Understanding Windows Server 2008 File and Folder Ownership and Permissions
One of the key advantages offered by NTFS over the older FAT file system type is the concept of file and folder permissions and ownership. Through careful implementation and management, file and folder permissions on NTFS-based file systems significantly increase the security of data stored on a Windows Server system. In addition, file and folder permissions augment the shared permissions discussed in previous chapters to provide finer-grained control over access to shared files and folders.
This chapter of Windows Server 2008 Essentials will provide a detailed overview of file and folder permissions and ownership in the context of Windows Server 2008, including topics such as transfer of ownership and permission inheritance.
Ownership of Files and Folders
The owner of a file or folder is the user who has complete control over it: the owner can grant access to the resource and can allow other users to take over its ownership. The owner is often, but not always, the creator of the file or folder, and is governed by the location where the file or folder is first created. Typically, the creator of the file or folder is, by default, initially designated as the owner. Ownership of a file or folder may be taken by an administrator, by any user with the Take ownership permission on the object in question, or by any user with the right to Restore Files and Directories, which by default includes members of the Backup Operators group.
Taking and Transferring Windows Server 2008 File and Folder Ownership
Ownership may be taken, when permitted, using the properties dialog of the file or folder in question. This can be accessed by right-clicking on the file or folder in Windows Explorer, selecting Properties from the menu and then clicking on the Security tab. On the Security page of the properties dialog, click on the Advanced button to access the Advanced Security Settings dialog and then select the Ownership tab to display the following dialog:
As illustrated in the preceding figure, the file's current owner is bill and the option is available for user nas to take over ownership of the file. To take ownership, click on the Edit button to display the following dialog box where ownership may be changed:
To take ownership, select your user name from the list and click on Apply. To transfer ownership to a different user, either select the name from the list, or search for the user by clicking on the Other users or groups... button. Select the required user and click on Apply to commit the transfer.
File and Folder Permission Inheritance
Another part of understanding file and folder permissions involves the concept of inheritance. When a file or sub-folder is created in an existing folder (referred to as the parent folder) it inherits, by default, all of the permissions of the parent folder. Similarly, when the permissions on a parent folder are changed, those changes are automatically inherited by all child files and folders contained within that parent folder.
To turn off inheritance for a child file or folder, right-click the object in Windows Explorer, select Properties and then click on the Security tab of the properties dialog. On the Security properties panel, click on the Advanced button to display the Advanced Security Settings dialog, followed by Edit... to display the editable permission settings. In this dialog, unset the check box next to Include inheritable permissions from parent object. Once the check box is cleared, a warning dialog will appear providing the choice to retain the current inherited permissions, or to remove any inherited permissions, keeping only permissions which have been explicitly set on the selected object:
Occasionally, the converse situation exists, whereby a parent folder contains files and folders which have explicitly set permissions, rather than just the inherited permissions from the parent folder. In order to reset a folder and its children such that it only has inherited permissions, display the Security tab of the Properties dialog as outlined above, click on Advanced... and then Edit... and set the check box next to Replace all existing inheritable permissions on all descendants with inheritable permissions from this object. A dialog will subsequently appear warning that any explicitly defined permissions on all descendant files and folders will be removed and replaced by inheritable permissions. Click Yes to commit the change.
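The ownership and inheritance settings described in this chapter can also be read from the command line. The following PowerShell function is an added example, not part of the original chapter: it lists each object's owner, whether inheritance from the parent is turned off, and the explicitly set permissions that the reset described above would remove. The root path is a hypothetical placeholder, and PowerShell 2.0 or later is assumed.

```powershell
# Added example: review a folder tree before replacing permissions on all
# descendants. Reports every object that has inheritance turned off or that
# carries explicitly set (non-inherited) permission entries.
# 'D:\Shares\Projects' is a hypothetical path; pass the folder under review.
function Get-NtfsInheritanceReport {
    param([string]$Root = 'D:\Shares\Projects')

    # The root folder itself, then every descendant file and folder
    # (-Force includes hidden and system items).
    $items = @(Get-Item $Root) + @(Get-ChildItem $Root -Recurse -Force)

    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName

        # Entries set directly on this object rather than inherited.
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

        # Skip objects that only have inherited permissions.
        if (-not $acl.AreAccessRulesProtected -and $explicit.Count -eq 0) {
            continue
        }

        # One readable line per explicit entry: Allow/Deny, account, rights.
        $entries = @($explicit | ForEach-Object {
            '{0} {1}: {2}' -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights
        })

        New-Object PSObject -Property @{
            Path                = $item.FullName
            Owner               = $acl.Owner
            InheritanceDisabled = $acl.AreAccessRulesProtected
            ExplicitEntries     = ($entries -join '; ')
        } | Select-Object Path, Owner, InheritanceDisabled, ExplicitEntries
    }
}

# Usage: show the report as a list, one block per object.
Get-NtfsInheritanceReport -Root 'D:\Shares\Projects' | Format-List
```

The root folder normally appears in the report because the permissions that its children inherit are set explicitly on it. Entries reported for descendants are the ones that would be lost if inheritable permissions were replaced from the parent.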