Upgrading and Repairing Networks Free Open Book


NTFS Standard and Special Permissions

When a disk partition is formatted using NTFS, you can grant permissions that control which directories and files can be accessed by users, and what kind of actions the user can take on a file or directory. Whereas rights grant a user the capability to perform some function, permissions specify which users (or groups) can access a particular object, such as a file, directory, or printer. Some rights, such as Backup of files and directories, can override permissions applied to files or directories. Without this capability, a user who is responsible for performing backups would have to be granted access to every file and directory. Don't worry, however. That right only allows the user to back up the files, not to read or access the files in any other way.

Tip

If you don't see the Sharing or Security tabs, you are not using an NTFS partition, but a FAT or FAT32 partition instead. Those file systems do not support the same sharing and security features offered by NTFS. If you are not dual-booting Windows 95/98 on your computer with Windows NT 4.0/2000/Server 2003, there isn't really a good reason for using a file system other than NTFS.


In the following example, using Windows 2003, the Windows Explorer utility (found under the Accessories folder) can be used to add or change permissions on files and directories. To view or modify the permissions on a file or directory using Windows Explorer, simply right-click on the file or directory and select Properties. From the File Properties sheet, select the Security tab and from this tab click the Permissions button. In Figure 39.5 you can see the Security tab selected for a directory.

Figure 39.5. Use the Security tab to set permissions on files or directories for NTFS partitions.


In Figure 39.5 you can see that members of the Administrators group of the Zira domain are allowed full access to this directory. Note the Allow and Deny check boxes in the lower pane of this properties sheet.

Using the top pane, you can select other users or groups to see what access has been granted (or denied) them. To add a user or group, click on the Add button, and the Select Users, Computers, or Groups dialog box will allow you to enter one or more usernames or groups (see Figure 39.6). If you know the username, enter it. To see more information about that user (such as the person's entire name as stored in the Active Directory), click on Check Names after entering the username. In Figure 39.6 this has been done so that I can be sure I have the right person associated with the username I entered.

Figure 39.6. This dialog box enables you to select a user or group.


Tip

The dialog boxes shown in Figure 39.6 and Figure 39.7 are standard dialog boxes used by many utilities to locate users, computers, and other objects in the Active Directory. You can use the Object Types button to select a specific object.


Figure 39.7. You can use the advanced search feature to locate users in the Active Directory.


In Figure 39.6 you'll see that there is also an Advanced button. If you click on this button, you can search the Active Directory to find a username. This expanded dialog box is shown in Figure 39.7.

After you have selected the user for which you want to manage access to a file or folder, click the OK button on the Select Users, Computers, or Groups dialog box, and you will be returned to the Security tab of the object's properties sheet. The user you have added will appear in the top pane. Select the user by clicking on the name once. Then you can select which permissions to allow or deny. The basic permissions for a resource are the following:

  • Full Control: Gives the user full control over the object.

  • Modify: Enables the user to make changes to the object.

  • Read & Execute: Just what it says: lets the user read files and execute applications in the directory.

  • List Folder Contents: Lets the user see the files contained in the folder.

  • Read: Grants the user read access to the folder or file.

  • Write: Lets the user write to the file or folder.

  • Special Permissions: This last entry is scrolled off of the pane in Figure 39.5. This check box will be selected if you have granted the user any of the special permissions by using the Advanced button.

The Advanced button will let you further refine the permissions, auditing, and other features, including how permissions can be inherited by subfolders that are created under the folder you are currently managing. Although it is beyond the scope of this chapter to list all the possibilities that the Advanced button offers, Figure 39.8 shows the Advanced Security Settings for a folder, and the tabs that can be used to further customize permissions and other features applied to the folder.

Figure 39.8. The Advanced button enables you to micromanage permissions, auditing, ownership, and other features.


One important thing you can see in this figure is the check box labeled Allow Inheritable Permissions from the Parent to Propagate to This Object and All Child Objects. If it's selected while you are modifying permissions for a subfolder, that subfolder also inherits access controls from the parent folders above it. Similarly, new subfolders created under this one will inherit the access controls you have just created. If you want to apply your access control modifications to existing subfolders, use the second check box, labeled Replace Permission Entries on All Child Objects with Entries Shown Here That Apply to Child Objects.

Is that complicated or what? Yet, this just shows that you can fine-tune permissions on objects (such as files, folders, and printers) that are in a domain that uses the Active Directory.

When you are finished making changes to the permissions (access controls) for a folder or file, click the Apply button and then the OK button shown back in Figure 39.8.

Whereas rights and privileges can be granted to users or groups, and enable them to perform certain actions on a computer, permissions are used to restrict which resources a user can access. The NTFS file system enables you to assign granular permissions to every file or directory on your computer, as well as other objects. You can override these permissions, as described previously. For example, the administrator's right to take ownership of a file or directory can override any permissions you place on a file or directory. Yet, for the majority of your users who do not possess this type of right, permissions on files or directories can serve as a valuable protection that can keep your data safe.

Windows Permissions Are Cumulative

When a user is a member of more than one group, the rights he holds are cumulative. In addition, permissions on a resource are also cumulative, with the exception of the No Access permission. Take, for example, a user who has been granted the Read permission to a directory because of his membership in a group (such as "world"). However, if the user is also a member of another group called "accountants," the user's permissions are calculated using permissions granted to that group as well. If the accountants user group has been granted the Change permission for the directory, the user has both the Read and Change permissions when he is evaluated for access to the directory.

The only exception to this rule is the No Access permission. It specifically denies all other access. Thus, if a user is a member of one group that has been granted Full Control over a directory, but is also a member of another group that has been granted the No Access permission for the directory, the user will not be able to access the directory. The No Access permission overrides other access permissions.

The capability to selectively deny access to specific users can be a useful tool when setting up or managing user accounts. It is easier to grant access to everyone in a large user group and then to deny access to a few select individuals who should not be allowed to use the resource. The alternative is to create a more finely tuned user group that eliminates those who do not need access and then grant access to this new group. This method, however, increases the number of user groups you have to manage and, thus, its use becomes less effective the more you use it.
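The cumulative rule and the No Access override described above can be modelled in a few lines. This is an added example, not code from the book or from Windows: it is a simplified model of the evaluation, and every trustee name other than "world" and "accountants" is hypothetical sample data.

```python
# Constructed sample data: group memberships and one directory's ACL.
# Names other than "world" and "accountants" are hypothetical.
MEMBERSHIPS = {
    "alice": {"world", "accountants"},
    "bob": {"world", "accountants", "contractors"},
    "carol": {"world"},
    "dave": {"world"},
}
# Each entry is (trustee, permission); a trustee is a group or a username.
DIRECTORY_ACL = [
    ("world", "Read"),
    ("accountants", "Change"),
    ("administrators", "Full Control"),
    ("contractors", "No Access"),  # deny a whole group
    ("dave", "No Access"),         # deny one individual in a large group
]

NO_ACCESS = "No Access"


def evaluate(user, memberships, acl):
    """Return (granted_permissions, denying_trustees) for one user.

    Grants accumulate across every matching entry; a single No Access
    entry on the user or on any of the user's groups cancels them all.
    """
    trustees = set(memberships.get(user, set())) | {user}
    granted, denied_by = set(), []
    for trustee, permission in acl:
        if trustee not in trustees:
            continue
        if permission == NO_ACCESS:
            denied_by.append(trustee)
        else:
            granted.add(permission)
    if denied_by:
        return set(), denied_by
    return granted, denied_by


def report(memberships, acl):
    """Effective access for every known user, keyed by username."""
    return {user: evaluate(user, memberships, acl) for user in sorted(memberships)}


if __name__ == "__main__":
    for user, (granted, denied_by) in report(MEMBERSHIPS, DIRECTORY_ACL).items():
        if denied_by:
            print(f"{user}: no access (No Access via {', '.join(denied_by)})")
        else:
            print(f"{user}: {', '.join(sorted(granted)) or 'nothing granted'}")
```

Returning the denying trustee alongside the result answers the usual troubleshooting question of which group membership is locking a user out.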
