Lesson 3: Using NTFS Special Access Permissions

The standard NTFS permissions generally provide all of the access control that you need to secure your resources. However, there are instances where the standard NTFS permissions do not provide the specific level of access that you want to assign to users. To create the specific level of access, you can assign NTFS special access permissions. When you assign special access permissions to folders, you can choose where to apply the permissions down the tree to subfolders and files.

Understanding NTFS Special Access Permissions

Special access permissions provide you with a finer degree of control for assigning access to resources. The special access permissions, when combined, constitute the standard NTFS permissions. For example, the standard Read permission includes the Read Data, Read Attributes, Read Permissions, and Read Extended Attributes special access permissions.

Two of the special access permissions are especially useful for managing access to files and folders: Change Permissions and Take Ownership.

Change Permissions

You can give other administrators and users the ability to change permissions for a file or folder without giving them the Full Control permission over the file or folder. In this way, the other administrator or user cannot delete or write to the file or folder but can assign permissions to the file or folder.

To give administrators the ability to change permissions, assign Change Permissions to the Administrators group for the file or folder.

Take Ownership

You can transfer ownership of files and folders from one user account or group to another user account or group. You can give someone the ability to take ownership and, as an administrator, you can take ownership of a file or folder.

The current owner or any user with the Full Control permission can assign the Full Control standard permission or the Take Ownership special access permission to another user account or group, allowing the user or a member of the group to take ownership.

Members of the Administrators group have the Take Ownership special access permission. This gives administrators the ability to take ownership of a file or folder, regardless of the other permissions that are assigned to the file or folder. If an administrator takes ownership, the Administrators group becomes the owner and any member of the Administrators group can change the permissions for the file or folder and assign the Take Ownership permission to another user account or group.

You cannot assign anyone ownership of a file or folder. The owner of a file, an administrator, or anyone with the Full Control permission, can assign Take Ownership permission to a user account or group, allowing the user or group member to take ownership. However, to become the owner of a file or folder, a user or group member with the Take Ownership permission must explicitly take ownership of the file or folder.

To take ownership of a file or folder, open the Properties dialog box for the file or folder in Windows Explorer, and select the Security tab. On the Security tab, click the Advanced button. The Access Control Settings dialog box appears. In the Access Control Settings dialog box, on the Owner tab, in the Change Owner To list, select your name. Select the Replace Owner On Subcontainers And Objects check box to take ownership of all subfolders and files that are contained within the folder.
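
Because Change Permissions and Take Ownership let a principal rewrite or take over an object's access control, it helps to know who holds them. The following is an added example, not code from the book; it assumes a current Windows system with PowerShell (which Windows 2000 did not include), and the function name and the baseline list of expected principals are illustrative.

```powershell
# Added example (not from the book): list who can change permissions or take ownership under a path.
function Get-AclControlGrant {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Assumed baseline of principals expected to hold these rights; adjust per site.
        [string[]]$Expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    # The two special access permissions the lesson singles out.
    $sensitive = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'

    $items = @(Get-Item -LiteralPath $Path -Force)
    if ($items[0].PSIsContainer) {
        $items += @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    }
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Full Control contains both bits, so Full Control holders are reported too.
            $held = [int]$ace.FileSystemRights -band [int]$sensitive
            if ($held -eq 0) { continue }
            if ($Expected -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Path        = $item.FullName
                Owner       = $acl.Owner
                Identity    = $ace.IdentityReference.Value
                Grants      = [System.Security.AccessControl.FileSystemRights]$held
                IsInherited = $ace.IsInherited
            }
        }
    }
}

# C:\Apps is the practice folder used in this lesson; it is assumed to exist.
Get-AclControlGrant -Path 'C:\Apps' | Sort-Object Path, Identity | Format-Table -AutoSize
```

Entries that Get-Acl shows as raw numbers (generic rights on inherit-only entries such as CREATOR OWNER) are not decoded by this check.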

Setting Special NTFS Permissions

If an employee leaves the company, an administrator can take ownership of the employee's files and assign the Take Ownership permission to another employee, and then that employee can take ownership of the previous employee's files. To set the Change Permissions or Take Ownership permissions, in the Properties dialog box for a file or folder, on the Security tab, click the Advanced button. In the Access Control Settings dialog box for a file or folder, on the Permissions tab, select the user account or group for which you want to apply NTFS special access permissions (see Figure 8.4).

Figure 8.4 The Access Control Settings dialog box

After you have selected the user account or group, click the View/Edit button and the Permission Entry dialog box appears (see Figure 8.5).

Figure 8.5 Setting special NTFS permissions for a file or folder

In the Permission Entry dialog box, you configure the options described in Table 8.4.

Table 8.4 Special NTFS Permissions

| Option | Description |
| --- | --- |
| Name | Specify the user account or group name. To select a different user account or group, click the Change button. |
| Apply Onto | Specify the level of the folder hierarchy at which the special NTFS permissions are inherited. The default is This Folder, Subfolders And Files. |
| Permissions | Allow the special access permissions. To allow the Change Permissions or Take Ownership permissions, select the appropriate check box in the Allow column. |
| Apply These Permissions To Objects And/Or Containers Within This Container Only | Specify whether subfolders and files within a folder inherit the special access permissions from the folder. Select this check box to propagate the special access permissions to files and subfolders. Clear this check box to prevent permissions inheritance. |
| Clear All | Click this button to clear all selected permissions. |
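
The options in Table 8.4 correspond to the fields of an access control entry: identity, rights, and inheritance and propagation flags. The following is an added example, not code from the book, and it generalizes beyond the default Apply Onto value the table names; it assumes a current Windows system with PowerShell, and the function name, the other Apply Onto labels and the EXAMPLE\User4 account are assumptions.

```powershell
# Added example (not from the book): "Apply Onto" choices expressed as ACE flags.
$ApplyOntoFlags = @{
    'This Folder Only'                  = 'None', 'None'
    'This Folder, Subfolders And Files' = 'ContainerInherit, ObjectInherit', 'None'
    'This Folder And Subfolders'        = 'ContainerInherit', 'None'
    'This Folder And Files'             = 'ObjectInherit', 'None'
    'Subfolders And Files Only'         = 'ContainerInherit, ObjectInherit', 'InheritOnly'
    'Subfolders Only'                   = 'ContainerInherit', 'InheritOnly'
    'Files Only'                        = 'ObjectInherit', 'InheritOnly'
}

function Grant-NtfsSpecialAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][System.Security.AccessControl.FileSystemRights]$Rights,
        [string]$ApplyOnto = 'This Folder, Subfolders And Files',   # the default named in Table 8.4
        [switch]$WithinThisContainerOnly                            # the check box in Table 8.4
    )
    if (-not $ApplyOntoFlags.ContainsKey($ApplyOnto)) { throw "Unknown Apply Onto value: $ApplyOnto" }
    $inherit   = [System.Security.AccessControl.InheritanceFlags]$ApplyOntoFlags[$ApplyOnto][0]
    $propagate = [System.Security.AccessControl.PropagationFlags]$ApplyOntoFlags[$ApplyOnto][1]
    # A file has no children, so its entries carry no inheritance flags.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        $inherit   = [System.Security.AccessControl.InheritanceFlags]::None
        $propagate = [System.Security.AccessControl.PropagationFlags]::None
    }
    # Propagation flags are only valid together with an inheritance flag.
    if ($WithinThisContainerOnly -and $inherit -ne 'None') {
        $noPropagate = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
        $propagate = [System.Security.AccessControl.PropagationFlags]($propagate -bor $noPropagate)
    }
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $inherit, $propagate, $allow
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)      # merges with an existing Allow entry for the same identity
    Set-Acl -LiteralPath $Path -AclObject $acl
    # Return the resulting entries for the identity so the change can be reviewed.
    (Get-Acl -LiteralPath $Path).Access | Where-Object { $_.IdentityReference.Value -eq $Identity }
}

# Constructed usage (EXAMPLE\User4 is a placeholder account): Change Permissions without Full Control.
# Grant-NtfsSpecialAccess -Path 'C:\Apps' -Identity 'EXAMPLE\User4' -Rights ChangePermissions
```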

Understanding NTFS Permissions Inheritance

By default, permissions that you assign to the parent folder are inherited by and propagated to the subfolders and files that are contained in the parent folder. However, you can prevent permissions inheritance.

Allowing Permissions Inheritance

Files and subfolders inherit permissions from their parent folder. Whatever permissions you assign to the parent folder also apply to subfolders and files that are contained in the parent folder. When you assign NTFS permissions to give access to a folder, you assign permissions for the folder and for any existing files and subfolders, as well as for any new files and subfolders that are created in the folder.

Preventing Permissions Inheritance

You can prevent permissions that are assigned to a parent folder from being inherited by subfolders and files that are contained in the folder. The folder at which you prevent permissions inheritance becomes the new parent folder, and permissions that are assigned to this folder will be inherited by the subfolders and files that are contained in it.

Practice: Taking Ownership of a File

In this practice, you will observe the effects of taking ownership of a file. To do this, you will determine permissions for a file, assign the Take Ownership permission to a user account, and then take ownership as that user.

  • To determine the permissions for a file
    1. Log on to your domain as Administrator, and then start Windows Explorer.
    2. In the C:\Apps folder, create a text document named Owner.txt.
    3. Right-click Owner.txt, and then click Properties.
    4. Microsoft Windows 2000 displays the Owner Properties dialog box with the General tab active.

    5. Click the Security tab to display the permissions for the Owner.txt file.
    6. Click the Advanced button.
    7. Windows 2000 displays the Access Control Settings For Owner dialog box with the Permissions tab active.

    8. Click the Owner tab.
    9. Who is the current owner of the Owner.txt file?

  • To assign permission to a user to take ownership
    1. In the Access Control Settings For Owner dialog box, click the Permissions tab.
    2. Click Add.
    3. Windows 2000 displays the Select User, Computer, Or Group dialog box.

    4. In the Look In box at the top of the dialog box, ensure that your domain is selected.
    5. Under Name, click User Four, and then click OK.
    6. Windows 2000 displays the Permission Entry For Owner dialog box. Notice that all of the permission entries for User Four are blank.

    7. In the Permissions list, select the Allow check box next to Take Ownership.
    8. Click OK.
    9. Windows 2000 displays the Access Control Settings For Owner dialog box with the Permissions tab active.

    10. Click OK to return to the Owner Properties dialog box.
    11. Click OK to apply your changes and close the Owner Properties dialog box.
    12. Close all applications, and then log off Administrator.

  • To take ownership of a file
    1. Log on to your domain as User4 with a password of User4, and then start Windows Explorer.
    2. Expand the C:\Apps folder, and then click the C:\Apps folder in the console pane.
    3. Right-click Owner.txt in the details pane, and then click Properties.
    4. Windows 2000 displays the Owner Properties dialog box with the General tab active.

    5. Click the Security tab to display the permissions for Owner.txt.
    6. Click Advanced to display the Access Control Settings For Owner dialog box, and then click the Owner tab.
    7. Who is the current owner of Owner.txt?

    8. Under Name, select User Four, and then click Apply.
    9. Who is the current owner of Owner.txt?

    10. Click OK to close the Access Control Settings For Owner dialog box.
    11. Windows 2000 displays the Owner Properties dialog box with the Security tab active.

    12. Click OK to close the Owner Properties dialog box.

  • To test permissions for a file as the owner
    1. While you are logged on as User Four, assign User Four the Full Control permission for the Owner.txt file, and click Apply.
    2. Clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box.
    3. A Security dialog box appears to indicate that you are preventing any inheritable permissions from propagating to this object.

    4. In the Security dialog box, click the Remove button.
    5. Click OK to close the Owner Properties dialog box.
    6. Close all open windows and log off.
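
The last procedure above, and the Preventing Permissions Inheritance section before it, come down to marking the object's access control list as protected and choosing whether inherited entries are kept or removed. The following is an added example, not code from the book; it assumes a current Windows system with PowerShell, the function name is illustrative, and the scratch folder and file are constructed for the demonstration.

```powershell
# Added example (not from the book): block inheritance without locking everyone out.
function Disable-NtfsInheritance {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$KeepCopy     # keep inherited entries as explicit ones instead of removing them
    )
    $acl = Get-Acl -LiteralPath $Path
    $explicitAllow = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.AccessControlType -eq 'Allow'
    })
    # Removing inherited entries leaves only explicit ones. With none, nobody is granted
    # access, which is why the practice assigns Full Control before clicking Remove.
    if (-not $KeepCopy -and $explicitAllow.Count -eq 0) {
        throw "No explicit Allow entry on '$Path'. Assign one first or use -KeepCopy."
    }
    # First argument: protect the ACL from the parent. Second: preserve inherited entries.
    $acl.SetAccessRuleProtection($true, $KeepCopy.IsPresent)
    Set-Acl -LiteralPath $Path -AclObject $acl

    $after = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        Owner     = $after.Owner
        Protected = $after.AreAccessRulesProtected
        Inherited = @($after.Access | Where-Object { $_.IsInherited }).Count
        Explicit  = @($after.Access | Where-Object { -not $_.IsInherited }).Count
    }
}

# Constructed demo in a scratch folder so no real data is touched.
$root = Join-Path $env:TEMP ('ntfs-inherit-demo-' + [guid]::NewGuid())
$file = Join-Path (New-Item -ItemType Directory -Path $root).FullName 'Owner.txt'
Set-Content -LiteralPath $file -Value 'demo'
# A new file normally has only inherited entries, so the Remove-style call is refused.
try   { Disable-NtfsInheritance -Path $file }
catch { Write-Warning $_.Exception.Message }
# The Copy-style call succeeds and converts the inherited entries to explicit ones.
Disable-NtfsInheritance -Path $file -KeepCopy
Remove-Item -LiteralPath $root -Recurse -Force
```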

Lesson Summary

NTFS special access permissions provide you with a finer degree of control for assigning access to resources. Two of the special access permissions are especially useful for managing access to files and folders: Change Permissions and Take Ownership.

By assigning the Change Permissions permission to a user or group, you can give other administrators and users the ability to change permissions for a file or folder without giving them the Full Control permission over the file or folder. In this way, the other administrator or user cannot delete or write to the file or folder but can assign permissions to the file or folder. To give administrators the ability to change permissions, assign the Change Permissions permission to the Administrators group for the file or folder.

The current owner or any user with the Full Control permission can assign the Take Ownership special access permission to another user account or group, allowing the user or a member of the group to take ownership. An administrator can take ownership of a folder or file, regardless of assigned permissions. When an administrator takes ownership of a file or folder, the Administrators group becomes the owner and any member of the Administrators group can change the permissions for the file or folder and assign the Take Ownership permission to another user account or group.

By default, permissions that you assign to the parent folder are inherited by and propagated to the subfolders and files that are contained in the parent folder. However, you can prevent permission inheritance.