MCSE Training Kit, Microsoft Windows 2000 Active Directory Services [Electronic resources]

Jill Spealman


Lesson 3: Assigning Special Permissions

The standard NTFS permissions generally provide all of the access control that you need to secure your resources. However, there are instances in which the standard NTFS permissions do not provide the specific level of access that you may want to assign to users. To create a specific level of access, you can assign NTFS special permissions. This lesson introduces the NTFS special permissions. It then outlines the requirements and procedures for taking ownership of a folder or file.

After this lesson, you will be able to

Define special permissions

Give users the ability to change permissions on files or folders

Give users the ability to take ownership of files and folders

Explain the concept of taking ownership of a file or folder

Take ownership of a file or folder

Estimated lesson time: 20 minutes

Special Permissions

Special permissions provide an additional level of access to assign to users. Table 9.8 lists the special permissions that can be assigned to files and folders.

Table 9.8 Special File and Folder Permissions

| Special Permission | Function |
|---|---|
| Traverse Folder/Execute File | Traverse Folder allows or denies moving through folders that the user does not have permission to access, to reach files or folders that the user does have permission to access (applies to folders only). Traverse Folder takes effect only when the group or user is not granted the Bypass Traverse Checking user right in group policy. (By default, the Everyone group is given the Bypass Traverse Checking user right.) Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder. Execute File allows or denies running program files (applies to files only). |
| List Folder/Read Data | List Folder allows or denies viewing file names and subfolder names within the folder (applies to folders only). Read Data allows or denies viewing data in files (applies to files only). |
| Read Attributes | Allows or denies viewing the attributes of a file or folder, such as read-only and hidden. Attributes are defined by NTFS. |
| Read Extended Attributes | Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary. |
| Create Files/Write Data | Create Files allows or denies creating files within the folder (applies to folders only). Write Data allows or denies making changes to the file and overwriting existing content (applies to files only). |
| Create Folders/Append Data | Create Folders allows or denies creating folders within a folder (applies to folders only). Append Data allows or denies making changes to the end of the file but not changing, deleting, or overwriting existing data (applies to files only). |
| Write Attributes | Allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS. |
| Write Extended Attributes | Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary. |
| Delete Subfolders and Files | Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file. |
| Delete | Allows or denies deleting the file or folder. If you don't have Delete permission on a file or folder, you can still delete it if you have been granted the Delete Subfolders and Files permission on the parent folder. |
| Read Permissions | Allows or denies reading permissions for the file or folder, such as Full Control, Read, and Write. |
| Change Permissions | Allows or denies changing permissions for the file or folder, such as Full Control, Read, and Write. |
| Take Ownership | Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder. |
| Synchronize | Allows or denies different threads waiting on the handle for the file or folder and synchronizing with another thread that may signal it. This permission applies only to multithreaded, multiprocess programs. |

Special permissions are set in the Permission Entry For dialog box for the file or folder. This dialog box is accessed by selecting Advanced on the Security tab of the Properties dialog box for the file or folder, and then selecting View/Edit for a permission entry in the Access Control Settings For dialog box for the file or folder.

Each of the standard file and folder permissions consists of a logical group of special permissions. Table 9.9 lists each standard file or folder permission and specifies which special permissions are associated with the standard permission.

Table 9.9

| Special Permission | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write |
|---|---|---|---|---|---|---|
| Traverse Folder/Execute File | x | x | x | x | | |
| List Folder/Read Data | x | x | x | x | x | |
| Read Attributes | x | x | x | x | x | |
| Read Extended Attributes | x | x | x | x | x | |
| Create Files/Write Data | x | x | | | | x |
| Create Folders/Append Data | x | x | | | | x |
| Write Attributes | x | x | | | | x |
| Write Extended Attributes | x | x | | | | x |
| Delete Subfolders and Files | x | | | | | |
| Delete | x | x | | | | |
| Read Permissions | x | x | x | x | x | x |
| Change Permissions | x | | | | | |
| Take Ownership | x | | | | | |
| Synchronize | x | x | x | x | x | x |

NOTE Although the List Folder Contents and Read & Execute standard permissions appear to have the same special permissions, these special permissions are inherited differently. List Folder Contents is inherited by folders but not files, and it only appears when you view folder permissions. Read & Execute is inherited by both files and folders and is always present when you view file or folder permissions.

When you assign special permissions to folders, you can choose where to apply the permissions down the tree to subfolders and files.

The Change Permissions and Take Ownership special permissions are particularly useful for controlling access to resources.

Change Permissions

Using the Change Permissions special permission, you can give other administrators and users the ability to change permissions for a file or folder without giving them the Full Control permission over the file or folder. In this way, the administrator or user cannot delete or write to the file or folder but can assign permissions to the file or folder.

To give administrators the ability to change permissions, assign Change Permissions to the Administrators group for the file or folder.

Take Ownership

Using the Take Ownership special permission, you can give users or groups the ability to take ownership of files or folders. As an administrator, you can take ownership of a file or folder.

The following rules apply for taking ownership of a file or folder:

The current owner or any user with Full Control permission can assign the Full Control standard permission or the Take Ownership special permission to another user account or group, allowing the user account or a member of the group to take ownership.

An administrator can take ownership of a file or folder, regardless of assigned permissions. If an administrator takes ownership, the Administrators group becomes the owner and any member of the Administrators group can change the permissions for the file or folder and assign the Take Ownership permission to another user account or group.

For example, if an employee leaves the company, an administrator can take ownership of the employee's files, assign the Take Ownership permission to another employee, and then that employee can take ownership of the former employee's files.

IMPORTANT You cannot assign anyone ownership of a file or folder. The owner of a file, an administrator, or anyone with Full Control permission can assign Take Ownership permission to a user account or group, allowing that user to take ownership. To become the owner of a file or folder, a user or group member with Take Ownership permission must explicitly take ownership of the file or folder, as explained later in this chapter.
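The Change Permissions and Take Ownership entries deserve particular attention when you review permissions: the owner can always change permissions (Table 9.8), and a holder of Change Permissions can grant itself any other right, so either one is, in effect, a path to Full Control and should be reviewed as such. The following PowerShell script is an added example and is not from the training kit. It walks a folder tree with Get-Acl, reports every Allow entry that grants either special permission to a principal outside an expected set, and decomposes the entry's access mask into the special permission names of Table 9.8. The starting folder C:\Data and the list of expected principals are assumptions.

```powershell
# Added example, not from the training kit. Assumed: the $Root folder and the list of
# principals that are expected to hold these rights.

# Table 9.8 names and the NTFS access-mask bit each one corresponds to.
$SpecialBits = [ordered]@{
    'Traverse Folder/Execute File' = 0x20
    'List Folder/Read Data'        = 0x01
    'Read Attributes'              = 0x80
    'Read Extended Attributes'     = 0x08
    'Create Files/Write Data'      = 0x02
    'Create Folders/Append Data'   = 0x04
    'Write Attributes'             = 0x100
    'Write Extended Attributes'    = 0x10
    'Delete Subfolders and Files'  = 0x40
    'Delete'                       = 0x10000
    'Read Permissions'             = 0x20000
    'Change Permissions'           = 0x40000
    'Take Ownership'               = 0x80000
    'Synchronize'                  = 0x100000
}

# Inherit-only entries are often stored with generic rights; expand those to the
# file-specific masks Windows maps them to before testing individual bits.
function Expand-GenericRights([int64]$Mask) {
    $specific = $Mask -band 0x0FFFFFFFL
    if ($Mask -band 0x80000000L) { $specific = $specific -bor 0x120089L }  # GENERIC_READ
    if ($Mask -band 0x40000000L) { $specific = $specific -bor 0x120116L }  # GENERIC_WRITE
    if ($Mask -band 0x20000000L) { $specific = $specific -bor 0x1200A0L }  # GENERIC_EXECUTE
    if ($Mask -band 0x10000000L) { $specific = $specific -bor 0x1F01FFL }  # GENERIC_ALL
    return $specific
}

# Turn an access mask into the Table 9.8 names it contains.
function ConvertTo-SpecialPermissionNames([int64]$Mask) {
    $specific = Expand-GenericRights $Mask
    foreach ($entry in $SpecialBits.GetEnumerator()) {
        if ($specific -band $entry.Value) { $entry.Name }
    }
}

function Find-DelegatedControlEntries {
    param(
        [string]$Root = 'C:\Data',
        [string[]]$ExpectedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    $watch = $SpecialBits['Change Permissions'] -bor $SpecialBits['Take Ownership']
    $items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            # FileSystemRights is a signed enum; keep only the 32-bit access mask.
            $mask = [int64]$ace.FileSystemRights.value__ -band 0xFFFFFFFFL
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ExpectedPrincipals -contains $ace.IdentityReference.Value) { continue }
            if (((Expand-GenericRights $mask) -band $watch) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Inherited = $ace.IsInherited
                Special   = (ConvertTo-SpecialPermissionNames $mask) -join ', '
            }
        }
    }
}

Find-DelegatedControlEntries | Format-Table -AutoSize
```

Entries that carry Full Control are reported too, because Full Control contains both bits (Table 9.9). Inherited entries are listed with Inherited set to True so you can trace them back to the folder where they were granted rather than treating each file as a separate finding.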

Setting Special Permissions

You can assign the Change Permissions or Take Ownership special permissions to enable users to change permissions and take ownership of files and folders.

To set Change Permissions or Take Ownership permissions

Locate the file or folder for which you want to apply special permissions. Right-click the file or folder, click Properties, then click the Security tab.

Click Advanced.

In the Access Control Settings For dialog box (see Figure 9.5) for a file or folder, in the Permissions tab, select the user account or group for which you want to apply special permissions.

Figure 9.5 Access Control Settings For dialog box for the Program Files folder

On the Access Control Settings For dialog box, you can view the permissions that are applied to the file or folder, the owner, and where the permissions apply.

For the Allow Inheritable Permissions From Parent To Propagate To This Object check box:

Check the box to specify that this object will inherit permissions from the parent folder.

Clear the box to specify that this object will not inherit any permissions from the parent folder.

For the Reset Permissions On All Child Objects And Enable Propagation Of Inheritable Permissions check box:

Check the box to reset any existing permissions on child objects so that the child objects will inherit permissions from the parent object.

Clear the box to not reset any existing permissions on child objects so that the child objects will not inherit permissions from the parent object.

Click View/Edit to open the Permission Entry For dialog box for the file or folder (see Figure 9.6).

Figure 9.6 Permission Entry For dialog box for the Program Files folder

The options in the Permission Entry For dialog box are described in Table 9.10.

Table 9.10 Options in the Permission Entry For Dialog Box

| Option | Description |
|---|---|
| Name | The user account or group name. To select a different user account or group, click Change. |
| Apply Onto | The level of the folder hierarchy at which the special NTFS permissions are inherited. The default is This folder, subfolders, and files. |
| Permissions | The special permissions. To allow the Change Permissions permission or Take Ownership permission, select the Allow check box. |
| Apply These Permissions To Objects And/Or Containers Within This Container Only | Specify whether subfolders and files within a folder inherit the special permissions from the folder. Select this check box to propagate the special permissions to files and subfolders. Clear this check box to prevent permissions inheritance. |
| Clear All | Click this button to clear all selected permissions. |
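The same permission entry can be created from the command line. The following PowerShell script is an added example and is not from the training kit; it builds the entry that the Permission Entry For dialog box would show, with Change Permissions and Take Ownership allowed and Apply Onto set to This folder, subfolders, and files, adds it with Get-Acl and Set-Acl, and reads it back. The folder C:\Data\Projects, the account User83, and the domain name CONTOSO are assumptions.

```powershell
# Added example, not from the training kit. The folder, the account and the domain
# name CONTOSO are assumptions; substitute your own.
$Path      = 'C:\Data\Projects'
$Principal = 'CONTOSO\User83'

# Permissions: the two special permissions this lesson focuses on, nothing else.
$rights = [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
          [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# Apply Onto = "This folder, subfolders, and files".
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
           [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
# PropagationFlags::None lets the entry flow down the whole tree; NoPropagateInherit is
# the equivalent of the "Apply These Permissions To Objects And/Or Containers Within
# This Container Only" check box.
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$ace = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $Principal, $rights, $inherit, $propagate,
    [System.Security.AccessControl.AccessControlType]::Allow
)

$acl = Get-Acl -LiteralPath $Path
# Clearing "Allow Inheritable Permissions From Parent To Propagate To This Object" is
# SetAccessRuleProtection($true, ...); the second argument is $true to copy the
# inherited entries onto the object or $false to drop them. Left disabled here.
# $acl.SetAccessRuleProtection($true, $true)
$acl.AddAccessRule($ace)
Set-Acl -LiteralPath $Path -AclObject $acl

# Read the entry back as the Permission Entry For dialog box would show it.
(Get-Acl -LiteralPath $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType,
                  InheritanceFlags, PropagationFlags, IsInherited
```

Whoever runs this needs Change Permissions (or Full Control) on the folder, exactly as for the dialog box. To undo the grant, build the same rule and call `$acl.RemoveAccessRule($ace)` before `Set-Acl`.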

Taking Ownership of a File or Folder

To take ownership of a file or folder, the user or a group member with Take Ownership permission must explicitly take ownership of the file or folder.

To take ownership of a file or folder

In the Access Control Settings For dialog box for the file or folder, in the Owner tab, in the Change Owner To list, select your name.

Select the Replace Owner On Subcontainers And Objects check box to take ownership of all objects and subcontainers within the folder.

Click OK.
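The Owner tab steps have a command-line equivalent as well. The following PowerShell script is an added example and is not from the training kit; it sets the owner of a file or folder to the account running the script, optionally repeats that for everything beneath a folder (the Replace Owner On Subcontainers And Objects check box), and then reads the owner back. The path C:\Data\OWNER.TXT is an assumption, and the function name Set-OwnerToSelf is the example's own.

```powershell
# Added example, not from the training kit. $Path is an assumption.
$Path = 'C:\Data\OWNER.TXT'

# The account running this script, in the DOMAIN\name form the Owner tab shows.
$me       = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$newOwner = [System.Security.Principal.NTAccount]$me.Name

function Set-OwnerToSelf([string]$Target) {
    $acl = Get-Acl -LiteralPath $Target
    $acl.SetOwner($newOwner)          # only the owner section is changed and written
    Set-Acl -LiteralPath $Target -AclObject $acl
}

Set-OwnerToSelf $Path

# "Replace Owner On Subcontainers And Objects": repeat for the whole tree under a folder.
if (Test-Path -LiteralPath $Path -PathType Container) {
    Get-ChildItem -LiteralPath $Path -Recurse -Force |
        ForEach-Object { Set-OwnerToSelf $_.FullName }
}

# Verify, as the Owner tab would show it.
(Get-Acl -LiteralPath $Path).Owner
```

Get-Acl needs Read Permissions on the object and Set-Acl with a new owner needs Take Ownership, the same rights the dialog box requires. Setting the owner to yourself is the only change Take Ownership allows; assigning ownership to a different account requires the Restore Files And Directories privilege, which is why the Change Owner To list offers only your own name (and, for administrators, the Administrators group).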

Practice: Taking Ownership of a File

In this practice you observe the effects of taking ownership of a file. To do this, you determine permissions for a file, assign the Take Ownership permission to a user account, and then take ownership as that user.

To determine the permissions for a file

Log on to your domain as Administrator, then start Windows Explorer.

In the C:\Data directory (where C:\ is the name of your system drive), create a text file named OWNER.TXT.

Right-click OWNER.TXT, then click Properties.

Microsoft Windows 2000 displays the OWNER.TXT Properties dialog box with the General tab active.

Click the Security tab to display the permissions for the OWNER.TXT file.

What are the current allowed permissions for OWNER.TXT?

Click Advanced.

Windows 2000 displays the Access Control Settings For OWNER.TXT dialog box with the Permissions tab active.

Click the Owner tab.

Who is the current owner of the OWNER.TXT file?

Answers

To assign permission to a user to take ownership

In the Access Control Settings For OWNER.TXT dialog box, click the Permissions tab.

Click Add.

Windows 2000 displays the Select User, Computer, Or Group dialog box.

In the Look In list at the top of the dialog box, select your domain.

Under Name, click User83, then click OK.

Windows 2000 displays the Permission Entry For OWNER.TXT dialog box.

Notice that all of the permission entries for User83 are blank.

Under Permissions, select the Allow check box next to Take Ownership.

Click OK.

Windows 2000 displays the Access Control Settings For OWNER.TXT dialog box with the Permissions tab active.

Click OK to return to the OWNER.TXT Properties dialog box.

Click OK to apply your changes and close the OWNER.TXT Properties dialog box.

Close all applications, then log off Windows 2000.

To take ownership of a file

Log on to your domain as User83, then start Windows Explorer.

Expand the C:\Data directory.

Right-click OWNER.TXT, then click Properties.

Windows 2000 displays the OWNER.TXT Properties dialog box with the General tab active.

Click the Security tab to display the permissions for OWNER.TXT.

Windows 2000 displays the Security message box, indicating that you can only view the current permission information on OWNER.TXT.

Click OK.

Windows 2000 displays the OWNER.TXT Properties dialog box with the Security tab active.

Click Advanced to display the Access Control Settings For OWNER.TXT dialog box, then click the Owner tab.

Who is the current owner of OWNER.TXT?

Under Name, select User83, then click Apply.

Who is the current owner of OWNER.TXT?

Click OK to close the Access Control Settings For OWNER.TXT dialog box.

Windows 2000 displays the OWNER.TXT Properties dialog box with the Security tab active.

Click OK to close the OWNER.TXT Properties dialog box.

Answers

To test permissions for a file as the owner

While you are logged on as User83, assign User83 the Full Control permission for the OWNER.TXT file, then click Apply.

Clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box.

In the Security dialog box, click Remove to remove permissions from the Users group and the Administrators group for the OWNER.TXT file.

Were you successful? Why or why not?

Click OK to close the OWNER.TXT Properties dialog box.

Delete the OWNER.TXT file.

Close all applications.

Answers

Lesson Summary

In this lesson you learned about special permissions. You learned specifically about two of them: Change Permissions and Take Ownership. You can give administrators and other users the ability to change permissions for a file or folder without giving them the Full Control permission over the file or folder. This prevents the administrator or user from deleting or writing to the file or folder, but it allows them to assign permissions to the file or folder.

You also learned how to use the Take Ownership special permission to give users or groups the ability to take ownership of files or folders. The current owner or any user with Full Control permission can assign the Full Control standard permission or the Take Ownership special permission to another user account or group, allowing the user account or a member of the group to take ownership. You cannot assign anyone ownership of a file or folder. To become the owner of a file or folder, a user or group member with Take Ownership permission must explicitly take ownership of the file or folder.

An administrator can take ownership of a folder or file, regardless of assigned permissions. When an administrator takes ownership of a file or folder, the Administrators group becomes the owner and any member of the Administrators group can change the permissions for the file or folder and assign the Take Ownership permission to another user account or group.

In the practice portion of this lesson you determined the permissions for a file, assigned the Take Ownership permission to a user account, and then took ownership as that user.