Active Directory By the Numbers: Windows Server 2003
NTFS Special Permissions Types
Far more complex (and flexible) than the simple network share permissions, NTFS file permissions allow us to control what group/user has access to shared files on our network. In addition, they also control access to these same files when a user is logged into the server locally (network share permissions affect only those files and folders shared over a network). NTFS permissions work only when your server's hard drives are formatted using the NTFS file system. There are 14 different NTFS special permissions:
- Traverse Folder/Execute File: This NTFS permission allows or denies a user or group the ability to browse through directories (when applied to folders) and allows or denies the ability to launch programs (when applied to files).
- List Folder/Read Data: This permission allows or denies a user or group the ability to list the contents of a folder and subfolder (when applied to folders) and allows or denies the ability to read data files (when applied to files).
- Read Attributes: Windows files have certain attributes attached to them, such as Read Only or Hidden (invisible). This permission allows or denies a user or group the ability to view these attributes.
- Read Extended Attributes: Many Windows applications add extra, or extended, file attributes to files or folders. This NTFS permission allows or denies a user or group the ability to view these attributes.
- Create Files/Write Data: This permission allows or denies a user or group the ability to create new files within folders (when applied to folders) and allows or denies the ability to write data to existing files, overwriting existing data (when applied to files).
- Create Folders/Append Data: As its name implies, this permission allows or denies a user or group the ability to create folders and subfolders (when applied to folders). It also allows or denies the ability to append data to existing files without altering existing content of those files (when applied to files).
- Write Attributes: A close cousin of the Read Attributes permission, Write Attributes allows or denies a user or group the ability to change the attributes of a file or folder (such as read only or invisible).
- Write Extended Attributes: A close cousin of the Read Extended Attributes permission, Write Extended Attributes allows or denies a user or group the ability to change the extended attributes of a file or folder (the extended attributes may vary, as they are defined by custom software applications).
- Delete: Delete allows or denies a user or group the ability to remove files or folders.
- Delete Subfolders and Files: This permission allows or denies a user or group the ability to remove all subfolders and files within a parent folder, even if they have not been granted the Delete NTFS permission. This permission applies only to folders, but still affects the files contained inside those folders.
- Read Permissions: This permission allows or denies a user or group the ability to view the NTFS file permissions on files and folders.
- Change Permissions: This permission allows or denies a user or group the ability to change NTFS file permissions on files and folders.
- Take Ownership: A powerful file permission, Take Ownership allows or denies a user the ability to take ownership of a file or folder. When a user takes ownership of an object, he or she has the ability to change permissions on it.
- Synchronize: This is a special NTFS permission dealing with multi-threaded/multi-process programs.
Now that's a bunch of information to take in all at once! Thankfully, you do not have to worry about each and every one of these permissions when assigning NTFS permissions to folders and files. Microsoft has grouped these permissions into six logical categories: Full Control, Modify, Read and Execute, List Folder Contents, Read, and Write. The diagrams on the following pages help us summarize where the 14 NTFS special permissions fit into these six categories.
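How the 14 special permissions and the standard groups relate at the bit level, as an added example that is not from the book: each special permission is one bit of an ACE's access mask, so a raw mask can be expanded into the names listed above and checked for rights such as Take Ownership. The trustee names, the `TRUSTED` set and the sample ACL are constructed assumptions.

```python
# Access-mask bit for each of the 14 special permissions (added example).
SPECIAL = {
    0x000001: "List Folder/Read Data",
    0x000002: "Create Files/Write Data",
    0x000004: "Create Folders/Append Data",
    0x000008: "Read Extended Attributes",
    0x000010: "Write Extended Attributes",
    0x000020: "Traverse Folder/Execute File",
    0x000040: "Delete Subfolders and Files",
    0x000080: "Read Attributes",
    0x000100: "Write Attributes",
    0x010000: "Delete",
    0x020000: "Read Permissions",
    0x040000: "Change Permissions",
    0x080000: "Take Ownership",
    0x100000: "Synchronize",
}
# Standard groups, values from the .NET FileSystemRights enum. List Folder
# Contents uses the Read and Execute bits but is inherited by folders only.
GROUPS = {"Full Control": 0x1F01FF, "Modify": 0x0301BF,
          "Read and Execute": 0x0200A9, "Read": 0x020089, "Write": 0x000116}
# Rights that let the holder rewrite or sidestep the rest of the ACL.
ESCALATING = 0x040000 | 0x080000 | 0x000040
TRUSTED = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}  # assumption

def decode(mask):
    """Return the special permissions whose bits are set in an access mask."""
    return [name for bit, name in SPECIAL.items() if mask & bit]

def groups(mask):
    """Return every standard group whose bits are all present in the mask."""
    return [g for g, bits in GROUPS.items() if mask & bits == bits]

def review(acl):
    """Flag allow ACEs that give a non-trusted principal escalating rights."""
    return [(trustee, decode(mask & ESCALATING))
            for trustee, kind, mask in acl
            if kind == "allow" and trustee not in TRUSTED and mask & ESCALATING]

# Constructed sample ACL: (trustee, ACE type, access mask). Names are made up.
SAMPLE_ACL = [
    ("BUILTIN\\Administrators", "allow", 0x1F01FF),
    ("Everyone", "allow", 0x1200A9),
    ("EXAMPLE\\Interns", "allow", 0x1301BF | 0x080000),  # Modify + Take Ownership
    ("EXAMPLE\\Temps", "deny", 0x040000),
]

if __name__ == "__main__":
    print(review(SAMPLE_ACL))
```

The Interns entry is the one to notice: it looks like ordinary Modify access in a group-level view, and only the expanded mask shows the extra Take Ownership bit.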
Keep in mind that when NTFS permissions are assigned to a particular folder, those permissions are applied to, or inherited by, all subsequent folders created inside that first folder. This makes assigning permissions to subfolders and files relatively painless, as the server does most of the work for you.
Any NTFS permissions applied to a folder get replicated to all subfolders within the parent. This creates a practical way in which to control what user/group has control over what folder/file.
Get Info: Who are the Print Operators, Administrators, Creator Owner, and Everyone groups? These are groups that are built into Windows Server 2003. Any new user added to the server is automatically added to the Everyone group. Creator Owner is a variable placeholder that gets replaced with an actual user. The other two groups have a bit more power in what they can do in the server environment, with the Administrators group being at the top of the heap.