Learn about the technologies behind the Internet with The TCP/IP Guide!|
NOTE: Using robot software to mass-download the site degrades the server and is prohibited. See here for more.
Find The PC Guide helpful? Please consider a donation to The PC Guide Tip Jar. Visa/MC/Paypal accepted.
|View over 750 of my fine art photos any time for free at DesktopScenes.com!|
Access control lists (ACLs) are used to manage which users and groups of users are allowed to access different files and folders (objects) within NTFS volumes. These ACLs contains entries that specify what rights each user or group has for the object in question. These access rights are called permissions.
When Windows NT was built, six different permission types were created for NTFS objects. The NT user interface was designed to allow these permissions to be associated with objects. Each permission type controls a different kind of access to an object, and each has an abbreviation letter. These permission types are sometimes called special permissions, to differentiate them from standard permission groups that are applied at a higher level.
In some cases, the meaning of a permission is the same for both files and directories (folders); in others, the meaning is different, depending on if the permission is applied to a folder or a file. This table shows the different NT permissions and how they apply to folders and files:
Note: There is also one
other fundamental permission type: Delete Subfolders and Files. This permission,
when applied to a parent folder, allows a user to delete files and subfolders within it,
even if they do not have delete permission on those files and subfolders. Under Windows NT
this permission type cannot be individually applied to folders. It is only available as
part of the "Full Control" standard permission group.
Until Windows 2000 was released, these six basic permissions were the lowest level that an NTFS user could access. When Windows 2000 was introduced, the six permission types above were "broken down" into 13 different permission components, to allow for more "fine-tuned" control over different kinds of access. While some people believe this "breaking down" was part of Windows 2000, in fact, these 13 components have always been present in NTFS! Under Windows NT, they were just hidden under the six permission types above. The table below lists the different permission components and shows how they correlate to the six Windows NT permission types:
A few notes about this table:
As you can see, Windows 2000 gives you much more "granularity" of control over individual permissions. The Read, Write and Execute permissions have been broken down into several components. Of course, it's pretty unusual for someone to really need control this fine over most objects. (For example, how often do you think you would want to give permission to someone to write data but not append data to a file? Not frequently.) In fact, even the six Windows NT "special permissions" are often more detail than is really necessary. For convenience, Windows provides several pre-defined standard permission groups to allow commonly-desired sets of permissions to be applied to files and folders quickly.
Tip: The finer permissions
granularity introduced with Windows 2000 are also available to Windows NT 4.0 users who
have installed Service Pack 4 or later, through the Security Configuration Manager (SCM).