A common problem for people who are learning NT and Windows 2000 is permissions. Most of them are used to operating systems designed for home users, such as Windows 95/98/ME, which do not support the concept of file and folder level security. Therefore, this time around we’re going to discuss Windows 2000 file level security and shared folder security and examine how the permissions interact with each other. This will also be a good primer for the 70-210 Windows 2000 Professional and 70-244 Supporting Windows NT 4.0 Networks certification exams, which include questions dealing with this very topic.
Before we begin, let’s define what we mean by file permissions: individual files can be owned, and permissions can be assigned to control which users and groups are able to access the file (or folder) for the purpose of viewing, modifying, or deleting. There are other possible permission levels as well, but we’ll focus on those as our primary interest.
Before you can use file permissions with Windows NT or Windows 2000, you have to have an NTFS (NT File System) partition on your hard drive. Windows 2000 supports the FAT file systems that Windows 9x uses, but if you install the operating system on a FAT16 or FAT32 partition you will be unable to take advantage of file and folder permissions. On a FAT partition, the only means of affecting a file is by changing its attribute from one of the following:
A source of confusion for many beginning system administrators is what happens to the NTFS permissions when you copy or move a file. The answer is: it depends! Okay, so that’s not very helpful, eh? Well, there are a few scenarios to consider when looking at what happens to the NTFS permissions. The scenarios are:
| Source Partition | Destination Partition | Action taken on file or folder | Resulting permissions |
|---|---|---|---|
| NTFS | FAT | Move or copy | Lose all permissions |
| NTFS | Same NTFS | Move | Retain existing permissions |
| NTFS | Same NTFS | Copy | Inherit permissions of destination folder |
| NTFS | Different NTFS | Move or Copy | Inherit permissions of destination folder |
| FAT | NTFS | Move or Copy | Inherit permissions of destination folder |
| FAT | FAT | Move or Copy | No permissions on FAT partitions |

Unlike NTFS permissions, which apply to local files and folders, share permissions apply to folders shared for network access. Shared folders have the following possible permission levels:
Share permissions are also cumulative with the exception of the deny permission. That is, if a user belongs to one group that has been given Read permission and another group that has been given Write permission, the user will have both Read and Write privileges to that resource. Because permissions can quickly become complicated, it is recommended to assign permissions to groups rather than individual users wherever possible.
One of the trickier aspects of permissions management is the interaction between share permissions and NTFS permissions. If you share a folder on an NTFS partition, in addition to the share permissions you must also have the requisite NTFS permissions in place in order to gain access to the resource. If the shared folder is on a FAT partition, the share permissions are all that is necessary.
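The cumulative rule for group permissions and the share/NTFS interaction described in the two paragraphs above can be worked through in a small model. This is an added example, not code from the original article and not Windows' actual access check; the right names ("read", "write"), the group names and the sample ACLs are constructed for illustration.

```python
# Simplified model: rights are plain labels, not real Windows permission levels.
ALL_RIGHTS = frozenset({"read", "write"})

def cumulative(acl, groups):
    """Union the allows of every group the user belongs to; any deny wins."""
    allowed, denied = set(), set()
    for group, entry in acl.items():
        if group in groups:
            allowed |= entry.get("allow", set())
            denied |= entry.get("deny", set())
    return frozenset(allowed - denied)

def effective_access(groups, share_acl, ntfs_acl,
                     filesystem="NTFS", over_network=True):
    """Rights a user ends up with on a folder.

    Share permissions only count for network access, NTFS permissions
    only exist on NTFS partitions, and when both apply the user needs
    the right in both places.
    """
    result = ALL_RIGHTS
    if over_network:
        result &= cumulative(share_acl, groups)
    if filesystem == "NTFS":
        result &= cumulative(ntfs_acl, groups)
    return result

# Constructed sample ACLs (hypothetical group names).
SHARE_ACL = {
    "Sales": {"allow": {"read"}},
    "Editors": {"allow": {"write"}},
    "Contractors": {"deny": {"write"}},
}
NTFS_ACL = {
    "Sales": {"allow": {"read"}},
    "Editors": {"allow": {"read", "write"}},
}

if __name__ == "__main__":
    cases = [
        ({"Sales", "Editors"}, "NTFS", True),
        ({"Sales", "Editors", "Contractors"}, "NTFS", True),
        ({"Editors"}, "NTFS", True),
        ({"Editors"}, "NTFS", False),
        ({"Sales"}, "FAT", True),
    ]
    for groups, fs, net in cases:
        rights = effective_access(groups, SHARE_ACL, NTFS_ACL, fs, net)
        print(sorted(groups), fs, "network" if net else "local", "->", sorted(rights))
```

The third case is the one that usually surprises administrators: the Editors group has read and write at the NTFS level, but only the write right survives over the network because the share never granted read to that group.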
The interaction between the NTFS permissions and share permissions has been known to cause frustration for more than one system administrator. This is especially true as your server environment grows in size and becomes more complex. Therefore, careful planning is needed to ensure that users can access resources as expected, with the appropriate level of permissions. Try to organize resources in a way that keeps the security consistent. For example, if you have a collection of read-only documents that users need to access, store all of them in a single folder or folder tree where you won’t have to worry about some files and subfolders having full control permissions and others Read, etc. Also, grant users and groups the minimum level of permission required to complete their tasks. Unless they have a specific need to have full control of a resource, don’t give it to them. Assign permissions to groups rather than users whenever possible, and implement an audit policy to track resource usage. We’ll look at setting up an audit policy in a future article, but until then happy studying and good luck with your exams and managing permissions on your Windows NT/2000 workstations and servers.
Comments or questions? Will Willis can be reached at WWillis@Transcender.com