NTFS permissions (Windows 2000)

Definition of NTFS permissions (Windows 2000) in The Network Encyclopedia.

What are NTFS permissions (Windows 2000)?

A set of permissions used in Microsoft Windows 2000 to secure folders and files located on an NTFS file system partition or volume. NTFS permissions provide security for both local and network access to the file system.

They are different from shared folder permissions, which can be applied only to folders and which secure the file system for network access only, not for local access.

How It Works

NTFS permissions in Windows 2000 differ depending on whether they are applied to files or to folders. The five standard file permissions and six standard folder permissions are listed in the following tables. These standard file and folder permissions are actually composed of various groupings of the 18 different special permissions - for more information, see the entry on NTFS special permissions (Windows 2000). These groupings simplify the job of securing files and folders on NTFS file system partitions and volumes.

Standard NTFS File Permissions in Windows 2000

| File Permission | User Access Granted |
| --- | --- |
| read | Open the file and view its permissions, attributes, and ownership |
| write | Modify the file, modify its attributes, and view its permissions, attributes, and ownership |
| read & execute | Delete the file and do everything read permission allows |
| modify | Delete the file and do everything read & execute and write permissions allow |
| full control | Take ownership, modify permissions, and do everything modify permission allows |

Standard NTFS Folder Permissions in Windows 2000

| Folder Permission | User Access Granted |
| --- | --- |
| read | View contents of folder and view its permissions, attributes, and ownership |
| write | Create new files and folders in the folder, modify its attributes, and view its permissions, attributes, and ownership |
| list folder contents | View contents of folder |
| read & execute | View subfolders within the folder and do everything read and list folder contents permissions allow |
| modify | Delete the folder and do everything read & execute and write permissions allow |
| full control | Take ownership, modify permissions, and do everything modify permission allows |

To use these standard permissions to secure a file or folder you must be the object's owner, have full control of the object, or be a member of the Administrators system group. You must explicitly assign a permission to a file or folder for the permission to be granted. If no permission is specified for a given user or group, the user or group has no access to the file or folder. When you explicitly assign a permission you can choose to either allow or deny the permission.

When you create a file or folder on an NTFS file system volume, it inherits the permissions of its parent folder or volume. When you assign a permission to a parent folder or volume, you have the option of propagating that permission to all of its child folders and files.

The following rules apply to assigning permissions for files and folders on NTFS file system volumes:

  • If a user belongs to two or more groups and the groups have different permissions on a given folder, the user’s effective permission is the least restrictive (most permissive) of the permissions. For example, if a user has read permission on a file and a group the user belongs to has modify permission, the effective permission is modify, which is the least restrictive of the two.
  • A permission explicitly denied overrides a similar permission explicitly allowed. For example, if a user has read permission on a file and a group the user belongs to has been denied read permission, the user cannot open and read the file.
  • A permission for a file overrides a similar permission for the folder containing the file. For example, if a user has modify permission on a file and read permission on the folder containing the file, the user can open, read, edit, and save changes to the file.
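
The three rules above, worked through as a small Python model. This is an added example, not code from this entry or from Windows. The right names, the sample principals (alice, Editors, Contractors) and the inherit-when-empty behaviour are assumptions, and only read, write, modify and full control are modelled.

```python
# Rights per standard file permission, simplified from the page's file table.
# Assumption: right names are illustrative, not the 18 NTFS special permissions.
READ = frozenset({"open", "view_metadata"})
WRITE = frozenset({"edit", "set_attributes", "view_metadata"})
MODIFY = READ | WRITE | {"delete"}
FULL_CONTROL = MODIFY | {"take_ownership", "change_permissions"}
STANDARD = {"read": READ, "write": WRITE,
            "modify": MODIFY, "full control": FULL_CONTROL}


def effective_rights(principals, acl):
    """Combine every ACL entry naming the user or one of the user's groups.

    principals: set of names (the user plus group memberships).
    acl: list of (principal, "allow" | "deny", standard permission name).
    """
    allowed, denied = set(), set()
    for principal, kind, permission in acl:
        if principal not in principals:
            continue                      # entry is for someone else
        if kind not in ("allow", "deny"):
            raise ValueError(f"unknown entry type: {kind!r}")
        target = allowed if kind == "allow" else denied
        target.update(STANDARD[permission])
    # Rule 1: allows accumulate. Rule 2: any explicit deny wins.
    # No matching entry leaves both sets empty, which means no access.
    return frozenset(allowed - denied)


def file_access(principals, file_acl, folder_acl):
    """Rule 3: entries on the file take precedence over the folder's.

    Assumption: a file with no entries of its own inherits the folder's.
    """
    return effective_rights(principals, file_acl or folder_acl)


if __name__ == "__main__":
    # Constructed sample: alice belongs to Editors and Contractors.
    alice = {"alice", "Editors", "Contractors"}
    acl = [("alice", "allow", "read"), ("Editors", "allow", "modify")]
    print(sorted(effective_rights(alice, acl)))           # modify-level rights
    acl.append(("Contractors", "deny", "read"))
    print("open" in effective_rights(alice, acl))         # False
```
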
NOTE

The differences between NTFS standard permissions for Windows 2000 and for Windows NT include the following:

  • Windows 2000 has six folder permissions; Windows NT has seven.
  • Windows 2000 has five file permissions; Windows NT has four.
  • In Windows 2000 you can explicitly grant or explicitly deny any standard file or folder permission. In Windows NT you can only explicitly grant a permission (but you can explicitly grant no access as a permission).

TIP

When you format a partition or volume using NTFS, the Everyone system group is automatically assigned full control permission for the root of the volume. Any new files or folders you create on the volume inherit this permission. Be aware that leaving full control for everyone might create a security risk; you should replace it with more suitable permissions such as full control for the Authenticated Users special identity.
