by MS
If users or groups whose permissions you want to assign aren't already available in the Group Or User Names list on the Security tab, you can easily add them. To set basic permissions for users or groups not already listed on a file or a folder's Security tab, follow these steps:
1. On the Security tab, click Edit. This displays the Permissions For … dialog box.
2. In the Permissions For … dialog box, click Add to display the Select Users Or Groups dialog box, shown in Figure 10-3.
Figure 10-3: Use Select Users, Computers, or Groups to specify the groups whose permissions you want to configure.
Tip
Always double-check the value of the From This Location field. In workgroups, computers always show only local accounts and groups. In domains, this field is changeable and is set initially to the default (logon) domain of the currently logged-on user. If this isn't the location you want to use for selecting user and group accounts to work with, click Locations to see a list of locations you can search, including the current domain, trusted domains, and other resources that you can access.
3. Type the name of a user or a group account in the selected or default domain. Be sure to reference the user account name rather than a user's full name. When entering multiple names, separate them with semicolons.
4. Click Check Names. If a single match is found for each entry, the dialog box is automatically updated as appropriate and the entry is underlined. Otherwise, you'll see an additional dialog box. If no matches are found, you've either entered an incorrect name part or you're working with an incorrect location. Modify the name in the Name Not Found dialog box and try again, or click Locations to select a new location. When multiple matches are found, select the name(s) you want to use in the Multiple Names Found dialog box and then click OK. The users and groups are added to the Name list.
You can now configure permissions for each user and group you added by selecting an account name and then allowing or denying access permissions as appropriate.
Special Identities and Best Practices for Assigning Permissions
When you work with basic permissions, it is important to understand not only how the permissions are used but also how special identities can be used to help you assign permissions. The special identities you'll see the most are Creator Owner and Users, but others are also used occasionally, as described in Table 10-2.
Table 10-2: Special Identities Used When Setting Permissions
| Special Identity | Description |
| --- | --- |
| Anonymous Logon | Includes any network logons for which credentials are not provided. This special identity is used to allow anonymous access to resources, such as those available on a Web server. |
| Authenticated Users | Includes users and computers who log on with a user name and password; does not include users who log on as Guest, even if the Guest account is assigned a password. |
| Creator/Owner | The special identity for the account that created a file or a folder. Windows Vista uses this group to identify the account that has ultimate authority over the file or folder. |
| Dialup | Includes any user who accesses the computer with a dial-up connection. This identity is used to distinguish dial-up users from other types of users. |
| Everyone | Includes all interactive, dial-up, and authenticated users. Although this group includes guests, it does not include anonymous users. |
| Interactive | Includes any user logged on locally or through a remote desktop connection. |
| Network | Includes any user who logs on over the network. This identity is used to allow remote users to access a resource and does not include interactive logons that use remote desktop connections. |
| Users | Includes authenticated users and domain users only. In Windows Vista, the built-in Users group is preferred over Everyone. |
A solid understanding of these special identities can help you more effectively configure permissions on NTFS volumes. Additionally, whenever you work with permissions, you should keep the following guidelines in mind:
- Follow the file system hierarchy: Inheritance plays a big part in how permissions are set. By default, permissions you set on a folder apply to all files and subfolders within that folder. With this in mind, start at the root folder of a local disk or a user's profile folder (both of which act as top-level folders) when you start configuring permissions.
- Have a plan: Don't set permissions without a clear plan. If permissions get out of sync on folders, and you are looking for a way to start over so that you have some continuity, you might want to configure the permissions as they should be in a parent folder and then reset the permissions on all subfolders and files in that folder using the technique discussed in the "Restoring Inherited Permissions" section of this chapter.
- Grant access only as necessary: An important aspect of the file access controls built into NTFS is that permissions must be explicitly assigned. If you don't grant a permission to a user and that user isn't a member of a group that has a permission, the user doesn't have that permission—it's that simple. When assigning permissions, it is especially important to keep this rule in mind because it's tempting just to give users full control rather than the specific permissions they really need. Granting only the specific permissions users need to do their job is known as the principle of least privilege.
- Use groups to manage permissions more efficiently: Whenever possible, you should make users members of the appropriate groups and then assign permissions to those groups rather than assigning permissions to individual users. In this way, you can grant permissions to new users by making them members of the appropriate groups, and then, when a user leaves or goes to another group, you can change the group membership as appropriate. For example, when Sarah joins the sales team, you can add her to the SalesUS and SalesCan groups so that she can access those groups' shared data. If she later leaves the sales team and joins the marketing team, you can remove her from the SalesUS and SalesCan groups and add her to the MarketingUS and MarketingCan groups. This is much more efficient than editing the properties for every folder Sarah will need access to and assigning permissions.
Assigning Special Permissions
Windows Vista uses special permissions to carefully control the permissions of users and groups. Behind the scenes, whenever you work with basic permissions, Windows Vista manages a set of related special permissions that specify exactly the permitted actions. The special permissions that are applied for each of the basic permissions are as follows:
Read
- List Folder/Read Data
- Read Attributes
- Read Extended Attributes
- Read Permissions
Read & Execute or List Folder Contents
- All special permissions for Read listed previously
- Traverse Folder/Execute File
Write
- Create Files/Write Data
- Create Folders/Append Data
- Write Attributes
- Write Extended Attributes
Modify
- All special permissions for Read listed previously
- All special permissions for Write listed previously
- Delete
Full Control
- All special permissions listed previously
- Delete Subfolders And Files
- Change Permissions
- Take Ownership
Table 10-3 describes how Windows Vista uses each special permission.
Table 10-3: Special Permissions for Files and Folders
| Special Permission | Description |
| --- | --- |
| Traverse Folder/Execute File | Traverse Folder allows direct access to a folder in order to reach subfolders, even if you don't have explicit access to read the data it contains. Execute File allows you to run an executable file. |
| List Folder/Read Data | List Folder lets you view file and folder names. Read Data allows you to view the contents of a file. |
| Read Attributes | Allows you to read the basic attributes of a file or a folder. These attributes include Read-Only, Hidden, System, and Archive. |
| Read Extended Attributes | Allows you to view the extended attributes (named data streams) associated with a file. |
| Create Files/Write Data | Create Files allows you to put new files in a folder. Write Data allows you to overwrite existing data in a file (but not add new data to an existing file, because this is covered by Append Data). |
| Create Folders/Append Data | Create Folders allows you to create subfolders within folders. Append Data allows you to add data to the end of an existing file (but not to overwrite existing data, because this is covered by Write Data). |
| Write Attributes | Allows you to change the basic attributes of a file or a folder. These attributes include Read-Only, Hidden, System, and Archive. |
| Write Extended Attributes | Allows you to change the extended attributes (named data streams) associated with a file. |
| Delete Subfolders and Files | Allows you to delete the contents of a folder. If you have this permission, you can delete the subfolders and files in a folder even if you don't specifically have Delete permission on the subfolder or the file. |
| Delete | Allows you to delete a file or a folder. If a folder isn't empty and you don't have Delete permission for one of its files or subfolders, you won't be able to delete it. You can delete a folder that contains other items only if you have Delete Subfolders And Files permission. |
| Read Permissions | Allows you to read all basic and special permissions assigned to a file or a folder. |
| Change Permissions | Allows you to change basic and special permissions assigned to a file or a folder. |
| Take Ownership | Allows you to take ownership of a file or a folder. By default, administrators can always take ownership of a file or a folder and can also grant this permission to others. |
In Windows Explorer, you can view special permissions for a file or a folder by right-clicking the file or the folder you want to work with and then selecting Properties. In the Properties dialog box, select the Security tab and then click Advanced to display the Advanced Security Settings dialog box, as shown in Figure 10-4. In this dialog box, the permissions are presented much as they are on the Security tab. The key differences are that you see individual allow or deny permission sets along with whether and how the permissions are inherited, as well as the resources to which the permissions will apply.
Figure 10-4: Use the Advanced Security Settings dialog box to configure special permissions.
Once you've accessed the Advanced Security Settings dialog box, you can set special permissions using the Add, Edit, and Remove buttons. To add a user or a group and then set special permissions for that user or group, follow these steps:
1. On the Security tab, click Advanced to display the Advanced Security Settings dialog box.
2. On the Permissions tab, click Edit. This opens the Advanced Security Settings dialog box for editing.
3. Click Add. This displays the Select User Or Group dialog box.
4. Type the name of a user or a group account in the selected or default domain. Be sure to reference the user account name rather than a user's full name. Only one name can be entered at a time.
5. When you click OK, the Permission Entry For … dialog box, shown in Figure 10-5, is displayed.
Figure 10-5: Configure the special permissions that should be allowed or denied.
6. Allow or deny special permissions as appropriate. If any permissions are shaded (unavailable), they are being inherited from a parent folder. You can override the inherited permission if necessary by selecting the opposite permission, such as Deny rather than Allow.
7. If the options on the Apply Onto list are available, choose the appropriate options to ensure the permissions are properly inherited. The options include the following:
   - This Folder Only: The permissions will apply only to the currently selected folder.
   - This Folder, Subfolders And Files: The permissions will apply to this folder, any subfolders of this folder, and any files in any of these folders.
   - This Folder And Subfolders: The permissions will apply to this folder and any subfolders of this folder. They will not apply to any files in any of these folders.
   - This Folder And Files: The permissions will apply to this folder and any files in this folder. They will not apply to any subfolders of this folder.
   - Subfolders And Files Only: The permissions will apply to any subfolders of this folder and any files in any of these folders. They will not apply to this folder itself.
   - Subfolders Only: The permissions will apply to any subfolders of this folder but will not apply to the folder itself or any files in any of these folders.
   - Files Only: The permissions will apply to any files in any of these folders and any files in subfolders of this folder. They will not apply to this folder itself or to subfolders.
8. When you are finished configuring permissions, click OK.
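The special permissions in Table 10-3 and the Apply Onto choices listed in the steps above are stored in each access control entry as FileSystemRights, InheritanceFlags, and PropagationFlags values. The following PowerShell is an added example, not code from the original text; the helper name Get-AceDetail, the temporary folder, and the constructed entry for BUILTIN\Users are assumptions made for illustration.

```powershell
# Added example: decode each ACE on a folder into Table 10-3 special permissions
# and the matching Apply Onto choice. Get-AceDetail is a hypothetical helper name.
$FSR = [System.Security.AccessControl.FileSystemRights]
$Special = [ordered]@{
    'Traverse Folder/Execute File' = $FSR::ExecuteFile
    'List Folder/Read Data'        = $FSR::ReadData
    'Read Attributes'              = $FSR::ReadAttributes
    'Read Extended Attributes'     = $FSR::ReadExtendedAttributes
    'Create Files/Write Data'      = $FSR::WriteData
    'Create Folders/Append Data'   = $FSR::AppendData
    'Write Attributes'             = $FSR::WriteAttributes
    'Write Extended Attributes'    = $FSR::WriteExtendedAttributes
    'Delete Subfolders And Files'  = $FSR::DeleteSubdirectoriesAndFiles
    'Delete'                       = $FSR::Delete
    'Read Permissions'             = $FSR::ReadPermissions
    'Change Permissions'           = $FSR::ChangePermissions
    'Take Ownership'               = $FSR::TakeOwnership
}
# Key is "<InheritanceFlags>|<PropagationFlags>" exactly as the enums print.
$ApplyOnto = @{
    'None|None'                                   = 'This Folder Only'
    'ContainerInherit, ObjectInherit|None'        = 'This Folder, Subfolders And Files'
    'ContainerInherit|None'                       = 'This Folder And Subfolders'
    'ObjectInherit|None'                          = 'This Folder And Files'
    'ContainerInherit, ObjectInherit|InheritOnly' = 'Subfolders And Files Only'
    'ContainerInherit|InheritOnly'                = 'Subfolders Only'
    'ObjectInherit|InheritOnly'                   = 'Files Only'
}
function Get-AceDetail {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $rights = [int]$ace.FileSystemRights
        $key    = '{0}|{1}' -f $ace.InheritanceFlags, $ace.PropagationFlags
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType   # Allow or Deny
            Inherited = $ace.IsInherited         # shown shaded in the dialog
            ApplyOnto = if ($ApplyOnto.ContainsKey($key)) { $ApplyOnto[$key] } else { $key }
            Special   = @($Special.Keys | Where-Object { $rights -band [int]$Special[$_] }) -join '; '
        }
    }
}
# Constructed demo: grant Read & Execute to BUILTIN\Users on children only, then decode.
$demo  = New-Item -ItemType Directory -Path (Join-Path $env:TEMP "acl-demo-$PID") -Force
$users = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'   # BUILTIN\Users
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')
$acl = Get-Acl -LiteralPath $demo.FullName
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $demo.FullName -AclObject $acl
Get-AceDetail -Path $demo.FullName | Format-List
Remove-Item -LiteralPath $demo.FullName -Recurse -Force
```

Entries whose flags fall outside the seven Apply Onto combinations are reported with their raw flag names, and generic rights that some system folders carry are not expanded.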
File Ownership and Permission Assignment
The owner of a file or a folder has the right to allow or deny access to that resource. Although members of the Administrators group and other authorized users also have the right to allow or deny access, the owner has the authority to lock out non-administrator users, and then the only way to regain access to the resource is for an administrator or restore operator to take ownership of it. This makes the file or folder owner important in terms of what permissions are allowed or denied with respect to a given resource.
The default owner of a file or a folder is the person who created the resource. Ownership can be taken or transferred in several different ways. A current owner of a file or a folder can transfer ownership to another user or group at any time. A member of the Administrators group can take ownership of a file or a folder or transfer ownership to another user or group at any time—even if they are locked out of the resource according to the permissions. Any user with the Take Ownership permission on the file or the folder can take ownership, as can any member of the Backup Operators group (or anyone else with the Restore Files And Directories user right, for that matter).
Taking Ownership of Files and Folders
If you are an administrator, an authorized user, or a backup operator, you can take ownership of a file or a folder by completing the following steps:
1. In Windows Explorer, access the file or folder's Properties dialog box by right-clicking the file or folder and then selecting Properties.
2. On the Security tab, click Advanced to display the Advanced Security Settings dialog box.
3. On the Owner tab, click Edit. This opens the Advanced Security Settings dialog box for editing, as shown in Figure 10-6.
Figure 10-6: Use the Owner tab to take ownership of a file or a folder.
4. In the Change Owner To list box, select the new owner. If you're taking ownership of a folder, you can take ownership of all subfolders and files within the folder by selecting the Replace Owner On Subcontainers And Objects option.
5. Click OK twice when you are finished.
Assigning Ownership
If you are an administrator or the current owner of a file, you can assign ownership of a file or a folder to another user or group by completing these steps:
1. In Windows Explorer, access the file or folder's Properties dialog box by right-clicking the file or folder and then selecting Properties.
2. On the Security tab, click Advanced to display the Advanced Security Settings dialog box.
3. On the Owner tab, click Edit. This opens the Advanced Security Settings dialog box for editing.
4. Click Other Users Or Groups to display the Select User Or Group dialog box.
5. Type the name of a user or a group and click Check Names. If multiple names match the value you entered, you'll see a list of names and will be able to choose the one you want to use. Otherwise, the name will be filled in for you, and you can click OK to close the Select User Or Group dialog box.
6. In the Change Owner To list box, select the new owner. If you're assigning ownership of a folder, you can assign ownership of all subfolders and files within the folder by selecting the Replace Owner On Subcontainers And Objects option.
7. Click OK twice when you are finished.
Applying Permissions Through Inheritance
In the file and folder hierarchy used by Windows Vista, the root folder of a local disk and the %UserProfile% folder are the parent folders of all the files and folders they contain by default. Any time you add a resource, it inherits the permissions of the local disk's root folder or the user's profile folder. You can change this behavior by modifying a folder's inheritance settings so that it no longer inherits permissions from its parent folder. This would create a new parent folder, and any subfolders or files you added would then inherit the permissions of this folder.
Inheritance Essentials
Inheritance is automatic, and inherited permissions are assigned when a file or a folder is created. If you do not want a file or a folder to have the same permissions as a parent, you have several choices:
- Stop inheriting permissions from the parent folder and then copy or remove existing permissions as appropriate.
- Access the parent folder and configure the permissions you want all included files and folders to have.
- Try to override an inherited permission by selecting the opposite permission. In most cases, Deny overrides Allow.
Inherited permissions are shaded (unavailable) on the Security tab of a file or a folder's properties dialog box. It is also important to note that when you assign new permissions to a folder, the permissions propagate down to the subfolders and files contained in that folder and either supplement or replace existing permissions. This propagation lets you allow additional users and groups to access a folder's resources or to further restrict access to a folder's resources independently of a parent folder.
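Because a folder that stops inheriting becomes a new parent for everything beneath it, it is useful to know where in a tree that has happened and who owns those items. The following PowerShell is an added example, not code from the original text; the helper name Get-InheritanceBreak and the constructed folder tree are assumptions made for illustration.

```powershell
# Added example: report every item under a root whose permissions do not come
# purely from its parent. Get-InheritanceBreak is a hypothetical helper name.
function Get-InheritanceBreak {
    param([Parameter(Mandatory)][string]$Root)
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        $acl      = Get-Acl -LiteralPath $item.FullName
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        # Skip items that simply inherit everything from their parent.
        if (-not $acl.AreAccessRulesProtected -and $explicit.Count -eq 0) { continue }
        $names = {
            param($type)
            @($explicit | Where-Object { $_.AccessControlType -eq $type } |
                ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join '; '
        }
        [pscustomobject]@{
            Path               = $item.FullName
            Owner              = $acl.Owner
            InheritanceBlocked = $acl.AreAccessRulesProtected
            ExplicitAllow      = & $names 'Allow'
            ExplicitDeny       = & $names 'Deny'
        }
    }
}

# Constructed demo tree: root\sub\file.txt, with inheritance stopped on "sub".
$root = New-Item -ItemType Directory -Path (Join-Path $env:TEMP "inherit-demo-$PID") -Force
$sub  = New-Item -ItemType Directory -Path (Join-Path $root.FullName 'sub')
Set-Content -LiteralPath (Join-Path $sub.FullName 'file.txt') -Value 'constructed sample'

$acl = Get-Acl -LiteralPath $sub.FullName
$acl.SetAccessRuleProtection($true, $true)   # stop inheriting, keep a copy of the inherited ACEs
$guests = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-546'   # BUILTIN\Guests
$deny   = New-Object System.Security.AccessControl.FileSystemAccessRule($guests, 'Write', 'Deny')
$acl.AddAccessRule($deny)                    # explicit Deny, applies to this folder only
Set-Acl -LiteralPath $sub.FullName -AclObject $acl

# "sub" is reported (blocked, explicit entries, one Deny); file.txt inherits from it and is not.
Get-InheritanceBreak -Root $root.FullName | Format-List
Remove-Item -LiteralPath $root.FullName -Recurse -Force
```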