IDP.Net Consulting


 

NTFS Permissions

 

This discusses resource security using NTFS permissions. It specifically discusses security on files and folders within the NT File System (NFTS). The document covers NTFS file and folder permissions, lists, using NTFS permissions, planning NTFS permission, using special access permission, copying and moving data with NTFS permissions assigned, and troubleshooting NTFS permission problems. This document also introduces you to the next generation of NTFS, NTFS 5.0, which windows 2008 touts as its standard file system. In addition, this document outlines all of the components of using NTFS permissions on a NTFS 5.0 file system effectively on a Windows 2000 network. Once you have read and digested this document, you should be able to secure your windows 2008 network with NTFS permissions with ease.

 



UNDERSTANDING NTFS PERMISSIONS

This discussion covers the basics of file and folder permissions. It walks you through the kinds of permissions you can assign to files and folders and how to use them. The new and improved Access Control List is discussed, as well as the effects of multiple applied permissions and inherited permissions. First, let's answer a couple of common questions about NTFS permissions:

 

  • What is a permission? A permission is a rule associated with an object to regulate which users can gain access to that object and in what manner.
  • When can I use a permission? Permissions can be used only on NTFS formatted partitions or volumes, and that is why they are commonly referred to as NTFS permissions.
  • Who can set or apply permissions? Administrators, the user that owns the files or folders, and all other users or groups that have the Full Control permission to those file and folders.

NTFS Permissions and Files
NTFS file permissions are used to control the access that a user, group, or application has to files. This includes everything from reading a file to modifying and executing the file. There are five NTFS file permissions:

 

  1. Read

     
  2. Write

     
  3. Read & Execute

     
  4. Modify

     
  5. Full Control

The five NTFS file permissions are also listed in Table 1 with a description of the access that is allowed to the user or group when each permission is assigned. As you can see, the permissions are listed in a specific order. They all build upon each other.

 

TABLE 1: NTFS FILE PERMISSIONS
NTFS File Permission      Allowed Access
Read   This allows the user or group to read the file and view its attributes, ownership, and permissions set.
Write This allows the user or group to overwrite the file, change its attributes, view its ownership, and view the permissions set.
Read & Execute      This allows the user or group to run and execute the application. In addition, the user can perform all duties allowed by the Read permission.
Modify This allows the user or group to modify and delete a file including perform all of the actions permitted by the Read, Write, and Read and Execute NTFS file permissions.
Full Control This allows the user or group to change the permission set on a file, take ownership of the file, and perform actions permitted by all of the other NTFS file permissions.


If a user needs all access to a file except to take ownership and change its permissions, the Modify permission can be granted. The access allowed by the Read, Write, and Read & Execute are automatically granted within the Modify permission. This saves you from assigning multiple permissions to a file or group of files. In later discussions in this document you will see what happens when multiple NTFS file permissions are assigned and applied and how you can determine the net access the user or group has to that file or folder.

 

NOTE: A file's attributes are properties of the file such as Read-Only, Hidden, Archive, and System. The System attribute is usually applied only to operating system boot files.


NTFS Permissions and Folders
NTFS Folder permissions allow what access is granted to a folder and the files and subfolders within that folder. These permissions can be assigned to a user or group. This topic defines each NFTS folder permission and its effect on a folder. Table 2 displays a list of the NTFS file permissions and the access that is granted to a user or group when each permission is applied.

 

TABLE 2: NTFS FOLDER PERMISSIONS
NTFS File Permission     Allowed Access
Read   This allows the user or group to view the files, folders, and subfolders of the parent folder. It also allows the viewing of folder ownership, permissions, and attributes of that folder.
Write This allows the user or group to create new files and folders within the parent folder as well as view folder ownership and permissions and change the folder attributes.
List Folder Contents     This allows the user or group to view the files and subfolders contained within the folder.
Read & Execute     This allows the user or group to navigate through all files and subfolders including perform all actions allowed by the Read and List Folder Contents permissions.
Modify This allows the user to delete the folder and perform all activities included in the Write and Read & Execute NTFS folder permissions.
Full Control This allows the user or group to change permissions on the folder, take ownership of it, and perform all activities included in all other permissions.


Notice that the only major difference between NTFS file and folder permissions is the List Folder Contents NTFS folder permission. By using this NTFS folder permission you can limit the user's ability to browse through a tree of folders and files. This is useful when trying to secure a specific directory such as an application directory. A user must know the name and location of a file to read or execute it when this permission is applied to its parent folder.

Understanding the Access Control List (ACL)
Everyone who is familiar with Microsoft Windows NT 4.0 will find here a big change for the better. The ACLs or Access Control Lists of the past were written and assigned to a user once a successful Windows NT domain login had been established. The operating system would summarize the user's allowed access in an ACL. When a user in Microsoft Windows NT 4.0 tried to access a file or folder, the operating system would look at the user's ACL and determine whether the user was allowed access. One aspect of this feature turned out to be a huge drawback for everyday user access. If a user called the helpdesk or any other support person to gain access to a file or folder and that person made the appropriate change to the permissions, the user would have to log off and log back on. This is because the ACL in Microsoft Windows NT 4.0 was created only after a successful logon. As you will find out, windows 2008 has made a change in how ACLs work and how users use them.

NTFS 5.0 in windows 2008 stores an ACL with every file and folder on the NTFS partition or volume. The ACL includes all the users and groups that have access to the file or folder. In addition, it indicates what access or specifically what permissions each user or group is allowed to that file or folder. Then, whenever a user makes an attempt to access a file or folder on an NTFS partition or volume, the ACL checks for an ACE (Access Control Entry) for that user account. The ACE will indicate what permissions are allowed for that user account. The user is granted access to that file or folder, provided that the access requested is defined within the ACE. In other words, when user wants to read a file, the Access Control Entry is checked in that file's Access Control List. If the Access Control Entry for that user contains the Read permission, the user is granted access to read that file.

 

NOTE: If a user does not have an ACL of the file that he or she wants to access, access is denied.


Consider the same user/helpdesk situation discussed earlier. When the support person makes the change to the permissions on the file the user needs access to, the change is immediately saved in that file's ACL. The user can then access the file without having to log out and back in.

This is only the case when assigning permissions to users for file or folder resources. When a user is added to a group to gain access to additional resources or otherwise, the user must log out and back in to access those resources. That is because NTFS permissions granted to groups are read in a different manner.


Applying Multiple NTFS Permissions
Multiple permissions can be assigned to a single user account. They can be assigned to the user account directly or to a group the user account is a member of. When multiple permissions are assigned to a user account, unexpected things can happen. To prevent any heartache we are going to discuss the rules and regulations for assigning multiple NTFS permissions to a single user or group. This will include how file and folder permissions work together, and how denying a specific permission can affect a users' allowed access.

First of all, NTFS permissions are cumulative. This means that a user's effective permissions are the result of combining the user's assigned permissions and the permissions assigned to any groups that the user is a member of. For instance, if a user is assigned Read access to a specific file, and a group that the user account is a member of has the Write permissions assigned, the user is allowed the Read and Write NTFS permission to that file.

File Permissions Override Folder Permissions
NTFS file permissions override or take priority over NTFS folder permissions. A user account having access to a file can access that file even though it does not have access to the parent folder of that file. However, a user would not be able to do so via the folder, because that requires this "List Folders Contents" permission. When the user makes the attempt to access the file, he or she must supply the full path to it. The full path can either be the logical file path (F:\MyFolder\MyFile.txt) or use the Universal Naming Convention (UNC). To access the file via UNC the user must supply the server name, share, directory, and file, for example:

 

\\MYSERVER\Win2kShare\MyFolder\MyFile.txt 

If the user has access to the file but does not have an NTFS folder permission to browse for that file, the file will be invisible to the user and he or she must supply the full path to access it.

Deny Overrides All Other Permissions
The concept of permission denial has not changed through the evolution of the Microsoft Windows operating systems and NTFS. If a user is denied an NTFS permission for a file, any other instance where that permission has been allowed will be negated. Microsoft does not, nor do I, recommend using permission denial to control access to a resource for one main reason. For instance, if a user has access to a file or folder as being a member of a group, denying permission to that user stops all other permissions that the user might have to the file or folder. This can be very hard to troubleshoot on a large network with thousands of users and groups.

This is another example of how multiple NTFS file and folder permissions are cumulative and what happens to the user's effective permissions. For an example of Deny overriding all other NTFS permissions look at Figure 1.

In Figure 1, User A is a member of Group 1 and Group 2, where he is granted access to Folder A. Group 1 allows access to Folder A and both of the files within that folder. Group 2, on the other hand, denies access to a specific file, File 1. When a user account is denied access to a file or folder, all other permissions granting that user access to that file or folder are negated. Figure 1 shows that User A's combined access to File 1 is no access at all.

Understanding Inherited NTFS Permission
By default, when NTFS permissions are assigned to a parent folder, all of the same permissions are applied or propagated to the subfolders and files of that parent folder. Alternatively, the automatic propagation of these permissions can be stopped. An example of NTFS permission inheritance is shown in Figure 2.

Subfolders and files inherit NTFS permissions from their parent folder. As the windows 2008 administrator you assign NTFS permissions to a folder. All current subfolders and files with that folder inherit those same permissions. In addition, any new files or subfolders created within that parent folder assume the same NTFS permission of that parent folder.

You can prevent NTFS permission inheritance, so that any file and subfolders in a parent folder will not assume the same NTFS permissions of their parent folder. Now here is the tricky part. The directory or folder level in which you decide to prevent the default NTFS permission inheritance becomes the new parent folder for NTFS permission inheritance.


USING NTFS PERMISSIONS

This discussion is about using NTFS permissions. The topics include planning and working with NTFS permissions. The discussion topic will give guidelines to use when planning NTFS permission on a windows 2008 network and will explain the step-by-step process for assigning such permission.

Planning NTFS Permissions
A windows 2008 network should be well thought out and planned for. The first thing that comes to mind is the Active Directory and windows 2008 domain infrastructure. This is very important, but a plan for NTFS permissions should also be thought out way in advance before a windows 2008 network is implemented.

Having a plan for NTFS permissions on your windows 2008 network will save time and money for your organization. You will also find that a network with well-planned NTFS permissions is that much easier to manage. Use the following guidelines to help you plan NTFS permissions on your windows 2008 network. Notice that some steps are not directly related to NTFS permissions themselves, but they help organize the data on your network. This makes it easier for you to manage the resources on your windows 2008 network and make sure those resources are secure.

 

  1. The data on your windows 2008 network needs to be organized into manageable units. Separate the users' home directories from applications and public data. Try to keep data in centralized units. For instance, group all of the home directories into one folder and place them on an NTFS volume away from other data. By doing this you gain benefits such as not having to assign NTFS permissions to files, but only to the grouped folders. In addition, backup strategies become less complex. Now application files are grouped separately and do not have to be backed up with the home directories. Organizing your data can make many things easier to manage, including assigning NTFS permissions.

     
  2. Assign user only the level of access that is required. If a user needs only to read a file, grant only the Read permission to the resource that they require access to. This precludes the possibility of a user damaging a file, such as modifying an important document or even deleting it.

     
  3. When a group of users require the same access to a resource, create a group for those users and make each a member of that new group. Assign the NTFS permissions required to that resource to the newly created group. If at all possible avoid assigning NTFS permissions to users and only assign them to groups.

     
  4. When assigning permissions to folders with working data, use the Read & Execute NTFS folder permission. This should be assigned to a group containing the users that need to access this folder and to the Administrators group. This will allow the users to work with the data, but will also prevent them from deleting any important files in the folder.

     
  5. When assigning NTFS permissions to a public data folder, use the following criteria as a guideline. Assign the Read & Execute and Write NTFS permissions to the group containing the users that need access to the public data folder. The Creator Owner of the folder should be assigned the Full Control NTFS permission. Any user on the network that creates a file, including one in a public data folder, is by default the Creator Owner of that file. After that file has been created, the windows 2008 administrator can grant NTFS permissions to other users for file ownership. If the Read & Execute and the Write NTFS permissions are assigned to group of users that need access to the public data folder, they have Full Control to all files that they create in the public data folder and can modify and execute files created by other users.

     
  6. If at all possible do not deny NTFS permission to a group or user. This is not a recommended way to manage resources on a windows 2008 network, because only NTFS permissions assigned for that resource elsewhere for the user or group are automatically stopped. This can cause a great deal of time and frustration in troubleshooting permission problems.

     
  7. User education is always a good idea. If users have a basic understanding of the NTFS permissions and how to secure resources on a network, they can assign and manage their own files. Unfortunately user education does take a bit of time and money, but if done successfully it will pay off in the end.

This is it for the NTFS permission guidelines. When planning how to organize your data on a windows 2008 network, remember to consider NTFS permissions and how they will be affected. Every business and organization is different, but if most of these simple guidelines can be followed, managing your resources in a secure environment will be that much easier. And remember that Total Cost of Ownership is the name of the game.

Working NTFS Permissions
After a newly created volume is formatted with the NTFS 5.0 file system in windows 2008, by default the Full Control NTFS permission is granted to the Everyone group. This, of course, should be changed as soon as possible. The reason is that allowing Everyone full control means just that, everyone. That includes guests, if the Guest account is enabled, and even anonymous Internet users, if security settings on the firewall are such that they can access files on that server. By default, even though you are running NTFS, no security at all is applied. The approved NTFS permission plan should be implemented immediately. If an NTFS permission plan does not exist yet, at lease change the access for the Everyone group from Full Control to Read. Then you can assign the appropriate NTFS permissions to users as they are needed.

Now let's look into working with NFTS permissions and how to assign them. Let's start by looking at Figure 3.

 

  1. On your windows 2008 desktop, right-click My Computer.

     
  2. Click Explore. This will start the Windows Explorer.

     
  3. Click the plus sign to the left of an NTFS volume that you would like to view.

     
  4. Find a folder and right-click on that folder.

     
  5. Click the Properties option on the list.

     
  6. Now use Alt-Tab to switch to the Securities tab, or select it by clicking on it.
NOTE: When viewing the Securities tab from the Properties dialog box of a file, the List Folder Contents NTFS permissions is not listed in the Permissions list box.


Now that we are all on the same page, let's look at the options available to us on the security tab. Table 3 lists the options available on the Securities tab and describes briefly what they are used for.

 

TABLE 3: SECURITIES TAB OPTIONS
Options Descriptions
Name   The name list box displays a list of the users that currently have access to the selected resource. You can highlight an object in the list and either change that objects' current NTFS permission or select remove to Remove it from the list.
Permissions In the Permissions list box is a list of all the NTFS permissions. To allow or deny a NTFS permission to the object selected in the Name list box click the appropriate check box.
Add    By clicking the Add command button, the Select Users, Computers, or Groups dialog box opens. This is where you can select what objects to add to the Names list box.
Remove You can remove objects in the Names list box by selecting an object and then clicking Remove.


For the purposes of this discussion we are going to skip the Advanced command button and what it does. That will be covered when we discuss the next topic, Using Special Access Permissions. The only other option on the Securities tab check box to allow inheritable permissions from parent to propagate to this object. By default when a folder is created on a NTFS volume this option is set. To turn it off, open the Securities tab and clear the check box. Figure 4 displays the message box that is displayed.


USING SPECIAL ACCESS PERMISSIONS

NTFS file and folder permissions for the most part are a sufficient way to secure your resources on a windows 2008 network. Where they do not provide the level of granularity required, you can use Special Access Permissions can be used.

 

Defining Special Access Permissions
There are fourteen Special Access Permissions, and they provide the finite level of to resources on a windows 2008 network that some administrators require. I will use three tables to explain the Special Access Permissions and how they relate to NTFS file and folder permissions. Table 4 lists the Special Access Permissions and provides a description of the kind of access they allow or deny.

 
TABLE 4: SPECIAL ACCESS PERMISSIONS
Permission   Description
Traverse Folder/Execute File   This allows or denies a user to browse through a folder's subfolders and files where he would otherwise not have access. In addition, it allows or denies the user the ability to run programs within that folder.
List Folder/Read Data     This allows or denies the user to view subfolders and fill names in the parent folder. In addition, it allows or denies the user to view the data within the files in the parent folder or subfolders of that parent.
Read Attributes    This allows or denies a user to view the standard NTFS attributes of a file or folder.
Read Extended Attributes This allows or denies the user to view the extended attributes of a file or folder, which can vary due to the fact that they are defined by the programs themselves.
Create Files/Write Data This allows or denies the user the right to create new files in the parent folder. In addition, it allows or denies the user to modify or overwrite existing data in a file.
Create Folders/Append Data This allows or denies the user to create new folders in the parent folder. In addition, it allows or denies the user the right to add data to the end of files. This does not include making changes to any existing data within a file.
Write Attributes   This allows or denies the ability to change the attributes of a files or folder, such as Read-Only and Hidden.
Write Extended Attributes This allows or denies a user the ability to change the extended attributes of a file or folder. These attributes are defined by programs and may vary.
Delete Subfolders and Files     This allows or denies the deleting of files and subfolder within the parent folder. It also true that if this permission is assigned files and subfolders can be deleted even if the Delete special access permission has not been granted.
Delete This allows or denies the deleting of files and folders. If the user does not have this permission assigned but does have the Delete Subfolders and Files permission, she can still delete.
Read Permissions   This allows or denies the user the ability to read the standard NTFS permissions of a file or folder.
Change Permissions This allows or denies the user the ability to change the standard NTFS permissions of a files or folder.
Take Ownership This allows or denies a user the ability to take ownership of a file or folder. The owner of a file or folder can change the permissions on the files and folders she owns, regardless of any other permission that might be in place.
Synchronize This allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies to only multithreaded, multiprocessing programs.


 

NOTE: Some of the Special Access Permissions have two parts, as shown in Table 4. The first applies to folders and the second only to files. Remember this when referring to these tables.


Now let's look at how these new special access permissions are related to the standard NTFS file permissions. Table 5 displays a cross-reference chart of NTFS file permissions and special access permissions. You will see that the each of the standard NTFS file permissions is actually a group made up of special access permissions. Notice also how the Write NTFS permission is made up of six special access permissions. The Write NTFS permission is actually made up of the Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Read Permissions, and Synchronize special access permissions.

You will find that having these reference tables will be very helpful when deciding which special access permissions to use in your organization.

Table 6 displays the same list of special access permissions but shows how they interrelate to the NTFS folder permissions.

Change Permissions
Two of the special access permissions are particularly useful in application. We discuss here the first one, the Change Permissions special access permission.

When using special access permissions it is no longer necessary to assign a user or windows 2008 administrator the Full Control NTFS permission so that they have the allowed right to change permissions. Using the Change Permissions special access permission a user or windows 2008 administrator can change permissions to a file or folder. However, they do not have access to delete any files or subfolders. That way the user or windows 2008 administrator can control the access to the data but not delete any of the data itself.

Take Ownership
The second particularly useful special access permission is Take Ownership.

All files and folders on a nNTFS volume have an owner. By default, the owner is the person installing the volume and formatting it with the NTFS file system. This is usually a windows 2008 Administrator. File and folder ownership can be transfer to another user or group. You can grant a user account or a user group the ability to take ownership of a file or folder. As an administrator, you have the ability to take control of any files or folders on the NTFS volume.

Two hard-and-fast rules apply here. Remember these when thinking about granting someone the ability to take ownership of a file or folder.

 

  1. The owner of a file or folder or any user with the Full Control NTFS permission to a file or folder can assign the Full Control standard NTFS permission or the Take Ownership special access permission, which allows taking control of that file or folder. For instance, if User A has the Full Control standard NTFS permission to D:\Apps and assigns the Take Ownership special access permission to User A, User A can now take ownership of any files or folders in D:\Apps.

     
  2. A windows 2008 administrator can take ownership of a file or folder at any time. This is one of the inherited rights that administrators have. Administrators can then assign the Take Ownership special access permission to another user or group, so that they can take control of the files and folders in a parent folder. For instance, if User A leaves the organization for another position, a windows 2008 administrator can assign the Take Ownership special access permission to the former employee's manager for the former employee's files and folders. The manager can then take ownership of those files and folders.
NOTE: The Take Ownership special access permission can be assigned to a user account or group. The receiving user account or group can then take ownership of the respected resources. You cannot, however, give ownership of a file or folder to a user account or group.


Using Special Access Permissions
Special access permissions provide a more finite level of security than the standard NTFS permissions. I suggest learning how to use them in you own environment. This subtopic will give you a quick glance at how to assign special access permissions to an NTFS volume.

To set special access permissions to a folder take the following steps:

 

  1. On your windows 2008 desktop, right-click My Computer.

     
  2. Click Explore. This will start the Windows Explorer.

     
  3. Click the plus sign to the left of an NTFS volume that you would like to view.

     
  4. Find a folder and right-click on that folder.

     
  5. Click the Properties option on the list.

     
  6. Use Alt-Tab to switch to the Securities tab, or select it by clicking on it.

     
  7. Now click Advanced to view the Access Control properties dialog box, as shown in Figure 5.

     
  8. Now click on Add.

     
  9. This opens up the Select User, Compute, or Group dialog box as shown in Figure 6.

     
  10. After you select the object that you would like to add the special access permissions to, click OK.

     
  11. This displays the Permission Entry dialog box, as shown in Figure 7.

Now we see that all of the special access permissions are listed in the permissions list box. This is where all special access permission are assigned and denied. Let's discuss the options for a moment. Table 7 lists the options and their descriptions.

 

TABLE 7: OPTION IN THE PERMISSIONS ENTRY DIALOG BOX
Permission   Description
Name   This is the user use account or group name that will be affected by the special access permissions. Clicking on the Change command button can change the user account or group affected.
Apply onto   This dropdown list box lists the level of the folder hierarchy at which the special access permissions being assigned will be applied.
Permissions This is a list of all the special access permissions. To allow a special access permission click the check box in the Allow column to the right of the permission. In addition, to deny a special access permission click the check box in the Deny column to the right of the special access permission.
Apply these permissions to objects and/or containers within this container only    This allows or denies permission inheritance for the parent folder. To allow permission inheritance for the special access permissions being assigned select this check box, otherwise clear the check box.
Clear All    This clears all of the check boxes in the Allow and Deny columns in the permissions list box.


Taking Ownership of Secure Resources
A windows 2008 administrator working with NTFS file and folder permissions should know how to take ownership of a resource. This doesn't mean walking down to the local parts shop and picking up a new hard disk. I am talking about using the Take Ownership special access permission.

To take control of a file or folder the user or group member must have the Take Ownership permission assigned to them for that file or folder. Then they must explicitly take ownership of that file or folder. The following is a list of the steps that you would take:

 

  1. On your windows 2008 desktop, right-click My Computer.

     
  2. Click Explore. This will start the Windows Explorer.

     
  3. Click the plus sign to the left of an NTFS volume that you would like to view.

     
  4. Find a folder and right-click on that folder.

     
  5. Click the Properties option on the list.

     
  6. Use <Alt><Tab> to switch to the Securities tab, or select it by clicking on it.

     
  7. Click Advanced to view the Access Control Settings dialog box.

     
  8. In the Access Control Settings dialog box use <Alt><Tab> to switch to the Owner tab or select it by clicking on it.

     
  9. Select your name in the Change owner to list box. This specifies that you are going to take ownership of the resource.

     
  10. Check the Replace owners on sub containers and objects check box, and click Ok.

That is all for special access permissions and how they relate to the standard NTFS permissions. Now you can assign NTFS permissions with ease on your windows 2008 network, confident that you have the knowledge to do so.


COPYING AND MOVING DATA

Copying and moving data is something that every administrator does, usually on a pretty frequent basis. When copying files and folders with NTFS permissions assigned to them you need to folder certain guidelines. The NTFS permissions sometimes change as the file and folders are moved or copied. It is important to know these guidelines before you start shuffling data around your windows 2008 network. This discussion outlines these rules and explains what happens to the NTFS permissions when files and folders are moved or copied.

Copying Files and Folders
When files and folders on a NTFS volume are copied to another volume, the permissions change. For instance, if you copy a file from one NTFS volume to another NTFS volume, the following things happen if the right criteria are met.

 

  • The receiving NTFS volume treats the file as a new file. Like any new file, it gains the permissions of the folder it is created in.
  • The user account used to copy the file must have the Write NTFS permission in the destination folder on the receiving volume.
  • The user account used to copy the file becomes the Creator Owner of that file.

This means that any permissions assigned to that file before it is copied are lost during the copy itself. If you want to keep those same permissions, they will have to be reassigned at the destination folder.

When files and folders are copied from an NTFS volume to a FAT partition, the permissions are lost. This happens because FAT partitions do not support NTFS permissions.

Moving Files and Folders
When files or folders are copied from an NTFS volume, the permissions change. Now when files or folders are moved from an NTFS volume, the permissions might or might not change. This depends entirely on where the destination folder lies. We can safely assume that when files or folders are moved to a FAT partition, the permissions are lost. That is correct, and for same reason that NTFS permissions are lost when copying files and folders from a NTFS volume to a FAT partition. There are in fact two other cases worth pointing out when moving files and folders from an NTFS volume: moving files and folders within a NTFS volume and moving files and folder to another separate NTFS volume.

When moving files and folders within a single NTFS volume, these rules are followed:

 

  1. The files and folders keep the original permissions assigned to them.

     
  2. The user account moving the files and folders must have the Write NTFS permission to the destination folder.

     
  3. The user account moving the file must have either the Modify standard NTFS permission or the Delete special access permission assigned. This is because during a file or folder move, the files and folders are deleted from the source directory after they have been copied to the destination folder.

     
  4. The user account used to move the files and folders becomes the Creator Owner of those files and folders.

When moving files and folders from one NTFS volume to a separate NTFS volume, these are the rules followed:

 

  1. The files and folders being moved inherit the permissions of the destination folder. For example, if you move a file from a folder that has Everyone with Read permission into a folder on another partition that has permissions only allowing Domain Admins Read access, the file will now carry the latter security settings.

     
  2. The user account moving the files and folders must have the Write NTFS permission to the destination folder, since a move is really a combination copy/delete.

     
  3. The user account moving the file must have either the Modify standard NTFS permission or the Delete special access permission assigned. This is because during a file or folder move, the files and folders are deleted from the source directory after they have been copied to the destination folder.

     
  4. The user account used to move the files and folders becomes the Creator Owner of those files and folders.


TROUBLESHOOTING PERMISSIONS PROBLEMS

The number one goal of a windows 2008 administrator should be making sure that resources are always available to the users. This includes many things, but I'm talking here about the secure data on the network. If users cannot access the data they need to do their job, production slows. Now your boss is breathing down you neck, asking why the users can't get to their data, and how long will it take for you to fix the NTFS permission problem. This discussion will lay down some rules on NTFS permission problems. The topics include avoiding NTFS permission problems and troubleshooting NTFS permission problems.

Avoiding NTFS Permission Problems
Avoiding permission problems involves following some basic guidelines. Below is a list of do's and don'ts when assigning NTFS permissions on a NTFS 5.0 file system. Use this list as a reference when assigning NTFS permissions on your windows 2008 network.

 

  • When assigning NTFS permissions, try to assign only enough access for a user or group of users to perform their job.
  • Try not to assign any NTFS permissions at the file level. This increases the complexity of managing the permissions. Assign the NTFS permissions at the folder level only. If several files require the same access, move them to a common folder and assign the permissions to that folder.
  • Application executables should have Read & Execute and Change assigned to the Administrators group. The Users group, on the other hand, should have only Read & Execute. This will prevent users or a virus from modifying the files. When an administrator wants to update the application executables, he or she can temporarily assign himself or herself Full Control to perform the task.
  • Assign Full Control to the Creator Owner of public folders and the Read and Write NTFS permissions to the Everyone group. This way users have full access to the files that they create, but the members of the Everyone group can only read and create files in the folder.
  • Try not to deny any NTFS permissions. If you have to do this to a user or group, document it well and state that this is a special case. Instead of denying access to a resource by denying NTFS permissions, don't assign the permissions to gain access.

Troubleshooting NTFS Permissions
This topic is designed to help you troubleshoot the most common NTFS permission problems. Table 8 lists the most common ones and solutions.

 

TABLE 8: COMMON NTFS PERMISSION PROBLEMS AND SOLUTIONS
Problem Solution
A user or group cannot access a file or folder. Check the permissions assigned to the user or group. Permissions may not be assigned for the selected resource, or permission could be denied. In addition, the permissions could have been changed if the file or folder has been copied or moved.
The administrator assigns access to a group for a selected file or folder, but the users of that group still cannot access the file or folder. Ask the user to log off and then log back on. When the user logs back on, his NTFS permission are updated to include the new group that they were added to. Another way to update a user's permissions is to ask them to disconnect the network drive on which the file or folder resides and then reconnect it. This forces the permissions to update on the reconnect of the network drive.
A user with Full Control to file has deleted some files in a folder, and you want to prevent them from doing it again.    Open the Permission Entry box for that folder and remove the Delete Subfolders and Files special access permission for that user.