6.1 File Access
The following table summarizes the permissions for folders and files.
• Read
• Write
• List folder contents
• Read & execute
• Modify
• Full Control
Read
View folder details and attributes. View file attributes; open a file.
When both share and NTFS permissions apply:
• You determine the effective permissions of each type using the most permissive permission.
• You then compare the effective permissions of both NTFS and share permission.
• The more restrictive of the two sets of permissions takes effect.
Why should you assign permissions to groups rather than users?
Because if a user leaves and a new one arrives, all the settings would have to be added again for each user. Groups make it easier. Also, if a user needs to change departments, it is easier to move the user to another group than to remove all the old settings and add the new ones.
Write
Change folder or file data and attributes.
What is the difference between explicit permissions and inherited permissions?
Explicit = You go to a folder and apply it. Inherited = Subfolders inherit permissions set on parent folders. (Can be disabled. Can be forced.)
Modify
Includes all Read & Execute and Write actions and adds the ability to add or delete files.
Read & execute
Includes all Read actions and adds the ability to run programs.
List folder & contents
Includes all Read actions and adds the ability to view a folder's contents.
Full control
Includes all other actions and adds the ability to take ownership of and change permissions on the folder.
When setting up or managing NTFS permissions, be aware of the following concepts:
• Ownership
• Explicit vs. inherited permissions
• Copying or moving files
• Using icacls
Ownership
Ownership affects access and assigning permissions as follows:
• Every object, including files and folders, has an owner.
• The owner is typically the user who created the file.
• The owner has full control over the file and can assign permissions to the file.
• Administrators have the Take Ownership right to all objects. Administrators can assign ownership of a file or folder even if they do not have permissions to access the file.
• You can reassign ownership of a file or folder to give a user all permissions. You might reassign ownership when someone leaves your organization.
• If you cannot access a file because of insufficient permissions, take ownership of the file and modify the permissions.
Explicit vs. inherited permissions
Permissions are also called Access Control Entries (ACE). An ACE can either allow or deny access, and can be configured explicitly or inherited.
• Explicit permissions are set on the object; inherited permissions are set on the parent object and apply to the contents of the folder.
• By default, when new files or folders are created, they inherit the permissions of their parent folder.
• You can block inheritance by deselecting Allow inheritance in the NTFS permissions window.
• When blocking inheritance, a recommended practice is to copy the inherited permissions, so you will have a record of the inheritable permissions.
• If you need to reset the inherited permissions for a file or folder, select the parent folder and then select the Replace the permissions of all existing child objects option under the Advanced options of the Security tab.
• Removing inheritance is an advanced NTFS permission option.
• The allow permission grants the user, group, or computer the specified permission to the object.
• The deny permission restricts access to the object.
• The deny permission overrides the allow permission, unless the deny permission is inherited and the allow permission is explicit.
• Explicit permissions take precedence over inherited permissions, even inherited deny permissions.
• Use the deny permission only when you want to override specific permissions that are already assigned.
• Permissions are cumulative. Users gain the sum of all permissions granted to the user account and any groups.
In Windows Server 2012, you can check the effective permissions for a file or folder on the Effective Access tab. The permissions shown in the Effective Permissions tab are approximate permissions, and can vary depending on how a user logs in or how they access the resource.
This section covers the following 70-410 exam objective:
This objective may include but is not limited to:
• Create and configure shares
• Configure share permissions
• Configure offline files
• Configure NTFS permissions
• Configure NTFS quotas
How do logged on users get updated permissions?
Through Special Identities
Using icacls
Use the icacls command to manage standard NTFS permissions from a command prompt. Be aware of the following switches:
• /grant grants the specified user access rights.
• /deny explicitly denies the specified user access rights.
• /save saves and enables the ability to restore the user access rights.
• /restore restores user access rights.
Copying or moving files
You must have the following permissions to copy or move a file:
• To copy a file or folder, you must have Read permissions to the source file and Write permission to the destination location.
• To move a file or folder, you must have Read and Modify permission to the source file, and Write permission to the destination location.
Copying or moving files or folders that have NTFS permissions assigned can affect the permissions on the file or folder.
• If you copy or move a file to a non-NTFS partition, all permissions are removed.
• If you copy or move a file to a different NTFS partition, the file will inherit the permissions assigned to the parent partition and folders.
• When a file has explicit NTFS permissions assigned to that file:
  • If you copy or move the file to a different NTFS partition, the explicit permissions will be removed.
  • If you move the file to a different folder on the same NTFS partition, the explicit permissions will be kept.
  • If you copy the file to a different folder on the same NTFS partition, the explicit permissions will be removed.
  In all cases, the file will also inherit permissions from its new partition and folder.
• Use the robocopy and xcopy command line utilities to copy files while maintaining the NTFS permissions (even when copying between partitions).
This section covers the following Windows Server Pro: Install and Configure exam objective:
• 5.0 File and Print Services.
• Manage NTFS Permissions
• Configure NTFS Permissions
• Configure Inherited Permissions
• Manage Combined NTFS and Share Permissions
• Configure Quotas
• Manage Quota Restrictions
• Create Quota Entries
• Configure Quota Limits
Best practices for permissions include:
• Assign permissions as high up in the folder structure as possible.
• Assign permissions to groups, not individual users. You can use special identities, which are groups created by Windows.
• Use domain groups to set permissions.
• Set the Group scope as Domain local
• Set the Group type as Security
After finishing this section, you should be able to complete the following tasks:
• Configure NTFS permissions.
• Remove inherited permissions.
• Enable quota restrictions.
• Create a quota entry.
• Modify quota limits.
Permissions are assigned to resources and not to users or groups. The two types of permissions are:
• NTFS permissions control access to folders and files stored on an NTFS partition.
• With NTFS permissions, each file and folder has an access control list (ACL).
• The ACL identifies the users or groups and their level of access to the folder or file.
• NTFS file permissions are available only on NTFS volumes or partitions.
• NTFS permissions are in effect when files are accessed through the network or when they are accessed locally.
NTFS quotas limit the amount of space that a user can use on an NTFS volume. Be aware of the following regarding quotas:
• Quotas are tracked based on file ownership.
• A quota amount applies to all users in the group.
• Quota entries can be used to specify a different limit for a designated user.
• If you use a soft quota, the administrator is notified when a user meets the quota limit.
• If you use a hard quota, a user is not allowed to use more disk space.
• You can set a warning limit that notifies the user when a specified percentage of their quota limit is reached.
• File Server Resource Manager provides an administrator more flexibility by allowing quotas on a folder basis.
Shared folder permissions are assigned to a shared folder. Key facts about shared folder permissions are:
• Shared folder permissions are in effect only when the resource is accessed from the network. For example, denying access using Shared folder permissions will have no effect on the user's ability to access files when the user logs on locally. In that case, only the NTFS permissions will control access.
The two types of NTFS permissions are:
• Standard permissions
• Special permissions
Be aware of the following special permission details:
• Use special permissions to determine the level of permissions propagation, such as applying to all files and folders and subfolders, or to only the files in the folder.
• Special permissions offer finer control over the actions that can be performed on the file or the folder. To edit these permissions, click the Advanced button on the Security tab in the file or folder properties.
• Permissions are cumulative. If you are a member of two groups, both with different NTFS or special permissions, you will have the combined permissions of both groups (known as effective permissions).
• In Windows Server 2012, you can set a condition for a special permission.