Windows 2000 Permissions
Every permission on a Windows 2000 system is set with two columns of check boxes:
- Allow - Grants the permission.
- Deny - A denied permission for a user or group overrides any Allow for that permission, even if the user is a member of a group that is granted it.
If neither box is checked, the permission is not granted to that user or group, but it is not denied either: if the user is in another group that has the permission, the user still gets it. Normally, when a user belongs to several groups with different levels of permission on an object, the least restrictive combination applies, unless the user or one of their groups has the Deny (no access) box checked for that permission.
Standard File and Folder Permissions
- Read(R) - View attributes, contents, and permissions. Can synchronize.
- Write(W) - Can change attributes, and file contents. Can create files or folders. Can synchronize.
- Read(R) and Execute(E) - Can change into subfolders, perform read operations, and run executable files.
- List Folder Contents - Can perform read and execute operations on folders. Can view folder contents, attributes, and permissions. Can synchronize and change to subfolders.
- Modify - Perform Read, Execute, and Write permissions along with ability to delete.
- Full Control - Can perform Modify functions (above), take ownership, and modify permissions.
Permissions assigned to directories are inherited (default) by all files and subdirectories that are contained in the directory. The inheritance option, selected by default, may be deselected. Each file or directory has an Access Control List (ACL). To set permissions for additional users or groups, they are added to the ACL of the file or directory. Windows Explorer or the Cacls command line utility can be used to set permissions.
Special File and Folder Permissions
On the file or folder properties dialog, click the "Security" tab and the "Advanced" button to assign special file or folder permissions.
- Traverse Folder/Execute File - Traverse Folder lets the user pass through a folder to reach a file or subfolder below it, even without permission on the folder itself. Execute File lets the user run program files.
- List Folder/Read Data - List Folder lets the user see the names of files and subfolders in a folder. Read Data lets the user view the contents of a file.
- Read Attributes - The user can read the attributes (archive, compress, hidden, etc.) of the file, but not read the contents of the file.
- Read Extended Attributes - The user can read the extended attributes of the file, which are defined by programs and may vary by program.
- Create Files/Write Data - Create Files lets the user create files in a folder. Write Data lets the user change or overwrite the contents of a file.
- Create Folders/Append Data - Create Folders lets the user create subfolders in a folder. Append Data lets the user add data to the end of a file without changing or deleting the existing contents.
- Write Attributes - The user can change the attributes (archive, compress, hidden, etc.) of the file or folder.
- Write Extended Attributes - The user can change the program-defined extended attributes of the file or folder.
- Delete Subfolders and Files - The user can delete subfolders and files within a folder, even without the Delete permission on those subfolders and files.
- Delete - The user can delete the file.
- Read Permissions - The user can read the permissions set on the file.
- Change Permissions - Lets the user change permissions for the file, but not view or change the contents of the file.
- Take Ownership - The user can take ownership of the file, but can't give it back.
These permissions can be applied to directories, files, and subdirectories with one of the following selections:
- This folder, subfolders and files
- This folder only
- This folder and subfolders
- This folder and files
- Subfolders and files only
- Subfolders only
- Files only
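The seven "apply onto" selections above are stored on the access control entry (ACE) as combinations of three inheritance flags. The following is an added example, not from the original page, that maps each selection to those flags and walks a constructed folder tree to show which objects the entry ends up in force on (the "within this container only" propagation check box is not modelled):

```python
# Added example, not from the original page: the seven "Apply onto" choices
# map to the inheritance flags NTFS stores on an access control entry (ACE).
# The folder tree below is constructed sample data.

CI = "CONTAINER_INHERIT_ACE"  # entry is inherited by subfolders
OI = "OBJECT_INHERIT_ACE"     # entry is inherited by files
IO = "INHERIT_ONLY_ACE"       # entry does not apply to the folder it is set on

APPLY_ONTO = {
    "This folder, subfolders and files": {CI, OI},
    "This folder only": set(),
    "This folder and subfolders": {CI},
    "This folder and files": {OI},
    "Subfolders and files only": {CI, OI, IO},
    "Subfolders only": {CI, IO},
    "Files only": {OI, IO},
}

# Constructed tree: a dict is a folder, None is a file.
TREE = {"Data": {
    "budget.xls": None,
    "Archive": {"2000.xls": None, "Q1": {"jan.xls": None}},
}}

def objects_receiving(tree, flags, prefix="", at_root=True):
    """List every object on which an ACE with these flags is in force."""
    hit = []
    for name, children in tree.items():
        path = prefix + name
        is_folder = children is not None
        if at_root:
            applies = IO not in flags          # IO: skip the folder itself
        elif is_folder:
            applies = CI in flags
        else:
            applies = OI in flags
        if applies:
            hit.append(path)
        # A folder passes the entry on as long as it can still reach
        # something below (OI alone rides through folders as inherit-only).
        if is_folder and (CI in flags or OI in flags):
            hit += objects_receiving(children, flags, path + "\\", at_root=False)
    return hit

def receives(selection, tree=TREE):
    """Objects in the tree that receive an entry set on the root with this selection."""
    return objects_receiving(tree, APPLY_ONTO[selection])

if __name__ == "__main__":
    for choice in APPLY_ONTO:
        print(f"{choice:36} -> {receives(choice)}")
```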
File or Folder Creation, Moving, Copying and Permissions
- Created Files or folders - Inherit permissions of the folder they are created in.
- Moved or copied files or folders in the same NTFS volume - Keep their own original permissions.
- Moved or copied files or folders in a different NTFS volume - Inherit the NTFS permissions of the destination folder.
- Movement to any FAT volume - All permissions are lost.
When permissions are changed on a folder, by default the permissions are replaced on the files in the folder but not on its subdirectories. This can be changed with the check boxes provided, such as "Replace Permissions on Subdirectories". When files are moved between NTFS partitions, the move behaves like a copy. When files are moved to another folder on the same partition, they retain their own attributes, including the compression attribute, regardless of the attributes of the destination folder. When files are copied to another folder, they adopt the attributes of the folder they are copied to.
NTFS File and Share Permissions
When these permissions are different, the most restrictive permissions are applied. The share and NTFS file permissions must overlap in order for the user to have the permission. That means to read a file, the user must have both read share and read NTFS permission.
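The two combination rules the page describes (Deny overrides Allow across group memberships, then share and NTFS permissions overlap when the object is reached through a share) can be modelled directly. This is an added example, not from the original page; the users, groups, ACL and share name are constructed:

```python
# Added example, not from the original page: models the two combination
# rules described above. Users, groups and the ACL are constructed sample data.

def effective_ntfs(user, groups, acl):
    """Permissions a user holds on an NTFS object.

    acl: list of (principal, "allow" | "deny", permission). Allows from the
    user and every group they belong to are combined (least restrictive
    wins); any Deny matching the user or one of their groups then strips
    that permission no matter who allowed it.
    """
    principals = {user, *groups}
    allowed = {p for who, kind, p in acl if who in principals and kind == "allow"}
    denied = {p for who, kind, p in acl if who in principals and kind == "deny"}
    return allowed - denied

# Windows 2000 share permission levels expressed as the actions they cover.
SHARE_LEVELS = {
    "Read": {"Read", "Execute"},
    "Change": {"Read", "Execute", "Write", "Delete"},
    "Full Control": {"Read", "Execute", "Write", "Delete",
                     "Change Permissions", "Take Ownership"},
}

def effective_over_share(user, groups, acl, share_level):
    """Access through a share: the user needs both the share and the NTFS
    permission, so only the overlap (the most restrictive set) survives."""
    return effective_ntfs(user, groups, acl) & SHARE_LEVELS[share_level]

# Constructed ACL on a hypothetical \\SERVER\Reports share.
REPORTS_ACL = [
    ("Sales", "allow", "Read"),
    ("Sales", "allow", "Write"),
    ("Everyone", "allow", "Execute"),
    ("Contractors", "deny", "Write"),   # beats the Sales allow for alice
    ("alice", "allow", "Delete"),
]
ALICE_GROUPS = ["Sales", "Contractors", "Everyone"]

if __name__ == "__main__":
    print("local NTFS access:", effective_ntfs("alice", ALICE_GROUPS, REPORTS_ACL))
    print("through Read share:", effective_over_share("alice", ALICE_GROUPS, REPORTS_ACL, "Read"))
```

Locally alice keeps Read, Execute and Delete (Write is stripped by the Contractors deny); through a share granting only Read she is left with Read and Execute.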
When a user has Full Control permission on a folder, that permission applies to the files in the folder even if an individual file in the folder is set to NO ACCESS for that user. When a file or folder is moved, it retains its current permissions, but when it is copied, it inherits the permissions of the parent folder or partition it is copied to.
If the owning user is a member of the Administrators group, the owner is the Administrators group. Administrators do not have access to all resources, but they may take ownership of any resource. Once ownership is taken, it cannot be given back. Taking ownership of a resource also changes all existing permissions on that resource.
Permissions that can be delegated include:
- Create, delete, and manage user groups.
- Create, delete, and manage user accounts.
- Manage group policy links - Group policies assigned by organizational unit may be modified.
- Modify group membership.
- Read all user information.
- Read user account passwords.
Setting Permissions
- Right click on the file or folder.
- Select Properties.
- Select the Security tab on the properties sheet.
- Click on the Permissions button.
- If the item you selected is a directory, the following check box choices are available:
  - Replace permissions on subdirectories - Permission changes are applied to all subfolders.
  - Replace permissions on existing files - Permissions are applied to all files in the folder. If both are selected, permissions are applied to all files and subfolders in the folder and in all of its subfolders.
- Click OK to exit the permissions box and OK to exit the properties box.
Disk Quotas
Disk quotas are used to track the disk space used by each user. They are disabled by default and are supported only on NTFS file systems. Quotas are tracked per partition and per user, using ownership information to account for resource use. Compressed files are measured by their uncompressed size.
Disk quotas may be viewed and administered by using the "Disk Management" tool to open the properties dialog box of the disk or volume. The "Quota" tab contains quota information and management functions. Quota management must be enabled before quotas take effect. Warning levels and hard limits may be set. Disk space may be denied to users who exceed their quota limit, and an event may be logged when a user exceeds their warning level and/or quota limit.
Windows Explorer can be used to set up and monitor disk quotas. Windows Explorer local disk properties tabs:
- Quota - Used to enable quota management, deny disk space if the quota is exceeded, limit the disk space and set where the disk quota warning is given. You can also log when the user exceeds their warning level or quota level. The "Quota Entries" selection box is used to view quota utilization for the volume. To modify the quota levels for any given user, double click the user's entry.
- Web Sharing