Previous Page | Next Page

  1. Introduction
  2. Windows 2000 Professional
  3. Windows 2000 Server
  4. Windows 2000 Advanced Server
  5. Windows 2000 Datacenter Server
  6. Application Support
  7. System Operation
  8. Disks and Volumes
  9. Filesystems
  10. Configuration Files
  11. Security
  12. Network Support
  13. Access Management
  14. Processes
  15. AD Structure
  16. AD Objects
  17. AD Object Naming
  18. AD Schema
  19. AD Sites
  20. Domains
  21. AD Functions
  22. AD Replication
  23. DNS
  24. AD Security
  25. AD Installation
  26. AD Configuration
  27. AD Performance
  28. Installation
  29. Installation Options
  30. Unattended Installation
  31. Software Distribution
  32. Remote Installation Service
  33. Language
  34. Accessibility
  35. File Attributes
  36. Shares
  37. Distributed File System
  38. Control Panel
  39. Active Directory Tools
  40. Computer Management Console Tools
  41. MMC Tools
  42. Network Tools
  43. Network Monitor
  44. System Performance Monitoring
  45. Tools
  46. Managing Services
  47. Connections
  48. TCP/IP
  49. DHCP
  50. Printing
  51. Routing
  52. IPSec
  53. ICS
  54. Fault Tolerance
  55. Backup
  56. System Failure
  57. Services
  58. Remote Access
  59. WINS
  60. IIS
  61. Certificate Server
  62. Terminal Services
  63. Web Services
  64. Authentication
  65. Accounts
  66. Permissions
  67. Groups
  68. User Rights and Auditing
  69. Auditing
  70. User Profiles
  71. Policies
  72. Group Policies
  73. Miscellaneous
  74. Terms
  75. Credits

Windows 2000 Permissions

The permissions on Windows 2000 systems are all selectable with two columns of boxes which are:

  • Allow - Grant the permission.
  • Deny - Any denied permission for a group or user will override any allow permission, even if the user is in a group that is granted that permission.

If neither box is checked, the permission is not granted for the user or group, but if the user is in another group that has the permission, it will not be denied. Normally, if a user is a member of several groups that have different levels of permissions to an object, the least restrictive permissions apply unless the user, or one of their groups have the no access box checked for that permission.

Standard File and Folder Permissions

  • Read(R) - View attributes, contents, and permissions. Can synchronize.
  • Write(W) - Can change attributes, and file contents. Can create files or folders. Can synchronize.
  • Read(R) and Execute(E) - Can change sub folders, perform read operations, and execute a file.
  • List Folder Contents - Can perfrom read and execute permissions on folders. Can view folder contents, attributes, permissions. Can synchronize and change to subfolders.
  • Modify - Perform Read, Execute, and Write permissions along with ability to delete.
  • Full Control - Can perform Modify functions (above), take ownership, and modify permissions.

Permissions assigned to directories are inherited (default) by all files and subdirectories that are contained in the directory. The inheritance option, selected by default, may be deselected. Each file or directory has an Access Control List (ACL). To set permissions for additional users or groups, they are added to the ACL of the file or directory. Windows Explorer or the Cacls command line utility can be used to set permissions.

Special File and Folder Permissions

On the file or folder properties dialog, click the "Security" tab and the "Advanced" button to assign special file or folder permissions.

  • Traverse Folder/Execute File - .
  • List Folder/Read Data - .
  • Read Attributes - The user can read the attributes (archive, compress, hidden, etc.) of the file, but not read the contents of the file.
  • Read Extended Attributes - .
  • Create Files/Write Data - .
  • Create Folders/Append Data - .
  • Write Attributes - .
  • Write Extended Attributes - .
  • Delete Subfolders and Files - .
  • Delete - The user can delete the file.
  • Read Permissions - The user can read the file.
  • Change Permissions - Lets the user change permissions for the file, but not view or change the contents of the file.
  • Take Ownership - The user can take ownership of the file, but can't give it back.

These permissions can be applied to directories, files, and subdirectories with one of the following selections:

  • This folder, subfolders and files
  • This folder only
  • This folder and subfolders
  • This folder and files
  • Subfolders and files only
  • Subfolders only
  • Files only

File or Folder Creation, Moving, Copying and Permissions

  • Created Files or folders - Inherit permissions of the folder they are created in.
  • Moved or copied files or folders in the same NTFS volume - Keep their own original permissions.
  • Moved or copied files or folders in a different NTFS volume - Inherit the NTFS permissions of the destination folder.
  • Movement to any FAT volume - All permissions are lost.

Moving Files

When permissions are changed on a folder, by default, permissions are replaced on files in the folder, but not on subdirectories. This may be changed using the provided checkboxes such as "Replace Permissions on Subdirectories". When files are moved on NTFS partitions, if they are moved from one partition to another, it is as though they were copied. If files are moved to another folder, they retain their normal attributes including compression attribute reguardless of the attributes of the parent folder they are being moved to. When files are copied to another folder, they will adopt the attribute s of the folder they are being copied to.

NTFS File and Share Permissions

When these permissions are different, the most restrictive permissions are applied. The share and NTFS file permissions must overlap in order for the user to have the permission. That means to read a file, the user must have both read share and read NTFS permission.

When a user has full control permission for a folder, the permissions will apply to the files in the folder even though permission for an individual file in the folder may be set to NO ACCESS for that user.When a file or folder is moved, it retains its current permissions, but when it is copied, it inherits the permission of the parent folder or partition it is being copied to.

Ownership

If the owner's user is a member of the administrators group, the owner is the administrators group. Administrators do not have access to all resources, but they may take ownership of any resource. Once ownership is taken, it cannot be given back. Also taking ownership of a resources changes all existing permissions for that resource.

Delegated Permissions

Permissions that can be delegated include:

  • Create, delete, and manage user groups.
  • Create, delete, and manage user accounts.
  • Manage group policy links - Gourp policies assigned by organizational unit may be modified.
  • Modify group membership.
  • Read all user information.
  • Read user account passwords.

Setting Permissions

  1. Right click on the file or folder.
  2. Select properties
  3. Select the security tab on the properties sheet.
  4. Click on the permissions button.
  5. If the file you selected is a subdirectory there are the following check box choices:
    • Replace permissions on subdirectories - Permission changes are applied to all sub folders.
    • Replace permissions on existing files - Permissions are applied to all files in the folder. If both are selected, permissions are applied to all sub folders and files in all files in the folder and its sub folders.
  6. Click on OK to exit the permissions box and OK to exit the properties box.

Disk Quotas

Disk quotas are used to track the use of disk space for each user. They are normally disabled and are only supported on NTFS file systems. Quotas are tracked per partition and per user using ownership information to account for resource use. Compressed file sizes are measured according to the uncompressed file size.

Disk quotas may be viewed and administered by using the "Disk Management" tool to select the properties dialog box of the disk or volume. The "Quota" tab contains quota information and management functions. Quota management must be enabled. Warning levels may be set and hard limits may also be set. Disk space may be denied to users who exceed their quota limit. The events may be logged when the user exeeds their warning and/or quota limit.

Windows Explorer can be used to setup and monitor disk quotas. Windows Explorer local disk properties tabs:

  • General
  • Tools
  • Hardware
  • Sharing
  • Security
  • Quota - Used to enable quota management, deny disk space if the quota is exceeded, limit the disk space and set where the disk quota warning is given. You can also log when the user exceeds their warning level or quota level. The "Quota Entries" selection box is used to view quota utilization for the volume. To modify the quota levels for any given user, double click the user's entry.
  • Web Sharing