The folder/file structure on an NTFS drive can be complicated, with many folders and nested folders. In addition, because you can assign permissions to groups and at different levels on an NTFS volume, figuring out the effective permissions of a particular folder or file for a particular user can be tricky.
Table 6-2
Inherited permissions OBJECT NTFS PERMISSIONS
Data Grant Allow full control (explicit)
Folder1 Allow full control (inherited) Folder2 Allow full control (inherited)
File1 Allow full control (inherited)
Table 6-3
Explicit permissions overwrite
inherited permissions OBJECT NTFS PERMISSIONS
Data Grant Allow full control (explicit)
Folder1 Allow full control (explicit)
Folder2 Allow full control (inherited)
File1 Allow full control (inherited)
For example, say you have a folder called Data. Within the Data folder, you have Folder1, and within Folder1, you have Folder2. If you grant Allow full control to a user account, the Allow full control permission will flow down to the subfolders and files within the Data folder.
In comparison, if you grant Allow full control on the Data folder to a user account and you grant Allow read permission to Folder1, the Allow read permission will overwrite the inherited permissions and will then flow down to Folder2 and File1.
c06FileandPrintServices.indd Page 163 12/14/10 3:58:54 PM user-s146
c06FileandPrintServices.indd Page 163 12/14/10 3:58:54 PM user-s146 /Users/user-s146/Desktop/Merry_X-Mas/New/Users/user-s146/Desktop/Merry_X-Mas/New
164 | Lesson 6
If a user has access to a file, he or she will still be able to gain access to the file even if he or she does not have access to the folder containing the file. Of course, because the user doesn’t have access to the folder, the user cannot navigate or browse through the folder to get to the file. Therefore, the user will have to use the universal naming convention (UNC) or local path to open the file.
When you view permissions, they will be one of the following:
• Checked: Here, permissions are explicitly assigned.
• Cleared (unchecked): Here, no permissions are assigned.
• Shaded: Here, permissions are granted through inheritance from a parent folder.
Besides granting the Allow permissions, you can also grant the Deny permission. The Deny permission always overrides other permissions that have been granted, including when a user or group has been given Full control. For example, if a group has been granted Read and Write permission yet one person within the group has been denied the Write permission, that user’s effective rights would be the Read permission.
When you combine applying Deny versus Allowed with explicit versus inherited permissions, the hierarchy of precedence of permission is as follows:
1. Explicit Deny 2. Explicit Allow 3. Inherited Deny 4. Inherited Allow
Because users can be members of several groups, it is possible for them to have several sets of explicit permissions for a particular folder or file. When this occurs, the permissions are combined to form the effective permissions, which are the actual permissions when logging in and accessing a file or folder. These consist of explicit permissions plus any inherited permissions.
When you calculate effective permissions, you must first calculate the explicit and inherited permissions for an individual or group and then combine them. When combining user and group permissions for NTFS security, the effective permission is the cumulative permission.
The only exception is that Deny permissions always apply.
For example, say you have a folder called Data. Within the Data folder, you have Folder1, and within Folder1, you have Folder2. If User 1 is a member of Group 1 and Group 2 and you assign the Allow write permission to the Data folder to User 1, the Allow read permission to Folder1 to Group 1, and the Allow modify permission to Folder2 to Group 2, then User 1’s effective permissions would be as shown in Table 6-4.
Table 6-4
Calculating effective permissions
USER 1 NTFS GROUP 1 GROUP 2 EFFECTIVE
OBJECT PERMISSIONS PERMISSIONS PERMISSIONS PERMISSIONS
Data Allow Write (explicit) Allow Write
Folder1 Allow Write (inherited) Allow Read (explicit) Allow Read and Write
Folder2 Allow Write (inherited) Allow Read (inherited) Allow Modify* (explicit) Allow Modify*
File1 Allow Write (inherited) Allow Read (inherited) Allow Modify* (inherited) Allow Modify*
*The Modify permission includes the Read and Write permissions.
c06FileandPrintServices.indd Page 164 12/14/10 3:58:54 PM user-s146
c06FileandPrintServices.indd Page 164 12/14/10 3:58:54 PM user-s146 /Users/user-s146/Desktop/Merry_X-Mas/New/Users/user-s146/Desktop/Merry_X-Mas/New
File and Print Services | 165 As another example, say you have a folder called Data. Within the Data folder, you have Folder1, and within Folder1, you have Folder2. If User 1 is a member of Group 1 and Group 2 and you assign the Allow Write permission to the Data folder to User 1, the Allow Read permission to Folder1 to Group 1, and the Deny Modify permission to Folder2 to Group 2, User 1’s effective permissions would be as shown in Table 6-5.
Table 6-5
Effective permissions affected by Deny permissions
USER 1 NTFS GROUP 1 GROUP 2 EFFECTIVE
OBJECT PERMISSIONS PERMISSIONS PERMISSIONS PERMISSIONS
Data Allow Write (explicit) Allow Write
Folder1 Allow Write (inherited) Allow Read (explicit) Allow Read and Write
Folder2 Allow Write (inherited) Allow Read (inherited) Deny Modify (explicit) Deny Modify File1 Allow Write (inherited) Allow Read (inherited) Deny Modify (inherited) Deny Modify
VIEW NTFS EFFECTIVE PERMISSIONS
GET READY. To view the NTFS effective permissions for a file or folder, perform the following steps:
1. Right-click the fi le or folder and select Properties.
2. Select the Security tab.
3. Click the Advanced button.
4. Click the Effective Permissions tab (Figure 6-3).
Figure 6-3
NTFS Effective Permissions tab
5. Click the Select button and type in the name of the user or group you want to view.
Click the OK button.
c06FileandPrintServices.indd Page 165 12/14/10 3:58:54 PM user-s146
c06FileandPrintServices.indd Page 165 12/14/10 3:58:54 PM user-s146 /Users/user-s146/Desktop/Merry_X-Mas/New/Users/user-s146/Desktop/Merry_X-Mas/New
166 | Lesson 6
When copying and moving files, the following three scenarios can result:
• If a folder or file is copied, the new folder or file will automatically acquire the permissions of the drive or folder to which it is being copied.
• If a folder or file is moved within the same volume, the folder or file will retain the same permissions that were already assigned.
• If a folder or file is moved from one volume to another volume, the folder or file will automatically acquire the permissions of the drive to which it is being moved.