
Standard Permission Groups

Windows NT provides a set of six individual permissions for controlling access to files and folders. Windows 2000 refines these individual permissions even further, into a set of over a dozen different permission components. These NTFS permissions allow for fine control of the access rights of users and groups to NTFS objects, but in many cases they are "overkill". To force administrators to always deal with these fine-grained permissions would be a time-consuming chore.

To avoid the necessity of always setting low-level permissions, Windows defines standard permission groups. These are simply collections of the low-level permissions that are given names and can be applied to objects. When you use a permission group, all the components contained in the group are applied to the object automatically.

First, let's look at the standard permission groups for Windows NT:

Permission Types Granted (Applies Only To Appropriate Object Types): Read (R), Write (W), Execute (X), Delete (D), Change Permissions (P), Take Ownership (O)

| Standard Permission Group | Object Types Affected | R | W | X | D | P | O | Description |
|---|---|---|---|---|---|---|---|---|
| No Access | Folders or Files | | | | | | | Denies all access to the file or folder. The user can see the name of the object, but cannot do anything with it. |
| List | Folders Only | Yes | | Yes | | | | Users can see the list of files in the folder and traverse subfolders, but cannot view or execute files. |
| Read | Folders or Files | Yes | | Yes | | | | Users can read files and folders, execute files and traverse folders, but cannot change anything. |
| Add | Folders Only | | Yes | Yes | | | | Users can add files or subfolders to the folder, and can traverse subfolders, but cannot read or execute files. |
| Add & Read | Folders Only | Yes | Yes | Yes | | | | Users can add files or subfolders to the folder, and can read and execute files in the folder as well. |
| Change | Folders or Files | Yes | Yes | Yes | Yes | | | The user can read, write, execute or delete the file, or if applied to a folder, the files and subfolders within the folder. Note that this does not grant access to delete the folder itself. The user also cannot change permissions on the file or folder, or take ownership of it. |
| Full Control | Folders or Files | Yes | Yes | Yes | Yes | Yes | Yes | All permissions are granted. This also includes the special permission "Delete Subfolders and Files", which can only be given through the "Full Control" group under Windows NT. |

Well, that table is probably a bit overwhelming at first glance, but it's not all that confusing if you consider it carefully. Under Windows NT, applying the permission group gives the users the permission types indicated by the checkmarks. Note that the checkmarks apply only to the object type specified. Of particular note, "Add & Read" grants the write permission to the folder, but not to the files contained within the folder. Also, the "No Access" group is a "trump card" of sorts; it will override other permission settings. See the discussions of permission settings and inheritance for more on how permission conflicts are addressed.

Under the more advanced Windows 2000 scheme, there are 13 different permission components, which are collected into six different standard groups, as the table below illustrates:

Permission Components and Standard Permission Groups (Windows 2000 and Windows NT 4.0 SCM)

| Permission Component | Read | Write | List Folder Contents | Read and Execute | Modify | Full Control |
|---|---|---|---|---|---|---|
| Traverse Folder / Execute File | | | Yes | Yes | Yes | Yes |
| List Folder / Read Data | Yes | | Yes | Yes | Yes | Yes |
| Read Attributes | Yes | | Yes | Yes | Yes | Yes |
| Read Extended Attributes | Yes | | Yes | Yes | Yes | Yes |
| Create Files / Write Data | | Yes | | | Yes | Yes |
| Create Folders / Append Data | | Yes | | | Yes | Yes |
| Write Attributes | | Yes | | | Yes | Yes |
| Write Extended Attributes | | Yes | | | Yes | Yes |
| Delete Subfolders and Files | | | | | | Yes |
| Delete | | | | | Yes | Yes |
| Read Permissions | Yes | Yes | Yes | Yes | Yes | Yes |
| Change Permissions | | | | | | Yes |
| Take Ownership | | | | | | Yes |

Notes: "List Folder Contents" and "Read and Execute" have the same permission components, which is a bit confusing. The differences between them have to do with how NTFS handles inheritance of these permissions. "List Folder Contents" is only used for folders and is not inherited by files within the folder. "Read and Execute" applies to folders and files and is inherited by both. Also, the oddball, 14th permission component, "Synchronize", is a member of all of the groups above.

You may notice, in looking at this table, that the "No Access" group is missing under the Windows 2000 scheme. In Windows NT, all permission groups except "No Access" provide "positive access"--saying, in effect, "you are allowed" to do something. "No Access" is the only one that says "you are not allowed" to do something. Unfortunately, it is very broad; it really says "you cannot do anything". This inflexibility was corrected under Windows 2000 by giving users the ability to allow or disallow any permission group or individual permission. Under this setup, "No Access" simply isn't required. See the discussion of permission assignment for more information on this.
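The Windows 2000 table above, expressed as access-mask bits (an added example, not part of the original guide): it builds each standard group from its components, decodes a mask back into component names, and lists what a grant carries beyond "Modify". The hexadecimal bit values are the standard Windows access-right constants and do not appear on this page; the function names and the sample mask are constructed for illustration.

```python
# Permission components from the Windows 2000 table, mapped to access-mask bits.
# Assumption: bit values are the standard Windows access-right constants.
COMPONENTS = {
    "Traverse Folder / Execute File": 0x000020,
    "List Folder / Read Data":        0x000001,
    "Read Attributes":                0x000080,
    "Read Extended Attributes":       0x000008,
    "Create Files / Write Data":      0x000002,
    "Create Folders / Append Data":   0x000004,
    "Write Attributes":               0x000100,
    "Write Extended Attributes":      0x000010,
    "Delete Subfolders and Files":    0x000040,
    "Delete":                         0x010000,
    "Read Permissions":               0x020000,
    "Change Permissions":             0x040000,
    "Take Ownership":                 0x080000,
    "Synchronize":                    0x100000,
}

def mask_of(*names):
    """OR the named components together; Synchronize is in every group."""
    mask = COMPONENTS["Synchronize"]
    for name in names:
        mask |= COMPONENTS[name]
    return mask

READ = mask_of("List Folder / Read Data", "Read Attributes",
               "Read Extended Attributes", "Read Permissions")
WRITE = mask_of("Create Files / Write Data", "Create Folders / Append Data",
                "Write Attributes", "Write Extended Attributes", "Read Permissions")
# "List Folder Contents" has this same mask; it differs only in inheritance.
READ_EXECUTE = READ | COMPONENTS["Traverse Folder / Execute File"]
MODIFY = READ_EXECUTE | WRITE | COMPONENTS["Delete"]
FULL_CONTROL = sum(COMPONENTS.values())  # bits are distinct, so sum equals OR
GROUPS = {"Read": READ, "Write": WRITE, "Read and Execute": READ_EXECUTE,
          "Modify": MODIFY, "Full Control": FULL_CONTROL}

def decode(mask):
    """List the component names whose bits are set in mask."""
    return [name for name, bit in COMPONENTS.items() if mask & bit]

def classify(mask):
    """Name the standard group with exactly this mask, else 'Special'."""
    return next((g for g, m in GROUPS.items() if m == mask), "Special")

def beyond_modify(mask):
    """Components in mask that Modify does not grant (control over the object)."""
    return decode(mask & ~MODIFY)

SAMPLE = MODIFY | COMPONENTS["Change Permissions"]  # constructed sample mask
```

When auditing an ACL, a non-empty `beyond_modify` result on an entry that is not "Full Control" is a quick way to spot a grant that looks like "Modify" but also lets the holder rewrite the permissions or take ownership.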


The PC Guide (http://www.PCGuide.com)
Site Version: 2.2.0 - Version Date: April 17, 2001
Copyright 1997-2004 Charles M. Kozierok. All Rights Reserved.
