Understanding Windows Server 2008 File and Folder Ownership and Permissions

From Techotopia
Revision as of 18:53, 19 August 2008 by Neil (Talk | contribs)


One of the key advantages offered by NTFS over the older FAT file system type is the concept of file and folder permissions and ownership. Through careful implementation and management, file and folder permissions on NTFS-based file systems significantly increase the security of data stored on a Windows Server system. In addition, file and folder permissions augment the shared permissions discussed in previous chapters to provide finer-grained control over access to shared files and folders.

This chapter of Windows Server 2008 Essentials will provide a detailed overview of file and folder permissions and ownership in the context of Windows Server 2008, including topics such as transfer of ownership and permission inheritance.




Ownership of Files and Folders

The owner of a file or folder is the user who has full control over it: the owner can grant other users access to the resource and can allow other users to take over its ownership. The owner is often, but not always, the creator of the file or folder, depending on the location in which the object is first created. Typically, the creator is designated as the initial owner by default. Ownership of a file or folder may be taken by an administrator, by any user with the Take ownership permission on the object in question, or by any user with the Restore Files and Directories right, which by default includes members of the Backup Operators group.

Taking and Transferring Windows Server 2008 File and Folder Ownership

Ownership may be taken, when permitted, using the properties dialog of the file or folder in question. This can be accessed by right clicking on the file or folder in Windows Explorer, selecting Properties from the menu and then clicking on the Security tab. On the Security page of the properties dialog, click on the Advanced button to access the Advanced Security Settings dialog and then select the Ownership tab to display the following dialog:


Taking ownership of a file or folder


As illustrated in the preceding figure, the file's current owner is bill and the option is available for user nas to take over ownership of the file. To take ownership, click on the Edit button to display the following dialog box where ownership may be changed:


Taking or transferring file ownership


To take ownership, select your user name from the list and click on Apply. To transfer ownership to a different user, either select the name from the list, or search for the user by clicking on the Other users or groups... button. Select the required user and click on Apply to commit the transfer.
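The same take and transfer operations can be scripted and verified from an elevated PowerShell prompt using the built-in takeown and icacls tools. This is an added example, not part of the original chapter; the file path and the Set-ItemOwner helper are hypothetical, nas is the account named in the text above, and PowerShell 3.0 or later is assumed.

```powershell
# Placeholder: hypothetical file path (constructed for this example)
$path = 'D:\Shares\Reports\budget.xlsx'

function Set-ItemOwner {
    # Transfers ownership of $Path to $Owner, or takes it for the current user
    # when $Owner is omitted, then confirms the result by comparing SIDs.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Owner
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    if ($Owner) {
        # Resolve the name first so a mistyped account fails before anything changes
        $target = (New-Object System.Security.Principal.NTAccount($Owner)).Translate($sidType)
    } else {
        $target = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    }
    $before = (Get-Acl -LiteralPath $Path).Owner

    if ($Owner) {
        & icacls.exe $Path /setowner $Owner | Out-Null   # transfer to a named account
    } else {
        & takeown.exe /F $Path | Out-Null                # take ownership as the current user
    }
    if ($LASTEXITCODE -ne 0) {
        throw "Ownership change failed (exit code $LASTEXITCODE): $Path"
    }

    # Re-read the security descriptor and make sure the owner really changed
    $acl = Get-Acl -LiteralPath $Path
    if ($acl.GetOwner($sidType).Value -ne $target.Value) {
        throw "Owner of $Path is $($acl.Owner), expected SID $($target.Value)"
    }
    [pscustomobject]@{ Path = $Path; OwnerBefore = $before; OwnerAfter = $acl.Owner }
}

Set-ItemOwner -Path $path               # take ownership as the logged-on user
Set-ItemOwner -Path $path -Owner 'nas'  # transfer ownership to another account
```

Recording the owner before and after each change gives an audit trail that the dialog-based procedure does not leave behind.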


File and Folder Permission Inheritance

Another part of understanding file and folder permissions involves the concept of inheritance. When a file or sub-folder is created in an existing folder (referred to as the parent folder) it inherits, by default, all of the permissions of the parent folder. Similarly, when the permissions on a parent folder are changed, those changes are automatically inherited by all child files and folders contained within that parent folder.

To turn off inheritance for a child file or folder, right-click the object in Windows Explorer, select Properties and then click on the Security tab of the properties dialog. On the Security properties panel, click on the Advanced button to display the Advanced Security Settings dialog, followed by Edit... to display the editable permission settings. In this dialog, clear the check box next to Include inheritable permissions from parent object. Once the check box is cleared, a warning dialog will appear providing the choice to retain the current inherited permissions, or to remove any inherited permissions, keeping only permissions which have been explicitly set on the selected object:


Choose to keep or remove the inherited permissions of a file or folder


Occasionally, the converse situation exists, whereby a parent folder contains files and folders which have explicitly set permissions, rather than just the inherited permissions from the parent folder. In order to reset a folder and its children such that it only has inherited permissions, display the Security tab of the Properties dialog as outlined above, click on Advanced... and then Edit... and set the check box next to Replace all existing inheritable permissions on all descendants with inheritable permissions from this object. A dialog will subsequently appear warning that any explicitly defined permissions on all descendant files and folders will be removed and replaced by inheritable permissions. Click Yes to commit the change.
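Before changing inheritance it helps to know which objects already deviate from their parent. The following added example (not part of the original chapter) builds a constructed sample tree under the temp directory, reports the owner, inheritance state and explicit entries of each item, and then applies the command-line counterparts of the two dialog operations described above. The folder names and the Get-InheritanceReport helper are hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Constructed sample tree under %TEMP% (hypothetical names, not from the original page)
$root  = Join-Path $env:TEMP 'acl-demo'
$child = Join-Path $root 'payroll'
New-Item -ItemType Directory -Path $child -Force | Out-Null
Set-Content -Path (Join-Path $child 'q3.txt') -Value 'sample'

function Get-InheritanceReport {
    # One row per file or folder under $Root: owner, inheritance state, explicit ACE count
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
        $item     = $_
        $acl      = Get-Acl -LiteralPath $item.FullName
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        [pscustomobject]@{
            Path               = $item.FullName
            Owner              = $acl.Owner
            InheritanceEnabled = -not $acl.AreAccessRulesProtected
            ExplicitAces       = $explicit.Count
        }
    }
}

# Baseline report before any change
Get-InheritanceReport -Root $root | Format-Table -AutoSize

# Turn off inheritance on the folder and retain the current entries:
# the inherited ACEs are copied onto the folder as explicit ACEs
& icacls.exe $child /inheritance:d | Out-Null
# The other choice, /inheritance:r, removes the inherited ACEs instead. On an object
# with no explicit ACEs that leaves an empty ACL, denying access to everyone until
# the owner adds entries.

# List only the items that no longer inherit or that carry explicit ACEs
Get-InheritanceReport -Root $root |
    Where-Object { -not $_.InheritanceEnabled -or $_.ExplicitAces -gt 0 } |
    Format-Table -AutoSize

# Reset the folder and everything below it to inherited-only permissions
& icacls.exe $child /reset /T | Out-Null
Get-InheritanceReport -Root $root | Format-Table -AutoSize

Remove-Item -LiteralPath $root -Recurse -Force   # clean up the sample tree
```

Run against a real share, the filtered report is a quick way to find folders where inheritance was switched off and never reviewed.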

Basic File and Folder Permissions

NTFS provides two levels of file and folder permissions which can be used to control user and group access. These are basic permissions and special permissions. In essence, basic permissions are nothing more than pre-configured sets of special permissions. This section will look at basic permissions and the next will focus on special permissions and how they are used to create basic permissions.

The current basic permissions for a file or folder may be viewed by right clicking on the object in Windows Explorer, selecting Properties and then choosing the Security tab. At the top of the security properties panel is a list of users and groups for which permissions have been configured on the selected file or folder. Selecting a group or user from the list causes the basic permissions for that user to be displayed in the lower half of the dialog. Any permissions which are grayed out in the permission list are inherited from the parent folder.

The basic permission settings available differ slightly between files and folders. The following table lists the basic folder permissions supported by Windows Server 2008 on NTFS volumes:

| Permission | Description |
|---|---|
| Full Control | Permission to read, write, change and delete files and sub-folders. |
| Modify | Permission to read and write to files in the folder, and to delete current folder. |
| List Folder Contents | Permission to obtain listing of files and folders and to execute files. |
| Read and Execute | Permission to list files and folders and to execute files. |
| Write | Permission to create new files and folders within selected folder. |
| Read | Permission to list files and folders. |