Standard Permission Groups
Windows NT provides a set of six individual permissions for controlling access to files and folders. Windows 2000 refines these individual permissions even further, into a set of over a dozen different permission components. These NTFS permissions allow for fine control of the access rights of users and groups to NTFS objects, but in many cases they are "overkill". To force administrators to always deal with these fine-grained permissions would be a time-consuming chore.
To avoid the necessity of always setting low-level permissions, Windows defines standard permission groups. These are simply collections of the low-level permissions that are given names and can be applied to objects. When you use a permission group, all the components contained in the group are applied to the object automatically.
First, let's look at the standard permission groups for Windows NT:
Well, that table is probably a bit overwhelming at first glance, but it's not all that confusing if you consider it carefully. Under Windows NT, applying the permission group gives the users the permission types indicated by the checkmarks. Note that the checkmarks apply only to the object type specified. Of particular note, "Add & Read" grants the write permission to the folder, but not to the files contained within the folder. Also, the "No Access" group is a "trump card" of sorts; it will override other permission settings. See the discussions of permission settings and inheritance for more on how permission conflicts are addressed.
Under the more advanced Windows 2000 scheme, there are 13 different permission components, which are collected into six different standard groups, as the table below illustrates:
Notes: "List Folder Contents" and "Read and Execute" have the same permission components, which is a bit confusing. The differences between them have to do with how NTFS handles inheritance of these permissions. "List Folder Contents" is only used for folders and is not inherited by files within the folder. "Read and Execute" applies to folders and files and is inherited by both. Also, the oddball, 14th permission component, "Synchronize", is a member of all of the groups above.
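The inheritance difference described in the note above, as an added example that is not part of the original page: a simplified Python model in which both groups carry the same access mask and differ only in their ACE inheritance flags. The bit values are the Windows SDK access-mask and inheritance-flag constants; the function and variable names are hypothetical.

```python
# Added illustration: a simplified model of NTFS access-mask bits and ACE
# inheritance flags. Bit values are Windows SDK constants; names are hypothetical.

# Permission components shared by both groups (access-mask bits).
COMPONENTS = {
    "Traverse Folder/Execute File": 0x000020,
    "List Folder/Read Data":        0x000001,
    "Read Attributes":              0x000080,
    "Read Extended Attributes":     0x000008,
    "Read Permissions":             0x020000,
    "Synchronize":                  0x100000,
}
READ_EXECUTE_MASK = sum(COMPONENTS.values())   # 0x1200A9

# ACE inheritance flags: which kind of child object receives the entry.
OBJECT_INHERIT = 0x1      # files inside the folder
CONTAINER_INHERIT = 0x2   # subfolders

# Same mask, different inheritance: that is the whole difference.
STANDARD_GROUPS = {
    "Read and Execute":     (READ_EXECUTE_MASK, OBJECT_INHERIT | CONTAINER_INHERIT),
    "List Folder Contents": (READ_EXECUTE_MASK, CONTAINER_INHERIT),
}

def component_names(mask):
    """Expand an access mask into the component names it contains."""
    return sorted(name for name, bit in COMPONENTS.items() if mask & bit)

def inherited_mask(group, child_is_folder):
    """Mask a direct child receives from a folder ACE set with this group."""
    mask, flags = STANDARD_GROUPS[group]
    needed = CONTAINER_INHERIT if child_is_folder else OBJECT_INHERIT
    return mask if flags & needed else 0

def inheritance_report():
    """Rows of (group, child kind, inherited mask as hex, component names)."""
    rows = []
    for group in STANDARD_GROUPS:
        for kind, is_folder in (("subfolder", True), ("file", False)):
            mask = inherited_mask(group, is_folder)
            rows.append((group, kind, hex(mask), component_names(mask)))
    return rows

if __name__ == "__main__":
    for group, kind, mask, names in inheritance_report():
        print(f"{group:22} -> {kind:9} {mask:>8}  {', '.join(names) or '(nothing inherited)'}")
```

When auditing a folder ACL, an entry with this mask and only the container-inherit flag gives users a directory listing of subfolders without granting read or execute on the files inside them.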
You may notice, in looking at this table, that the "No Access" group is missing under the Windows 2000 scheme. In Windows NT, all permission groups except "No Access" provide "positive access"--saying, in effect, "you are allowed" to do something. "No Access" is the only one that says "you are not allowed" to do something. Unfortunately, it is very broad; it really says "you cannot do anything". This inflexibility was corrected under Windows 2000 by giving users the ability to allow or disallow any permission group or individual permission. Under this setup, "No Access" simply isn't required. See the discussion of permission assignment for more information on this.