Sams Teach Yourself MCSE Windows NT Server 4 in 14 Days
(Publisher: Macmillan Computer Publishing)
Author(s): David Schaer, et al
ISBN: 0672311283
Publication Date: 12/15/97



5.4.1. NTFS File Permissions

The default permissions on NTFS files are Everyone, Full Control. This means that by default the NTFS security is set to be most permissive. Figure 5.2 shows the default permissions assigned to NTFSfile.txt.txt.


Figure 5.2.  The default permissions assigned to NTFSfile.txt.txt.

The right of Full Control encompasses all six file access rights. The six rights can also be assigned individually by selecting Special Access as shown in Figure 5.3.


Figure 5.3.  Assigning Special Access file rights.

Each of the six rights displayed in Figure 5.3 provides the user or group with a different capability. A user or group can be assigned all, none, or any combination of the rights.

Read (R): Grants the right to view the contents of a file.
Write (W): Grants the right to change the contents of a file.
Execute (X): Grants the right to launch an executable file.
Delete (D): Grants the right to delete the entire file.
Change Permissions (P): Grants the right to modify the access control entries in the file’s ACL.
Take Ownership (O): Grants the right to assign oneself as the owner of the file. The owner has the right to change permissions. The Administrators group has the global right to take ownership regardless of assignments.

In order to simplify administration, predefined groupings of file rights can be assigned. As shown in Figure 5.4, granting Read access from the File Permissions screen also assigns the right to Execute. Granting Change access permits Read, Write, Execute, and Delete access.


Figure 5.4.  Granting Read access also grants Execute access.

NTFS security supports the No Access right. When No Access is assigned, it supersedes all other rights. Even if users have been granted rights individually or through group membership, those rights are fully revoked if the users, or a group of which they are members, have been assigned No Access.

Figure 5.5 demonstrates how an administrator can assign Full Control to Everyone but still restrict guests of the KNOWLEDGE domain from having access to the file NTFSfile.txt.txt.


Figure 5.5.  Members of KNOWLEDGE/GUESTS will be explicitly denied access to the file NTFSfile.txt.txt.

Granting the No Access right for a file to Everyone will prevent all users from accessing the file. This will preclude even the administrators from accessing the file.
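
The evaluation rules described above (predefined groupings, accumulation of rights, and No Access overriding everything) can be modelled in a few lines. This is an added example, not code from the book; the function names, the trustee names other than Everyone and Administrators, and the sample ACLs are constructed for illustration.

```python
# Simplified model of the file-permission rules in this section (added example).
# It does not call any Windows API or read real ACLs.
ALL_RIGHTS = frozenset("RWXDPO")   # the six individual file rights
STANDARD = {                       # predefined groupings named in the text
    "Read": frozenset("RX"),
    "Change": frozenset("RWXD"),
    "Full Control": ALL_RIGHTS,
}
NO_ACCESS = "No Access"


def expand(permission):
    """Turn a standard name or a Special Access string such as 'RW' into a set."""
    if permission in STANDARD:
        return STANDARD[permission]
    rights = frozenset(permission.upper())
    if not rights <= ALL_RIGHTS:
        raise ValueError(f"unknown right(s) in {permission!r}")
    return rights


def effective_rights(acl, user, groups):
    """Combine every entry that names the user, Everyone, or one of the user's groups.

    acl is a list of (trustee, permission) pairs. Rights accumulate across
    matching entries, but one matching No Access entry revokes them all.
    """
    trustees = {user, "Everyone", *groups}
    granted = set()
    for trustee, permission in acl:
        if trustee not in trustees:
            continue
        if permission == NO_ACCESS:
            return frozenset()     # No Access supersedes every grant
        granted |= expand(permission)
    return frozenset(granted)


def can_take_ownership(acl, user, groups):
    """Administrators may take ownership regardless of the ACL assignments."""
    return "Administrators" in groups or "O" in effective_rights(acl, user, groups)


# Constructed ACLs: Figure 5.5, and the Everyone / No Access lockout.
FIG_5_5 = [("Everyone", "Full Control"), ("KNOWLEDGE\\Guests", NO_ACCESS)]
LOCKED_OUT = [("Everyone", NO_ACCESS), ("Administrators", "Full Control")]
```

With `LOCKED_OUT`, an administrator has no effective rights on the file but can still take ownership, and the owner has the right to change permissions.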

As an alternative to using the GUI to assign file permissions, you can use the command-line utility cacls either to display the access control list (ACL) for a particular file or to change it. You can specify more than one file or user in the command, which makes it a useful tool in login scripts.

5.4.2. NTFS Directory Permissions

When an NTFS volume is created, the root directory is given an ACL that gives Everyone Full Control. When a new subdirectory is created, it receives, or inherits, a copy of the ACL from the parent directory. If the default permission of Full Control has not been changed, the new subdirectory receives all of the rights shown in Figure 5.6. Although the names of the permissions are the same as those granted to files, the function of each is different.


Figure 5.6.  The folder rights encompassed by Full Control.

The options available when granting Special Directory Access are:

Read (R): Grants only the right to view the name of the directory and the names of files within the directory. It does not grant the ability to read contents of files within the directory.
Write (W): Grants the right to add files to the directory. It does not grant the ability to write to the files within the directory.
Execute (X): Grants only the right to maneuver through the directory to subdirectories below. If you have rights to a subdirectory but not to a directory in its path, you will not be able to switch to the subdirectory without typing its entire path.
Delete (D): Grants the right to delete the directory itself. This right will not be permitted if you do not have the right to delete the files within the directory.
Change Permissions (P): Grants the right to modify the access control entries in the directory’s ACL.
Take Ownership (O): Grants the right to make oneself the owner of the directory.

You can individually select the directory rights by selecting Special Directory Access or by selecting any of the predefined groups of rights under the Security tab of the directory’s properties. Setting Special File Access modifies the default access control list generated for files copied into or created in the directory. In Figure 5.7 the directory NTFSdirx is marked as Full Control on the directory and RX as the default file ACL. Notice how the rights are now reflected as Everyone, Special Access (ALL)(RX). The (ALL) represents the right of Full Control on the directory, and the (RX) represents the default file ACL settings.


Figure 5.7.  The default ACL for files created in or copied to NTFSdirx will now reflect Everyone, (RX).
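
The two-part display and the inheritance behaviour described in this section, as an added example that is not part of the book: it parses the `(ALL)(RX)` notation from Figure 5.7 and derives the ACL a new subdirectory or a new file would receive. The function names and the dictionary representation of an ACL are assumptions made for illustration.

```python
import re

ALL = frozenset("RWXDPO")


def _rights(token):
    """'ALL' means every right; otherwise each letter is one right."""
    rights = ALL if token.upper() == "ALL" else frozenset(token.upper())
    if not rights <= ALL:
        raise ValueError(f"unknown right(s): {token!r}")
    return rights


def parse_directory_ace(display):
    """Split '(ALL)(RX)' into (rights on the directory, default file rights)."""
    tokens = re.findall(r"\(([A-Za-z]+)\)", display)
    if len(tokens) != 2:
        raise ValueError(f"expected two parenthesised groups: {display!r}")
    return _rights(tokens[0]), _rights(tokens[1])


def acl_for_new_child(parent_acl, child_is_directory):
    """Derive the ACL a newly created child receives from its parent directory.

    parent_acl maps trustee -> (directory rights, default file rights).
    A subdirectory copies the pair unchanged; a file keeps only the second half.
    """
    if child_is_directory:
        return dict(parent_acl)
    return {trustee: file_rights for trustee, (_, file_rights) in parent_acl.items()}


def show(rights):
    """Render a rights set in the page's display order, e.g. '(RX)'."""
    if rights == ALL:
        return "(ALL)"
    return "(" + "".join(c for c in "RWXDPO" if c in rights) + ")"


# Constructed ACL matching Figure 5.7: Everyone, Special Access (ALL)(RX).
NTFSDIRX = {"Everyone": parse_directory_ace("(ALL)(RX)")}
```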



Use of this site is subject to certain Terms & Conditions, Copyright © 1996-2000 EarthWeb Inc.
All rights reserved. Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.