Windows XP Pro: The Missing Manual
There's one final aspect of user accounts that's worth mentioning: NTFS permissions, a technology that's the heart of Windows XP Pro's security system. Using this feature, you can specify exactly which co-workers are allowed to open which files and folders on your machine. In fact, you can also specify how much access each person has. You can dictate , for example, that Gomez and Morticia aren't allowed to open your Fourth-Quarter Projections spreadsheet at all, that Fred and Ginger can open it but not make changes, and George and Gracie can both open it and make changes. Your colleagues will encounter the permissions you've set up like this in two different situations: when tapping into your machine from across the network, or when sitting down at it and logging in using their own names and passwords. In either case, the NTFS permissions you set up protect your files and folders equally well.
NOTE In Chapter 20, you can read about a very similar form of access privileges called share permissions. There's a big difference between share permissions and the NTFS permissions described here, though: share permissions keep people out of your stuff only when they try to access your PC from over the network. Actually, there are other differences, too. NTFS permissions offer more gradations of access, for example. And using NTFS permissions, you can declare individual files accessible or inaccessible to specific co-workers ”not just folders. See Section 20.7.2.1 for details. Using NTFS permissions is most decidedly a power-user technique because of the added complexity it introduces. Entire books have been written on the topic of NTFS permissions alone. You've been warned . 17.9.1 Setting Up NTFS Permissions
To change the permissions for an NTFS file or folder, you open its Properties dialog box by right-clicking its icon, and then choosing Properties from the shortcut menu. The Properties dialog box appears; click the Security tab (Figure 17-19). Figure 17-19. The Security tab of an NTFS folder's Properties dialog box. If you have any aspirations to be a Windows XP power user, get used to this dialog box. You're going to see it a lot, because almost every icon on a Windows XP system ”files, folders, disks, printers ”has a Security tab like this one. 17.9.2 Step 1: Specify the Person
The top of the Security tab lists the people and groups that have been granted or denied permissions to the selected file or folder. When you click a name in the list, the Permissions box at the bottom of the dialog box shows you how much access that person or group has. The first step in assigning permissions, then, is to click the person or group whose permissions you want to change. If the person or group isn't listed, click the Add button to display the Select Users or Groups dialog box, where you can type them in (Figure 17-20).
NOTE Instead of typing in names one at a time, as shown in Figure 17-20, you can also choose them from a list, which lets you avoid spelling mistakes and having to guess at the variations. To do so, click the Advanced button to display an expanded version of the dialog box, and then click Find Now to search for all of the accounts and groups on the computer. Finally, in the resulting list, click the names of the people and groups you want to add (Ctrl-click to select more than one at once). Click OK to add them to the previous dialog box, and click OK again to add the selected users and groups to the Security tab. If you've used Windows 2000, in the meantime, you might wonder why this process is so much more convoluted in XP Pro that was in Windows 2000. The answer is: good question! 17.9.3 Step 2: Specify the Permissions
Once you've added the users and groups you need to the list on the Security tab, you can highlight each one and set permissions for it. You do that by turning on the Allow or Deny checkboxes at the bottom half of the dialog box. The different degrees of freedom break down as follows (they're listed here from least to most control, even though that's not how they're listed in the dialog box):
Of course, turning on Allow grants that level of freedom to the specified user or group, and turning it off takes away that freedom. (For details on the Deny checkbox, see the box on the facing page.)
NOTE If you're not careful, it's entirely possible to "orphan" a file or folder (or even your entire drive) by revoking everyone's permission to it, even your own, making it completely inaccessible by anyone . That's why, before you get too deeply into working with NTFS permissions, you might consider creating an extra user account on your system and granting it Full Control for all of your drives , just in case something goes wrong. 17.9.4 Groups and Permissions
Once you understand the concept of permissions, and you've enjoyed a thorough shudder contemplating the complexity of a network administrator's job (6 levels of permissions 3 thousands of files 3 thousands of employees = way too many permutations ), one other mystery of Windows XP Pro will fully snap into focus: the purpose of groups, introduced on Section 17.5.3. On those pages, you can read about groups as canned categories, complete with predefined powers over the PC, into which you can put different individuals to save yourself the time of adjusting their permissions and privileges individually. As it turns out, each of the ready-made Windows XP Pro groups also comes with predefined permissions over the files and folders on your hard drive. Here, for example, is how the system grants permissions to your Windows folder for the Users, Power Users, and Administrators groups:
If you belong to the Users group, you have the List Folder Contents permission, which means that you can see what's in the Windows folder; the Read permission, which means that you can open up anything you find inside; and the Read & Execute permission, which means that you can run programs in that folder (which is essential for Windows XP itself to run). But people in the Users group aren't allowed to change or delete anything in the Windows folder, or to put anything else inside. Windows XP is protecting itself against the mischievous and clueless. Members of the Power Users group have all of those abilities and more ”they also have Modify and Write permissions, which let them add new files and folders to the Windows folder (so that, for example, they can install a new software program on the machine). 17.9.5 When Permissions Collide
If you successfully absorbed all this information about permissions, one thing should be clear: people in the Power Users group ought to be able to change or delete any file in your Windows folder. After all, they have the Modify permission, which ought to give them that power. In fact, they can move or delete anything in any folder in the Windows folder, because the first cardinal rule of NTFS permissions is this: 17.9.5.1 NTFS permissions travel downstream, from outer folders to inner ones
In other words, if you save the Modify and Write permissions to a folder, then you ought to have the same permissions for every file and folder inside it. But if you are indeed in the Power Users group, you'll find that you can't, in fact, delete any of files or folders in the Windows folder. That's because each of them comes with Modify and Write permissions turned off for Power Users, even though the folder that encloses them has them turned on. Why would Microsoft go to this trouble? Because it wants to prevent people in this group from inadvertently changing or deleting important Windows files ”and yet it wants these people to be able to put new files into the Windows folder, so that they can install new programs. This is a perfect example of the second cardinal rule of NTFS permissions: 17.9.5.2 NTFS permissions that have been explicitly applied to a file or folder always override inherited permissions
Here's another example: Suppose your sister, the technical whiz of the household, has given you Read, Write, Modify, Read & Execute, and List Folder Contents permissions to her own My Documents folder. Now you can read, change, or delete every file there. But she can still protect an individual document or folder inside her My Documents folder ”the BirthdayPartyPlans.doc file, for example ”by denying you all permissions to it. You'll be able to open anything else in there, but not that file. Believe it or not, NTFS permissions get even more complicated, thanks to the third cardinal rule: 17.9.5.3 Permissions accumulate as you burrow downward through folders inside folders
Now suppose your sister has given you the Read and List Folder Contents permissions to her My Documents folder ”a "look, but don't touch" policy. Thanks to the first cardinal rule, you automatically get the same permissions to every file and folder inside My Documents. Suppose one of these inner folders is called Grocery Lists. If she grants you the Modify and Write permissions to the Grocery Lists folder, so that you can add items to the shopping list, you end up having Read, Modify, and Write permissions for every file in that folder. Those files have accumulated permissions ”they got the Read permission from My Documents, and the Modify and Write permissions from the Grocery Lists folder. Because these layers of inherited permissions can get dizzyingly complex, Microsoft has prepared for you a little cheat sheet, a dialog box that tells you the bottom line, the net result ”the effective permissions. To see it, follow these steps:
|