins”, “Kim Verson”, and “Marko”.
Subfolders in “NTFS demo” folder
In our case, we want to allow access to certain folders only for specific users. For example, only computer administrators should have access to the “Admins” folder. Only administrators and Kim Verson should have access to the “Kim Verson” folder, and only administrators and user Marko should have access to the “Marko” folder.
As you should already know, child objects (files and folders) inherit permissions from their parent by default. So, in our case, the “NTFS demo” folder will by default inherit permissions from the C drive. Let’s check this out. We will right-click the “NTFS demo” folder, go to its properties, open the Security tab, and then click on the Advanced button.
Inherited From Column
Notice that the option “Include inheritable permissions from this object’s parent” is checked by default. Also, notice that permissions are inherited from “C:\”. The next thing we should do on the “NTFS demo” folder is remove inheritance. This way, our new permissions won’t be affected by the permissions set on the C drive. To remove inheritance, we click on the “Change Permissions…” button on the Advanced window, and then uncheck the box for the “Include inheritable permissions from this object’s parent” option. When we do that, the Windows Security window will appear.
At this point we have two options. We can keep all current permissions on that folder and then work with them, or we can remove all current permissions and set new ones from the beginning. The recommended thing to do is to Add the current permissions, which makes all currently inherited permissions explicit. This way we know which permissions were previously set on the object. When we do that, notice the “Inherited From” column. It changed from “C:\” to “<not inherited>”, which is what we want for the “NTFS demo” folder.
Now we can manually make changes to permissions on the “NTFS demo” folder, and permissions on the C drive won’t affect them. But what about subfolders in the “NTFS demo” folder? Let’s check the Security tab for the “NTFS demo” folder and for one subfolder, for example, “Admins”.
Explicit and Inherited Permissions
Notice that the Allow column for the “NTFS demo” folder has black check marks, while the “Admins” folder has check marks which are grayed out. This means that permissions for the “Admins” folder are inherited. Let’s click on the Advanced button on the Security tab for the “Admins” folder.
Admins Folder Inheritance
Notice that subfolders in the “NTFS demo” folder now inherit permissions from the “NTFS demo” folder itself.
Now we have one problem concerning inheritance. All subfolders in the “NTFS demo” folder have the same permissions as the “NTFS demo” folder. This is a problem because if we check permissions on the “NTFS demo” folder, we will see that all users have access to that folder, and since subfolders inherit those permissions, all users will have access to all subfolders in the “NTFS demo” folder, which is not what we want. Because of that, we have to modify permissions on the “NTFS demo” folder. First, we will remove all permissions except for the Administrators group, which can have full control. Our permissions on the “NTFS demo” folder now look like this.
If we only leave it like this, only administrators will have access to the “NTFS demo” folder and its subfolders. Since all users have to go through “NTFS demo” first to get to their own folder, we also have to ensure that other users can list the “NTFS demo” folder content. Note that we also have to ensure that they don’t have access to all subfolders in the “NTFS demo” folder, but only to their specific subfolder. For this to happen, we will add permissions for the “Authenticated Users” group again and give it the “Read & Execute” permission. The Authenticated Users group contains all users who log on to the machine. We should always use the Authenticated Users group instead of the Everyone group, since users then have to at least authenticate to get access. The Everyone group will enable access for anonymous users as well.
Authenticated Users Group Added Back
If we leave it like this, this permission will again be propagated to all child objects in the “NTFS demo” folder. We have to change that and set this permission for the “NTFS demo” folder only. For this we click on the Advanced button on the Security tab and check the “Apply To” column. Notice that the permission currently applies to “This folder, subfolders and files”.
Apply To Column
To change this we will click on the “Change Permissions…” button, and double-click on the permission entry for “Authenticated Users”. In the “Permission Entry for NTFS demo” window, we will change the “Apply to” option to “This folder only”.
Apply To Propagation Option
When we do that, the permission for the Authenticated Users group will only be applied to the “NTFS demo” folder, and not to its subfolders. This way we ensure that all users can access the “NTFS demo” folder, but not the individual subfolders.
So, the next thing to do is give explicit permissions to a specific user for a certain subfolder in the “NTFS demo” folder. For example, we will give the Modify permission to user Kim Verson for the subfolder “Kim Verson”. Remember that the maximum permission we should give to ordinary users is the Modify permission. The difference between the “Full control” and “Modify” permissions is that users with “Modify” won’t be able to take ownership of the object or change its permissions.
Kim Verson Explicit Permissions
To conclude, we have enabled access for all users to the “NTFS demo” folder by using the Authenticated Users group, whose permission is not propagated to subfolders. Administrators have full control on the “NTFS demo” folder, and this permission is propagated to all child objects (files and folders) in the “NTFS demo” folder. We have set explicit permissions for specific users so that they can access their own subfolder (additional explicit permissions can be added even when inheritance is enabled).
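The same configuration as an added example done from an elevated PowerShell prompt with icacls (built into Windows 7); this is not part of the original tutorial. It assumes the folder is C:\NTFS demo and that “Kim Verson” is a local user account; unlike the walkthrough above, it leaves the SYSTEM entry in place.

```powershell
# Added example, not from the original page. Assumed path and account names.
$Root = 'C:\NTFS demo'

# 1. Uncheck "Include inheritable permissions from this object's parent" and choose Add:
#    /inheritance:d disables inheritance and copies the inherited entries as explicit ones,
#    so the "Inherited From" column reads "<not inherited>".
icacls $Root /inheritance:d

# 2. Remove the entries that gave ordinary users access (inherited from a default C:\).
#    Assumption: SYSTEM is kept here so backup and service accounts keep working.
icacls $Root /remove:g 'Authenticated Users'
icacls $Root /remove:g 'Users'

# 3. Administrators: Full control, "This folder, subfolders and files" = (OI)(CI).
#    /grant:r replaces any previous explicit grant for that principal.
icacls $Root /grant:r 'Administrators:(OI)(CI)F'

# 4. Authenticated Users: Read & Execute with no (OI)/(CI) flags = "This folder only",
#    so it is not propagated to the per-user subfolders.
icacls $Root /grant:r 'Authenticated Users:RX'

# 5. Kim Verson: Modify on her own subfolder, propagated to everything inside it.
icacls "$Root\Kim Verson" /grant:r 'Kim Verson:(OI)(CI)M'

# 6. Check the result. On the subfolders, Administrators should show IsInherited = True,
#    Authenticated Users should be absent, and InheritanceFlags on the root entry for
#    Authenticated Users should be None (the GUI's "This folder only").
foreach ($Path in @($Root, "$Root\Admins", "$Root\Kim Verson")) {
    Write-Output "== $Path"
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited, InheritanceFlags |
        Format-Table -AutoSize
}
```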
As you should know, the 6 standard NTFS permissions are actually collections of more granular, special NTFS permissions. For most situations, standard permissions provide enough control. In some situations we might need more specific NTFS permissions. In fact, we already used special permissions when we set the propagation level of a permission in the previous example. The propagation level is configured using the “Apply to” option in the advanced permission configuration. We have several options here, like “This folder only”, “Subfolders and files only”, “Files only”, etc.
We can also configure special permissions for users in a way that they can only create new objects, but can’t delete them (or vice versa 😉 ). For example, let’s add a special permission for user Marko on the subfolder “Marko”, so that he can only add new files and folders, but can’t delete them. For that we will go to the Security tab and add user Marko with the “Read & Execute” permission. Next, we will click the Advanced button, then click on the “Change Permissions…” button, and click on the Edit button for the Marko entry. Here, we will see that some special permissions are already selected because we gave the Read & Execute permission previously. So, for the user to be able to add new objects, we also have to select the permissions “Create files / write data”, “Create folders / append data”, “Write attributes”, and “Write extended attributes”. Since we don’t want to allow the user to delete files and folders, we won’t select the permissions “Delete subfolders and files” and “Delete”.
Special Permissions Example
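The same special-permission entry for Marko as an added example using icacls specific rights, one code per check box in the Permission Entry dialog, followed by a check that neither delete right ended up in the entry (not from the original tutorial; assumes C:\NTFS demo\Marko and a local account named Marko).

```powershell
# Added example, not from the original page. Assumed path and account name.
$Marko = 'C:\NTFS demo\Marko'

# icacls specific rights mapped to the dialog's special permissions:
#   X   Traverse folder / execute file     RD  List folder / read data
#   RA  Read attributes                    REA Read extended attributes
#   RC  Read permissions                   S   Synchronize
#   (those six are what ticking "Read & Execute" selects)
#   WD  Create files / write data          AD  Create folders / append data
#   WA  Write attributes                   WEA Write extended attributes
# Deliberately absent: D (Delete) and DC (Delete subfolders and files).
# (OI)(CI) = "This folder, subfolders and files", so objects Marko creates inherit this same entry.
icacls $Marko /grant:r 'Marko:(OI)(CI)(X,RD,RA,REA,RC,S,WD,AD,WA,WEA)'

# Verify without trusting the dialog: read back Marko's single explicit entry and make sure
# it carries neither delete right.
$Rule = (Get-Acl -Path $Marko).Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like '*\Marko' } |
    Select-Object -First 1
$DeleteRights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
if (($Rule.FileSystemRights -band $DeleteRights) -eq 0) {
    "OK: Marko has '$($Rule.FileSystemRights)' and no delete right"
} else {
    "WARNING: delete rights present: $($Rule.FileSystemRights)"
}
```

Because Windows always lets the owner of an object change that object's permissions, and Marko owns whatever he creates, treat this entry as protection against accidental deletion rather than a hard boundary.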
To check the effective permissions for a specific user or group, we can go to the Effective Permissions tab in the Advanced Security Settings window. For example, let’s check what permissions the Users group has on the “Marko” folder.
Effective Permissions Example
In our case, the Users group doesn’t have any permissions on the “Marko” folder, and this is what we want. Effective permissions are very useful when we want to check permissions for users who belong to multiple groups, because the calculation also takes inheritance and propagation levels into account. This way we don’t have to work out the final permissions by hand.