Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] - Text version


Roberta Bragg

Permissions: Tasks


NTFS Permissions


NTFS permissions are the primary means of controlling access to
filesystem resources on WS2003. To assign or modify NTFS permissions
on a file or folder, you must either:

  • Be the owner (creator) of the file or folder

  • Have Full Control permission on the file or folder

  • Be a member of the Administrators group


To assign NTFS permissions, you can use Windows Explorer or My
Computer. The following procedures assume you have already selected
the file or folder whose permissions you want to assign or modify.


New to WS2003 is the Special Permissions checkbox. When this box is
checked, it indicates that standard permissions have been modified by
adding or removing special permissions.

Assign Standard Permissions to a File


Right-click on file → Properties → Security → Add → select domain → select user or group → Add → allow or deny standard permissions

Unless you explicitly allow different permissions, when you assign
NTFS standard file permissions to a user or group, the default
permissions assigned are Allow Read & Execute.

When you try to allow or deny different combinations of NTFS standard
permissions, you will discover that not all combinations are allowed.
For example, if you try to allow Full Control, then all five
checkboxes under Allow automatically become checked. Table 4-41 shows the permissible combinations of NTFS
standard permissions that can be assigned using the Security tab.

Table 4-41. Allowable combinations of NTFS standard permissions

Selecting


Automatically selects


Full Control


Modify


Read & Execute


Read


Write


Full Control


Yes


Yes


Yes


Yes


Yes


Modify


Yes


Yes


Yes


Read & Execute


Yes


Yes


Read


Yes


Write


Yes

Unfortunately, Table 4-41 doesn't
tell the whole story and works only if you are allowing standard
permissions and not denying them. If you both allow and deny
permissions, other combinations are possible, while many
aren't. Furthermore, the Security tab
doesn't always show the whole picture. For example,
if you first allow Full Control permission, which causes all five
checkboxes under Allow to be checked and then deselect the checkbox
for Modify, the result is a configuration not displayed in Table 4-41, namely the combination of allowed Read
& Execute, Read, and Write permissions. A message then appears
beside the Advanced button saying, "Additional
permissions are present but not viewable here. Press Advanced to see
them." Finally, when special permissions (described
later in this section) are assigned to a file or folder, this same
message appears on the Security tab while the standard permissions
for that user or group are displayed as unassigned. The moral of the
story may be that the GUI here is simply too smart for its own good,
and unless you have a good grasp of the 18 underlying NTFS special
permissions, it's easy to get confused by
what's going on.

If the checkboxes for standard permissions are checked but filled
(grayed out), these permissions are inherited from the parent folder
(or the volume if the file is in the root directory). When you create
a file or save a document in a folder, it automatically inherits the
permissions of its parent folder. When you assign new permissions to
a file for a user or group, however, these permissions are never
grayed out since they are assigned, not inherited.

If you deselect the checkbox labeled "Allow
inheritable permissions from parent to propagate to this
object" before clicking Apply or OK, a warning will
appear saying that you are preventing permissions being inherited to
the file from its parent folder. You are given two options:

Copy



This copies the permissions of the parent folder to your file but
breaks the chain of permissions inheritance from the parent to the
child. If the child were a folder instead of a file, it would become
the root of a new chain of inherited permissions.


Remove



This removes the permissions of the parent folder from your file and
breaks the chain of permissions inheritance. Again, if the child were
a folder instead of a file, it would become the root of a new chain
of inherited permissions.



Assign Standard Permissions to a Folder


Right-click on folder → Properties → Security → Add → select domain → select user or group → Add → allow or deny standard permissions

Unless you allow or deny different permissions, when you
assign NTFS standard folder permissions to a user or group, the
default permissions assigned are Allow Read & Execute. Otherwise,
the behavior here is similar to that in Assign Standard
Permissions to a File earlier in this section, except that
there are six standard folder permissions instead of only five
standard file permissions (the sixth folder permission is List Folder
Contents).

Assign Special Permissions to a File


Right-click on file → Properties → Security → Advanced → Add → select domain → select user or group → allow or deny special permissions

Unlike assigning standard permissions where selecting one checkbox
may cause others to magically become selected or deselected as well,
assigning special permissions is more straightforward: you can assign
any combination of these 13 special file permissions, the only caveat
being that you can't allow and deny a permission at
the same time.

Clearing the checkbox "Allow inheritable permissions
from parent to propagate to this object" will break
the chain of permissions inheritance from the parent folder to the
selected file.

Assign Special Permissions to a Folder


Right-click on folder → Properties → Security → Advanced → Add → select domain → select user or group → allow or deny special permissions

The behavior here is similar to that in Assign Standard
Permissions to a File earlier in this section, except that
with folders you have two additional options:

Apply onto



Lets you apply your special permissions to either:

  • This folder, subfolders, and files (the default)

  • This folder only

  • This folder and subfolders

  • This folder and files

  • Subfolders and files only

  • Subfolders only

  • Files only



Apply these permissions to objects and/or containers within this container only



You have to select this checkbox if you want your selection in the
"Apply onto" listbox to actually
work. This is an "Are you sure?"
kind of checkbox.



As in Assign Standard Permissions to a File
earlier in this section, clearing the checkbox
"Allow inheritable permissions from parent to
propagate to this object" breaks the chain of
permissions inheritance from the parent folder to the selected
folder.

An additional option for folders appears here:
"Reset permissions on all child objects and enable
propagation of inheritable permissions." Selecting
this checkbox removes all explicitly defined permissions on all child
objects (the tree of files and subfolders within your folder) and
turns on inheritance between the selected folder and the child
objects within it. Only inherited permissions propagated downward
from your folder will be in effect. After you confirm the action, the
checkbox automatically clears itself in case
you need to apply it again later.
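
The "Apply onto" choices and the Copy and Remove options described above are stored as flags in the ACL itself, which a script can set and read back. The following PowerShell script is an added example, not part of the original text; it assumes a Windows host with PowerShell, and the scratch folder under the temp directory and the BUILTIN\Users group are illustrative choices.

```powershell
# Added example (not from the book). Scratch paths and BUILTIN\Users are assumptions.
$ErrorActionPreference = 'Stop'
$ruleType = 'System.Security.AccessControl.FileSystemAccessRule'

# "Apply onto" choice -> InheritanceFlags, PropagationFlags stored in the ACE
$applyOnto = @{
    'This folder, subfolders, and files' = 'ContainerInherit,ObjectInherit', 'None'
    'This folder only'                   = 'None', 'None'
    'This folder and subfolders'         = 'ContainerInherit', 'None'
    'This folder and files'              = 'ObjectInherit', 'None'
    'Subfolders and files only'          = 'ContainerInherit,ObjectInherit', 'InheritOnly'
    'Subfolders only'                    = 'ContainerInherit', 'InheritOnly'
    'Files only'                         = 'ObjectInherit', 'InheritOnly'
}

function Show-Dacl($path) {
    $acl = Get-Acl -Path $path
    Write-Host "$path (inheritance blocked: $($acl.AreAccessRulesProtected))"
    $acl.Access | Format-Table IdentityReference, AccessControlType, FileSystemRights,
        IsInherited, InheritanceFlags, PropagationFlags -AutoSize | Out-Host
}

# Scratch tree: <temp>\acl-demo-<guid>\sub and <temp>\acl-demo-<guid>\file.txt
$parent = Join-Path ([System.IO.Path]::GetTempPath()) ("acl-demo-" + [Guid]::NewGuid())
$sub = Join-Path $parent 'sub'; $file = Join-Path $parent 'file.txt'
New-Item -ItemType Directory -Path $parent, $sub | Out-Null
Set-Content -Path $file -Value 'demo'

# Allow Write to BUILTIN\Users (well-known SID S-1-5-32-545), applied onto "Files only"
$users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$flags = $applyOnto['Files only']
$acl = Get-Acl -Path $parent
$acl.AddAccessRule((New-Object $ruleType -ArgumentList $users, 'Write', $flags[0], $flags[1], 'Allow'))
Set-Acl -Path $parent -AclObject $acl

# "Copy" on the subfolder: block inheritance, keep inherited ACEs as explicit ones
$a = Get-Acl -Path $sub
$a.SetAccessRuleProtection($true, $true)
Set-Acl -Path $sub -AclObject $a

# "Remove" on the file: block inheritance and drop inherited ACEs. An explicit ACE
# for the current user is added first so the DACL is not left empty.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$b = Get-Acl -Path $file
$b.AddAccessRule((New-Object $ruleType -ArgumentList $me, 'FullControl', 'Allow'))
$b.SetAccessRuleProtection($true, $false)
Set-Acl -Path $file -AclObject $b

$parent, $sub, $file | ForEach-Object { Show-Dacl $_ }
```

The final listing shows the ACE on the parent as explicit with ObjectInherit and InheritOnly, and reports inheritance as blocked on both children; the scratch folder is left in place for inspection.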

Modify Standard Permissions on a File or Folder


Right-click on file or folder → Properties → Security → select name → allow or deny standard permissions

For more information, see the earlier Assign Standard Permissions to a
File.

Modify Special Permissions on a File or Folder


Right-click on file or folder → Properties → Security → Advanced → select name → View/Edit

For more information, see the earlier Assign Standard Permissions to a File.

Take Ownership of a File or Folder


Windows Explorer → right-click on a drive, file, or folder → Properties → Security → Advanced → Owner → Other Users and Groups → choose a new owner

The only users listed on the Owner tab are the currently
logged-on user and the Administrators group. You must have Take
Ownership permission on the file or folder to be able to take
ownership of it. When you take ownership of a folder, you can
optionally take ownership of all subdirectories and their files.

View Effective Permissions


New to WS2003 is a feature that allows you to view the effective NTFS
permissions on a resource for a specified user or group:

Windows Explorer → right-click on a drive, file, or folder → Properties → Security → Advanced → Effective Permissions → Select → specify user or group → view effective permissions

This feature is useful for viewing the effective permissions when
users belong to several groups and these groups are assigned
different permissions on a resource.
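
When several ACEs match a user and the user's groups, the effective result depends on the order of the entries in the ACL, with earlier entries taking precedence bit by bit. The following PowerShell function is an added example, not part of the original text, and it makes assumptions: it evaluates only the current user, reads only the NTFS DACL, and uses a constructed scratch file with Everyone as the denied group.

```powershell
# Added example (not from the book): approximates the Effective Permissions tab
# for the current user only. Ignores share permissions, privileges and ownership.
function Get-EffectiveFileRights([string]$Path) {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $granted = 0; $denied = 0
    # ACEs are read in DACL order; earlier entries win over later ones, bit by bit.
    foreach ($ace in (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)) {
        if ($sids -notcontains $ace.IdentityReference.Value) { continue }  # not our SID
        if ($ace.PropagationFlags -band $inheritOnly) { continue }         # children only
        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Deny') {
            $denied = $denied -bor ($mask -band (-bnot $granted))
        } else {
            $granted = $granted -bor ($mask -band (-bnot $denied))
        }
    }
    # Keep only the bits FileSystemRights defines (Full Control = 0x1F01FF).
    [System.Security.AccessControl.FileSystemRights]($granted -band 0x1F01FF)
}

# Constructed demo: the user is allowed Modify directly, while a group the user
# belongs to (Everyone, S-1-1-0) is denied Write. The file lives in the temp directory.
$ruleType = 'System.Security.AccessControl.FileSystemAccessRule'
$file = Join-Path ([System.IO.Path]::GetTempPath()) ("eff-demo-" + [Guid]::NewGuid() + ".txt")
Set-Content -Path $file -Value 'demo'
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$acl = Get-Acl -Path $file
$acl.AddAccessRule((New-Object $ruleType -ArgumentList $me, 'Modify', 'Allow'))
$acl.AddAccessRule((New-Object $ruleType -ArgumentList $everyone, 'Write', 'Deny'))
Set-Acl -Path $file -AclObject $acl
Get-EffectiveFileRights -Path $file
```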

Shared-Folder Permissions


To assign shared-folder permissions, you must first be able to access
the icon of the shared folder. The following procedures assume you
have already used Windows Explorer or some other tool to select the
shared folder with the permissions you want to assign or modify.

Assign Shared-Folder Permissions


Right-click on shared folder → Sharing → Permissions → Add → select domain → select user or group → Add → allow or deny shared-folder permissions

Unless you allow or deny different permissions, when you
assign shared-folder permissions to a user or group, the default
permission that is assigned is Allow Read.

When you try to allow or deny different combinations of shared-folder
permissions, you will discover that not all combinations are allowed.
For example, if you try to allow Full Control, then all three
checkboxes under Allow automatically become checked. Table 4-42 shows the permissible combinations of
shared-folder permissions that can be assigned using the Sharing tab.
These combinations work only if you are allowing permissions; if you
both allow and deny permissions, other combinations are possible.

Table 4-42. Allowable combinations of shared-folder permissions

Selecting


Automatically selects


Full Control


Change


Read


Full Control


Yes


Yes


Yes


Change


Yes


Read


Yes

Modify Shared-Folder Permissions


Right-click on shared folder → Sharing → Permissions → select name → allow or deny shared-folder permissions
