How do I assign NTFS Permissions and how do I remove NTFS Permissions? What about special permissions? And how do I disable NTFS permission inheritance? How do NTFS permissions assigned to folders and to files combine? Read more to get an insight!
In this post you are going to learn how to manage NTFS permissions. Throughout this section, we will continue to use MyFolder as our example folder.
How to Assign or Remove NTFS Permissions
First, locate the folder or file you want to grant permissions to. Right click that folder. Then click on
Click on the security tab to view the ACL (Access Control List) for the folder. Under Groups or user names click the
To remove a user, simply click on that user and press the Remove button followed by the
To add a user, click the
Now you can select the User/Groups you wish to grant access to MyFolder. The options within the Select Users or Groups form are as follows:
- Object Types: Allows you to filter what type of object you want to assign, in order to narrow your search.
- Locations: If you are on a Windows Network, you can choose between the local computer or Active Directory to search for network users in your organization.
For our example, we are going to type “FileShare-Operatoren” in the Enter the object names to select textbox and then click the Check Names button, followed by the
“FileShare-Operatoren” now appears on the “Permissions for MyFolder” page. Here you can choose which permissions to grant the user. Once you assign these permissions, click the OK button. For this exercise, we assigned the “Full Control” permission to the user from the “FileShare-Operatoren” group. You can also deny permissions using the “Deny” column. As a reminder, we do not recommend denying permissions to users. Instead, it is best to control user access through the groups which they belong to.
Group now has “Full Control” NTFS permissions within the ACL.
How to Assign Special NTFS Permissions
First, locate the folder or file you want to grant NTFS permissions to. Right click that folder. Then click on
Click on the security tab to view the ACL (Access Control List) for the folder. Then click on
This is the Advanced Security Settings tab, which changed in Windows Server 2012 to provide an interface that is easier to understand and manage.
In the permissions tab, click on the
On the permissions entry page, click on Select a principal.
Choose the user or group you want to grant special NTFS permissions to. We will use group “FSV_Change” for our example. Then click the
Once you have selected your user or group, by default, you are presented with the list of basic permissions. To see the list of advanced permissions, click on Show advanced permissions.
Select the proper advanced permissions for the user and click the OK button. For more details about each advanced permission type, please refer to the previous chapter.
You will now see the advanced permissions assigned on the Advanced Security Settings page. Click the OK button to complete the process.
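The two dialog procedures above (basic permissions for “FileShare-Operatoren” and special permissions for “FSV_Change”) can also be scripted. The following is an added example, not part of the original article; the path C:\MyFolder, the particular advanced rights chosen and the account name FormerUser are assumptions.

```powershell
# Assumptions: MyFolder lives at C:\MyFolder and the group names resolve on this machine.
$path = 'C:\MyFolder'
$acl  = Get-Acl -LiteralPath $path

# Apply each entry to this folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# Basic permission: Full Control for FileShare-Operatoren.
$basic = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'FileShare-Operatoren',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    $inherit, $propagate, $allow)
$acl.AddAccessRule($basic)

# Special permissions: an illustrative subset of the advanced rights for FSV_Change
# (list folder, read attributes and permissions, create files, append data).
$rights = [System.Security.AccessControl.FileSystemRights]'ListDirectory, ReadAttributes, ReadExtendedAttributes, CreateFiles, AppendData, ReadPermissions, Synchronize'
$special = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'FSV_Change', $rights, $inherit, $propagate, $allow)
$acl.AddAccessRule($special)

# Removal: drop every explicit entry held by one account. 'FormerUser' is a
# hypothetical name; replace it with an account that exists, or skip these two lines.
$old = [System.Security.Principal.NTAccount]::new('FormerUser')
$acl.PurgeAccessRules($old)

# Nothing changes on disk until the modified ACL is written back.
Set-Acl -LiteralPath $path -AclObject $acl

# Verify the result: explicit entries show IsInherited = False.
(Get-Acl -LiteralPath $path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

PurgeAccessRules only removes explicit entries; entries inherited from a parent folder remain until inheritance is changed.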
How to Disable Inheritance
You can disable inheritance for any given file or folder by going to the Security tab within the properties of that file/folder and clicking on Advanced followed by
In the next step you have to choose one of the following options. The first option, Convert inherited permissions into explicit permissions on this object, will copy all inherited permissions and set them explicitly on this level. This would be the same as if you set all of these permissions manually.
The second option, Remove all inherited permissions from this object, will remove all inherited permissions. Be aware that you now have to set permissions yourself; otherwise no permissions will be set on this folder at all.
When administrators and users start changing NTFS permissions regularly, some files or folders can become inaccessible to users and groups that should have access. For this reason, you can, at any time, go back to the default inherited state by choosing Replace all child object permission entries with inheritable permission entries from this object, as seen in the next image.
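The two choices in the disable-inheritance dialog map onto the two arguments of SetAccessRuleProtection. The function below is an added example, not from the original article; its name, the -Force switch and the path C:\MyFolder are assumptions. The Enable mode goes beyond the article: it turns inheritance back on for a single object and is not the same as the child-replacement option.

```powershell
function Set-NtfsInheritance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('Convert', 'Remove', 'Enable')][string]$Mode,
        [switch]$Force
    )
    $acl = Get-Acl -LiteralPath $Path
    switch ($Mode) {
        # "Convert inherited permissions into explicit permissions on this object"
        'Convert' { $acl.SetAccessRuleProtection($true, $true) }
        # "Remove all inherited permissions from this object"
        'Remove' {
            $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
            if ($explicit.Count -eq 0 -and -not $Force) {
                # Guard for the caveat above: with no explicit entries, removing
                # the inherited ones leaves the object with no permissions at all.
                throw "No explicit entries on '$Path'; add permissions first or use -Force."
            }
            $acl.SetAccessRuleProtection($true, $false)
        }
        # Re-enable inheritance on this one object (second argument is ignored).
        'Enable' { $acl.SetAccessRuleProtection($false, $false) }
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Report the state actually stored on disk after the change.
    $after = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        Path                = $Path
        InheritanceDisabled = $after.AreAccessRulesProtected
        ExplicitEntries     = @($after.Access | Where-Object { -not $_.IsInherited }).Count
    }
}

# Assumed path; copies the inherited entries, then stops inheriting.
Set-NtfsInheritance -Path 'C:\MyFolder' -Mode Convert
```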
How to Override Folder Permissions with File Permissions
It is possible to override access to a file within a folder that you do not have access to. In our example, let’s say that you do not have access to “MyFolder”, but there is a specific file within MyFolder called “MyFile” that you need access to. You can receive access to only this specific file if you use the “Bypass Traverse Checking” security setting permission.
Bypass Traverse Checking is a setting that is assigned through Group Policy Settings. Therefore, we won’t cover it in detail in this article.
How to Override Folder Permissions with Deny Permission
It is possible to override any permissions with a Deny Permission. In our example, let’s say that you have modify access to “MyFolder” because of your membership in a specific security group. If you are also a member of a group that is denied permissions on a specific file in that folder, you will not get access to this file.
Denying permissions overrides any other permissions a user might have. Keep in mind that this is not the recommended method of controlling access to resources.
In the figure above:
- John is member of Group Sales_W and Group Sales_File2_DW.
- For folder Sales John will inherit Write permissions from Group Sales_W.
- And John will inherit Deny Write permissions for File2 from Group Sales_File2_DW.
The results are:
- John can read and write to File1.
- He can also read File2, but cannot write to this file because he is a member of Group Sales_File2_DW, which grants Deny Write permission to this file.
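Because a Deny entry silently wins over group-granted access, it helps to know where explicit Deny entries exist. The audit function below is an added example, not from the original article; the function name and the path C:\Sales are assumptions. In the scenario above it would report File2 with the Deny Write entry for Sales_File2_DW.

```powershell
function Get-NtfsDenyEntry {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Root)

    # Inspect the root itself plus everything beneath it, hidden items included.
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        }
        catch {
            # An unreadable ACL is itself worth a look, so surface it instead of hiding it.
            Write-Warning "Cannot read ACL: $($item.FullName)"
            continue
        }
        foreach ($ace in $acl.Access) {
            # Report only Deny entries set directly on this object; inherited
            # copies would repeat the same finding for every child.
            if ($ace.AccessControlType -eq 'Deny' -and -not $ace.IsInherited) {
                [pscustomobject]@{
                    Path                = $item.FullName
                    Identity            = $ace.IdentityReference.Value
                    DeniedRights        = $ace.FileSystemRights
                    InheritanceDisabled = $acl.AreAccessRulesProtected
                }
            }
        }
    }
}

# Assumed location of the Sales folder from the example above.
Get-NtfsDenyEntry -Root 'C:\Sales' | Format-Table -AutoSize
```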