Previous Page | Next Page

  1. Introduction
  2. Capabilities
  3. Structure
  4. The Registry
  5. System and Configuration Files
  6. Security
  7. Application Support
  8. Requirements
  9. Installation
  10. Unattended Installation
  11. Booting
  12. Filesystems
  13. Programs
  14. Control Panel
  15. Tool
  16. Commands
  17. Customization
  18. Environment Variables
  19. Printing
  20. Performance
  21. System Services
  22. Permissions
  23. Groups
  24. User Rights and Auditing
  25. User Profiles
  26. Policies
  27. Network Model
  28. Resource Access
  29. Network Browsing
  30. Protocol Support
  31. RAS
  32. Networking
  33. Backups
  34. Events
  35. Error Handling
  36. Diagnostic Tools
  37. Items to Memorize
  38. Terms
  39. Credits

Windows NT Permissions

Access Types

  • User level - The user must enter their password to gain access to a resource. Domains support user level security.
  • Share level - The user logs in once and can get access to resources based on their user ID which allows various permissions to various resources set up on the system. Workgroups support share level security.

The most restrictive permissions of SHARE and the NT filesystem are combined when users access a resource remotely.

Two general permission types.

  1. Share-level - Define access through the network to a file or other resource such as a printer. The owner or administrator of the resource defines users and groups that have access to the resource and decides the amount of access they have.
  2. Resource-level - Define userís access to a resource locally.

Most resource-level permissions are for files and folders. Only NTFS filesystems support file and folder permissions including read, write, delete, change, and execute for specific users and groups. FAT filesystem properties only allow for read only, archive, system, and hidden properties.


An object is any resource that has properties. Any resource that can have have accesses set is a security object. Permissions to use an object stay with the object, not the user or group. These permissions reside in an access control list (ACL) which stays with the object. The access is determined when the user tries to access the object, not at logon time.


The ACL is a database with a list of groups and users that can access the object the ACL is attached to. It references SIDs rather than user names in user and group account entries. The account entries are called Access Control Entries (ACEs) and each one indicates a particular level of permission such as read only or full control for the particular user or group. The ACL is therefore a list of ACEs.

ACE Types

There is an ACE (Access control entry) for each user or group that is granted or denied access to the object

  • Access Allowed - Access is allowed and the entries in the ACE determines what access level is allowed.
  • Access Denied - Access for this user is denied.
  • Security Audit - Causes actions or processes accessing this resource on this account to be recorded by the security auditor.

Access Determination

A user is granted an access token when they logon. When a user attempts to access an object, the Security Reference Monitor will compare the userís security access token information to the access control list and determines the level of access to give to the user. All permissions are evaluated and an overall permission is calculated. The calculated access is returned as a security handle. which becomes part of the user's access token as long as they access the object. Therefore the user cannot be denied access to the object until the user releases control of the object even if their permissions are changed by the administrator. If the user is logged on, permissions take effect when the user logs off and logs on again.

An ACL is created for a file or folder when permissions are assigned. When the security reference monitor checks the entries in the ACL against the user's access token and finds a match, it follows the following rules:

  • The highest level of access is granted to the user based on his group and user ID unless the following item is true.
  • If NO ACCESS permission is set for the user's group or ID, then no access is allowed. The user could have full access, but if their group has NO_ACCESS, then the user will have no access.

Resource sharing

The default permissions of a new NTFS volume are set to Everyone, Full control. To enable a resource to be shared, right click on it and select the "Sharing" option. The name of the resource may be set, the number of users that can use the resource at one time can be set, and share level permissions can be set. Don't give the EVERYONE group NO_ACCESS.

Share Level Permissions

  • Read - Allows the folder and file names to be displayed and programs to be run with similar access to sub folders.
  • Change - Allows changes to be made to files and folders, including creating and deleting them.
  • Full Control - Allows full access to the folder, its files, and its sub folders, with the ability to take ownership of files and change permissions of files and folders.
  • No Access - Denies all access to the folder or its contents.

If two or more users try to access the same file simultaneously, the first user can modify the file, and other users can only read the file. Folder permissions apply to all files and folders in the shared folder.

File and Folder Permissions

  • Read(R)
  • Write(W)
  • Execute(E) - Can change sub folders and run executable files
  • Delete(D)
  • Change Permission(P) - The user/group can change file or folder access permissions.
  • Take Ownership(O) - The user/group can take ownership of a file or folder.

Standard Folder Permissions

  • No Access (None) - Prevents file access.
  • List(RX) - A folder permission option. Folders, sub folders, and files names in them may be viewed but it does not allow file contents to be viewed.
  • Read(RX) - List access is given along with the ability to see the contents of files and run executable files.
  • Add(WX) - A folder permission option. Files may be added to folders but folder contents may not be seen.
  • Add and Read(RWX) - Add access is given along with the ability to see the contents of files and run executable files.
  • Change (RWXD) - Files and folders may be displayed, added, modified, and executable files may be run.
  • Full Control (All) - Permits Change access in addition to allowing modification of permissions and taking ownership of folders and files. To preserve POSIX support on NT, a user may delete a file in a folder (that they have full control of) even if they have "No Access" to that particular file.
  • Special Directory Access - Permits individual selection of permissions (R,W,E,D,P,O) for folders.
  • Special File Access - Permits individual selection of permissions (R,W,E,D,P,O) for files.

Standard File Permissions

  • No Access (None) - Prevents file access
  • Read(RX) - Allows reading and execution of files.
  • Change(RWXD) - Files may be read, modified, and deleted.
  • Full Control(All)
  • Special Access - Permits individual selection of permissions (R,W,E,D,P,O) for files.

When a user has full control permission for a folder, the permissions will apply to the files in the folder even though permission for an individual file in the folder may be set to NO ACCESS for that user.When a file or folder is moved, it retains its current permissions, but when it is copied, it inherits the permission of the parent folder or partition it is being copied to.


If the owner's user is a member of the administrators group, the owner is the administrators group. Administrators do not have access to all resources, but they may take ownership of any resource. Once ownership is taken, it cannot be given back. Also taking ownership of a resources changes all existing permissions for that resource.

Setting Permissions

  1. Right click on the file or folder.
  2. Select properties
  3. Select the security tab on the properties sheet.
  4. Click on the permissions button.
  5. If the file you selected is a subdirectory there are the following check box choices:
    • Replace permissions on subdirectories - Permission changes are applied to all sub folders.
    • Replace permissions on existing files - Permissions are applied to all files in the folder. If both are selected, permissions are applied to all sub folders and files in all files in the folder and its sub folders.
  6. Click on OK to exit the permissions box and OK to exit the properties box.

Moving Files

When permissions are changed on a folder, by default, permissions are replaced on files in the folder, but not on subdirectories. This may be changed using the provided checkboxes such as "Replace Permissions on Subdirectories". When files are moved on NTFS partitions, if they are moved from one partition to another, it is as though they were copied. If files are moved to another folder, they retain their normal attributes including compression attribute reguardless of the attributes of the parent folder they are bieing moved to. When files are copied to another folder, they will adopt the attribute s of the folder they are being copied to.

Hidden shares and Administrative shares

Shares with the "$" at the end are hidden which hides the share from browse requests. There are hidden shares used by the OS and the administrator, which can be viewed from the server applet in the control panel. The drive$ shares are the drive letter followed by a $ such as C$, D$. To access these shares, use their UNC name.

  • drive$ - This share is normally C$, D$, etc., which is the drive letter followed by the $. If is the root directory of NT recognizable partitions Users that can use this share remotely are administrators, server operators, and backup operators.
  • Admin$ - This is the directory the NT system files reside in which is normally C:\WINNT40. Users that can use this share are administrators, server operators, and backup operators.
  • IPC$ - This share represents named pipes that are used by the operating system for remote administration or remote access.
  • Netlogon - This share exists on domain controllers and is used to authenticate users that log on the NT domain.
  • Print$ - Supports remote access for shared printers.
  • REPL$ - Created by and used for the Directory Replication service. It identifies locations of directories and files for export.

Administrative shares may be viewed from the Control Panel Server applet by selecting the "Shares" button. Hidden shares are created by adding the $ sign to the end of the share name.

Accessing a shared folder

The following ways may be used to access shared folders.

  • Network Neighborhood
  • The find command
  • Drive mapping with Windows Explorer
  • Drive mapping with My Computer