UEU-co logo


Previous Page Next Page

Assigning NTFS Permissions

NTFS permissions can be assigned to shares via the Share and Storage Management snap-in. When assigning NTFS permissions to a file, you need to use the Computer folder to access the file’s Properties dialog box. Let’s look at assigning NTFS folder permissions and then setting NTFS file permissions.

By the Way

Volumes can also be assigned NTFS permissions. This means that volume’s NTFS permissions can be propagated to the folders and the files on that volume (there is an advanced setting to set the inheritance for the permissions).

Assigning and Viewing NTFS Folder Permissions

You can assign NTFS permissions to folders on NTFS volumes. Files in the folder inherit their NTFS permissions from the folder. Because folders are synonymous (in most cases) with shares on the network (there would be little reason to add permissions to a folder that was not shared), the best tool for quickly accessing a folder’s NTFS permissions (meaning a share’s permissions) is the Share and Storage Management snap-in. To view and edit the NTFS permissions for a folder share, follow these steps:

1. Open the Share and Storage Management snap-in in the MMC (Start, Administrative Tools, Share and Storage Management) or expand the File Services node in the Server Manager to access the Share and Storage Management node. Shares (folders and volumes shared) are listed in the Details pane of the snap-in (see Figure 13.6).

Figure 13.6. Share NTFS permissions can be accessed in the Share and Storage Management snap-in.

[View full size image]

2. Right-click a share in the Details pane and then select Properties. The Properties dialog box for the share opens.

3. Click the Permissions tab on the Properties dialog box and then click the NTFS Permissions button. The Permissions dialog box opens, showing the NTFS permissions for the share (see Figure 13.7).

Figure 13.7. NTFS permissions are assigned in the share’s Permissions dialog box.

3. To add a group or user (or groups and users) to the Group or Usernames list, click the Add button. The Select Users, Computers, or Groups dialog box opens (see Figure 13.8).

Figure 13.8. Add users or groups to the Permissions dialog box, using the Select Users, Computers, or Groups dialog box.

4. Use the Location box to specify the local computer or domain that you want to access for the group or user to be added to the list.

5. Enter the group name or username (multiple entries can be made by separating each entry with a semicolon) in the Enter the Object Names to Select box.

6. To check the validity of your entries, click the Check Names button.

7. After the names have been checked, click OK. You are returned to the Security tab.

8. Select a group or user that you have added to the list, and set the permissions for the folder by using the Allow (or Deny) check boxes for the NTFS folder permissions listed. By default, the group or user that you add to the list is given the Read and Execute, List Folder Contents, and Read permissions. Set the permissions for each group or user that you added to the list.

Remember that assigning NTFS permissions to a folder secures the folder both locally and as a share on the network. Make sure that you give local users the appropriate access to the folder if you are using NTFS permissions.

Negating NTFS Permission Inheritance

In some cases, you may not want a subfolder or file to inherit the NTFS permissions that have been set for the parent folder (or volume). On the Security tab of a file’s (or folder’s) Properties dialog box (look back at Figure 13.7), click the Advanced button. The Advanced Security Settings dialog box for the file or subfolder opens.

Select the Permissions tab of the dialog box. This tab shows the current permissions for the file or folder by user and group. To edit the permissions and to have access to the inheritable permissions option, click Edit. A second Permissions tab opens (it’s the same as the Permissions tab on the Advanced Security Settings dialog box) with the settings active and available for editing (see Figure 13.9).

Figure 13.9. You can enable or disable permission inheritance.

[View full size image]

By default, inheritable permissions for the file or folder are included, meaning permissions propagate from the parent down to the actual file or folder. To turn off propagation of permissions from parent containers to the current object, click the Include Inheritable Permissions from This Object’s Parent check box to clear it. The file or subfolder now no longer inherits permissions that have been set for a parent container.

Viewing Effective Permissions

Because NTFS permissions to an object by a user are affected by the user’s group memberships, it can become confusing when you are trying to sort out what actual permissions a user has in relation to a particular network resource such as a share or a specific file in a share.

It really does make sense to base permission levels for users on group memberships and so when you set up the various user groups in the Active Directory Domain Services, you should keep in mind that the group is going to be a security container and membership in a group will affect the access that the group’s users have to network resources.

You can view the effective permissions for a file or folder. The effective permissions are the permissions that are afforded a user or group based entirely on group membership (remember that groups can be nested inside other groups in the Active Directory). You access the effective permissions for a user or group via the Advanced Security Settings dialog box.

By the Way

The fact that permissions to network resources are so tightly connected to group membership in the Active Directory means that you need to think carefully through the creation of your various groups and the needs of the users who will be in those groups before you begin to assign permissions. Having your group structure well defined before deploying your file servers and the associated permissions for the resources provided by the file servers makes your file access troubleshooting chores a lot less nightmarish in the future. Check out Hour 9, “Creating Active Directory Groups, Organizational Units, and Sites,” for more about groups and other ways to organize objects in the Active Directory tree.

Click the Effective Permissions dialog box on the Advanced Security Settings dialog box. To specify a particular user or group, click the Select button and the Select User, Computer, Group dialog box opens.

Type the name of the user or group (or enough of the user or group name to use the Check Names button) and then click OK to return to the Effective Permissions tab of the Advanced Security Settings dialog box. The effective permissions for the user or group are displayed (see Figure 13.10).

Figure 13.10. View the effective permissions for a user or group.

[View full size image]

Viewing effective permissions can help you sort out the bottom-line access that a user or group has to a particular shared file or folder. This information can be very useful when fine-tuning resource access on the network.

Previous Page Next Page

Leave a Reply

Time limit is exhausted. Please reload the CAPTCHA.


apply_now Pepperstone Group Limited