Planning before implementing NTFS Permissions

If you’re a Windows Administrator, you’ve probably experienced the nightmare of managing folder permissions. This is common in environments large and small where no proper planning is done before permissions are granted. Such negligence can lead to complications and expose the environment to security risks. Below are some examples:

  • Users or groups having access to folders not intended for them (e.g., Sales Group can view Management’s folders)
  • Applications fail to run because of lack of permission (e.g., Backup Software unable to perform tasks on specific folders)
  • Folder permissions so convoluted that Admins are better off redoing them from scratch.

Why Planning is a Crucial Step Before Implementing NTFS Permissions

All of the above examples result from incorrect planning (or the lack of it) before NTFS permissions are implemented. One may point out that they can also be due to the incompetence of the person doing the task. I agree that could also happen, but with proper planning, documentation, and layout, these problems can be avoided even if you let your junior admin do the task.

As part of the Planning phase, here are some of the things an Admin can do:

Design a Folder Structure

Before creating the actual folders, you must know what folders are to be created. Whether you prefer a digital or physical board, list the shares that will be created for each department or group. Work with the knowledge you already have of your current environment. There will be changes along the way (e.g., a new department or new projects), but this is a good start.

Identify who has access

After listing the shares to be created, map out the users or groups that have access to specific folders. You may list the users or groups and draw a line to connect them to the appropriate shares. However you want this done, make sure to have fun doing it!

Plan the Permissions

This one is critical, so take your time going through the shares and groups and write down the appropriate permissions. If you use naming conventions such as R for Read-only or F for Full Control, be consistent to avoid confusion along the way.

Proper Documentation

Good planning always comes with good documentation. It’s always good to have something to go back to when you forget. This not only serves as your guide but is also something you can pass down to your junior staff or even to your boss. With that said, documentation must be clear and concise. Also, changes in the organization are inevitable, so whatever method you use to document, make sure it can easily be modified and expanded.

Being an Admin can be stressful, but proper planning, implementation, and clear documentation smooth administration and help you focus on other areas.
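One way to keep the plan described above in a form that can be checked, as an added example that is not part of the original article: the plan is a small CSV, the script flags codes that break the naming convention, then lists principals on each share that the plan never mentions. The share paths, group names, the extra M code and the list of ignored built-in principals are constructed for illustration.

```powershell
# Added example. All paths, groups and the legend below are constructed sample data.
$legend  = @{ R = 'ReadAndExecute'; M = 'Modify'; F = 'FullControl' }
$ignored = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'

$plan = @'
Share,Principal,Code
D:\Shares\Sales,CONTOSO\Sales-Users,M
D:\Shares\Sales,CONTOSO\Sales-Managers,F
D:\Shares\Management,CONTOSO\Management,M
D:\Shares\Backup,CONTOSO\svc-backup,Full
D:\Shares\Backup,CONTOSO\Helpdesk,r
'@ | ConvertFrom-Csv

# Check 1: every code must match the legend exactly (case-sensitive),
# so "Full" and "r" are reported as inconsistent.
$plan | Where-Object { $_.Code -cnotin @($legend.Keys) } | ForEach-Object {
    Write-Warning "Inconsistent code '$($_.Code)' for $($_.Principal) on $($_.Share)"
}

# Check 2: on shares that already exist, report Allow entries for principals
# the plan does not list (e.g. Sales able to read Management's folder).
foreach ($share in ($plan | Group-Object Share)) {
    if (-not (Test-Path -LiteralPath $share.Name)) { continue }
    $planned = @($share.Group.Principal)
    foreach ($ace in (Get-Acl -LiteralPath $share.Name).Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or $who -in $ignored) { continue }
        if ($who -notin $planned) {
            [pscustomobject]@{
                Share     = $share.Name
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Finding   = 'Not in plan'
            }
        }
    }
}
```

The script only reads ACLs, so it can run on a schedule as a drift report against the documented plan.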


Take Ownership of Windows Folder and Files

What you need to know before taking Ownership of Files and Folders

Taking ownership of files and folders is an easy thing to do. Instructions are all over the internet, so even a regular Windows user will find it simple and effortless. But have you ever wondered why you need to do this, and what its effects are? Now before you take the ownership of all folders in your PC (please don’t!), I will share some information about taking ownership of files and folders.

Concept of File and Folder Ownership

The owner controls how permissions are set and to whom permissions are granted on the files and folders. By default, the owner is the user who created the object. In simple terms, if you created a folder, then by default you become its owner; ownership means you get to decide who can access the folder, and it gives you the power to transfer the ownership to another user.

Who can take and transfer ownership

As mentioned above, the default owner (the user who created the file or folder) can transfer the ownership. But aside from the owner, other users or groups with certain permissions can also take the ownership. These are:

  • Members of the Administrators group
  • A user with the Take ownership permission
  • Members of the Backup Operators group

Why do you need to take the ownership?

Because you can! Just kidding! Have you tried deleting or renaming a folder, only to get access denied? That’s most likely caused by a lack of permission, and being the owner of the folder allows you to make changes to that folder. This is just one example of why taking ownership is needed, and I’ve listed a couple more examples below.

  • You connect an external drive from another PC, and you’re denied access to the folders
  • You upgraded from Windows 7 or 8 to Windows 10 and wish to delete the Windows.old folder to free up some space
  • You attached a second disk to your PC. The disk used to be a system drive (with an OS installed), and you’re denied access to the folders
  • You need to make changes to system files (example: replace a bad .dll file)
  • You need to manage files or folders owned by a user account that’s already deleted

How to take ownership of the files and folders?

Here I will show you how to do it via GUI. There is also a built-in command line tool in Windows called takeown.exe if you want to do it via command line.

In this example, we will take ownership of the System32 folder. Right-click the folder you wish to take ownership of and go to Properties. Click on the Security tab and then Advanced.

The Advanced settings will show you the current owner of the file or folder. Click on Change.

Enter the name of the new owner and click Check Names or click Advanced to find the user.

Once the new user is entered, click OK and now the new owner will be shown. Tick the option “Replace owner on subcontainers and objects” if you also want to take ownership of the subfolders and files. Click OK and you’re done!

Taking Ownership from TrustedInstaller

Although this article talks about taking ownership of files and folders, it is critical to know that taking ownership from TrustedInstaller can lead to system failure. The TrustedInstaller account is used to secure core operating system files and registry keys, so unless you’re very sure of what you’re doing, I don’t recommend messing with this.

Wrapping up!

Taking ownership of files and folders gives a user the capability to override restrictions and perform the necessary task. However, always take extra precautions when changing the ownership, especially on system files. Have I said that already? Well, that’s because I wanted to emphasize this. If you need to change it for temporary access then, by all means, do it, but don’t forget to change it back to the original owner (TrustedInstaller) to avoid issues with the Operating System. You might also want to keep track of which folders each user owns, as some users may have taken ownership of certain folders. If you’re the only user or admin on your PC, then it might not be necessary, but for a larger organization, having a tool like FolderSecurityViewer will help you with this task. Be sure to check it out!
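A script-based way to keep track of folder owners and spot changes, as an added example that is not part of the original article and not related to FolderSecurityViewer: it records the owner of every folder under a root, then compares a later scan against that record. The function names, D:\Shares and the baseline file path are hypothetical.

```powershell
# Added example. Function names and all paths are assumptions for illustration.
function Get-FolderOwner {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            try   { $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner }
            catch { $owner = '<unreadable>' }   # no rights to read the ACL
            [pscustomobject]@{ Path = $_.FullName; Owner = $owner }
        }
}

function Compare-OwnerBaseline {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$BaselineCsv
    )
    $baseline = @{}
    Import-Csv -LiteralPath $BaselineCsv | ForEach-Object { $baseline[$_.Path] = $_.Owner }
    foreach ($item in Get-FolderOwner -Root $Root) {
        $was = $baseline[$item.Path]
        if     ($null -eq $was)                { $status = 'NewFolder' }
        elseif ($was -ne $item.Owner)          { $status = 'OwnerChanged' }
        # An owner that no longer resolves to a name (deleted account)
        # typically shows up as a raw SID.
        elseif ($item.Owner -match 'S-1-5-\d') { $status = 'OrphanedSid' }
        else   { continue }
        [pscustomobject]@{ Status = $status; Path = $item.Path; Was = $was; Now = $item.Owner }
    }
}

# 1. Record owners once and keep the file with your permission documentation.
Get-FolderOwner -Root 'D:\Shares' |
    Export-Csv -LiteralPath 'D:\Docs\owner-baseline.csv' -NoTypeInformation

# 2. Later: list folders whose owner differs from the recorded one.
Compare-OwnerBaseline -Root 'D:\Shares' -BaselineCsv 'D:\Docs\owner-baseline.csv' |
    Format-Table -AutoSize

# 3. After temporary access, set the recorded owner back, for example:
# icacls 'D:\Shares\Sales' /setowner 'BUILTIN\Administrators'
```

For operating system files, the original owner to restore is written as NT SERVICE\TrustedInstaller.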
