Setting permissions for a folder in Windows: file and folder permissions in NTFS, and who is assigned access rights

Information taken from Chapter Thirteen of the Windows 2000 Administrator's Guide. Written by William R. Stanek.

On NTFS volumes, you can set security permissions for files and folders. These permissions grant or deny access to files and folders; the procedure for viewing and setting them is described below.

Understanding File and Folder Permissions

Table 13-3 shows the basic permissions that apply to files and folders.
The basic file permissions are Full Control, Modify, Read & Execute, Read and Write.
The basic folder permissions are Full Control, Modify, Read & Execute, List Folder Contents, Read and Write.

When setting permissions for files and folders, you should always consider the following:

Read permission is all that is needed to run scripts; the Execute File special permission is not required.
Accessing a shortcut and the object it points to requires Read permission.
The Write Data special permission, even without the Delete special permission, still allows a user to delete the contents of a file.
If a user has the basic Full Control permission on a folder, they can delete any file in that folder regardless of the permissions on those files.

Table 13-3 - Basic permissions for files and folders in Windows 2000

Basic permission     | Meaning for folders                                                                                 | Meaning for files
Read                 | Allows browsing folders and viewing a list of files and subfolders                                  | Allows viewing and accessing the contents of the file
Write                | Allows adding files and subfolders                                                                  | Allows writing data to a file
Read & Execute       | Allows browsing folders and viewing a list of files and subfolders; inherited by files and folders  | Allows viewing and accessing the contents of a file, as well as running an executable file
List Folder Contents | Allows browsing folders and viewing a list of files and subfolders; inherited only by folders       | Not applicable
Modify               | Allows viewing content and creating files and subfolders; allows folder deletion                    | Allows reading and writing data to a file; allows file deletion
Full Control         | Allows viewing content and creating, modifying and deleting files and subfolders                    | Allows reading and writing data, as well as modifying and deleting a file

Basic permissions are created by grouping specific permissions into logical groups, which are shown in Table 13-4 (for files) and 13-5 (for folders). Special permissions can be assigned individually using advanced configuration options. When learning about special file permissions, keep the following in mind:

If access rights are not explicitly defined for a group or user, that group or user is denied access to the file.
When calculating a user's effective permissions, all permissions assigned to the user and to every group the user is a member of are taken into account. For example, if the user GeorgeJ has Read access and is also a member of the Techies group, which has Modify access, then GeorgeJ ends up with Modify access. If the Techies group is in turn a member of the Administrators group, which has Full Control, then GeorgeJ has Full Control of the file.

Table 13-4 - Special Permissions for Files

Special permission          Full Control  Modify  Read & Execute  Read  Write
Execute File                     X          X          X
Read Data                        X          X          X          X
Read Attributes                  X          X          X          X
Read Extended Attributes         X          X          X          X
Write Data                       X          X                           X
Append Data                      X          X                           X
Write Attributes                 X          X                           X
Write Extended Attributes        X          X                           X
Delete                           X          X
Read Permissions                 X          X          X          X     X
Change Permissions               X
Take Ownership                   X

Table 13-5 shows the special permissions used to create basic folder permissions. When learning about special folder permissions, keep the following in mind:

When you set permissions on a parent folder, you can make the permissions of its files and subfolders match those of the parent folder. To do this, select the Reset Permissions On All Child Objects And Enable Propagation Of Inheritable Permissions check box.
Newly created files inherit some permissions from the parent object; these are shown as the default file permissions.

Table 13-5 - Special permissions for folders

Special permission           Full Control  Modify  Read & Execute  List Folder Contents  Read  Write
Traverse Folder                   X          X          X                  X
List Folder                       X          X          X                  X              X
Read Attributes                   X          X          X                  X              X
Read Extended Attributes          X          X          X                  X              X
Create Files                      X          X                                                  X
Create Folders                    X          X                                                  X
Write Attributes                  X          X                                                  X
Write Extended Attributes         X          X                                                  X
Delete Subfolders and Files       X
Delete                            X          X
Read Permissions                  X          X          X                  X              X     X
Change Permissions                X
Take Ownership                    X

Setting permissions for files and folders

To set permissions for files and folders, do the following:

1. In Windows Explorer, select a file or folder and right-click it.
2. In the context menu, select Properties and in the dialog box go to the Security tab, shown in Figure 13-12.


Figure 13-12 - Setting basic permissions for files or folders on the Security tab

3. The Name list shows the users or groups that have access to the file or folder. To change the permissions for these users or groups, do the following:

Select the user or group whose permissions you want to change.

Use the Permissions list to grant or revoke permissions.

Tip. The check boxes of inherited permissions are greyed out. To override an inherited permission, select the opposite check box.

4. To set permissions for users, contacts, computers or groups that are not shown in the Name list, click Add. The dialog box shown in Figure 13-13 appears.


Figure 13-13 - Selecting the users, computers and groups that are to be allowed or denied access.

5. Use the Select Users, Computers, Or Groups dialog box to choose the users, computers or groups for which you want to set access permissions. This window contains the fields described below:

Look In: This drop-down list lets you view the available accounts of other domains, including the current domain, trusted domains and other available resources. To see all accounts in the directory, select Entire Directory.

Name: This column shows the existing accounts of the selected domain or resource.

Add: This button adds the selected names to the list of selected names.

Check Names: This button verifies the names of users, computers or groups in the list of selected names. This is useful when names have been typed in manually and you need to make sure they are correct.

6. In the Name list, highlight the user, contact, computer or group to configure, then select or clear the check boxes in the Permissions list to define its access rights. Repeat for the other users, computers or groups.
7. When finished, click OK.

System resource audit

Auditing is the best way to track events on Windows 2000 systems. It can be used to collect information about the use of a resource; examples of events to audit include file access, logon and system configuration changes. After auditing of an object is enabled, entries are written to the security log whenever an attempt is made to access that object. The security log can be viewed in the Event Viewer snap-in.

Note. To change most audit settings, you must be logged on as Administrator or as a member of the Administrators group, or have the Manage Auditing And Security Log right in Group Policy.

Setting audit policies

Applying audit policies greatly improves the security and integrity of systems. Almost every computer on the network should be configured with security logging. Audit policies are set in the Group Policy snap-in, which lets you set audit policies for an entire site, domain or organizational unit; policies can also be set for individual workstations or servers.

After selecting the required Group Policy container, you can configure the audit policies as follows:

1. As shown in Figure 13-14, reach the node by expanding the console tree: Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy.


Figure 13-14 - Configuring the audit policy using the Audit Policy node in Group Policy.

2. The audit categories are the following:

Audit Account Logon Events monitors events related to user logon and logoff.

Audit Account Management tracks all account-management events performed with the snap-in tools. Audit entries appear when user, computer or group accounts are created, modified or deleted.

Audit Directory Service Access monitors Active Directory access events. Audit entries are created each time users or computers access the directory.

Audit Logon Events monitors logon and logoff events, as well as remote network connections.

Audit Object Access tracks the use of system resources: files, directories, shares and Active Directory objects.

Audit Policy Change tracks changes to user rights assignment policies, audit policies or trust policies.

Audit Privilege Use tracks every attempt by a user to exercise a given right or privilege, for example the right to back up files and directories.

Note. The Audit Privilege Use policy does not track events related to system access, such as using the interactive logon right or accessing the computer from the network. These events are tracked by the Audit Logon Events policy.

Audit Process Tracking keeps track of system processes and the resources they use.

Audit System Events monitors computer startup, restart and shutdown events, as well as events that affect system security or appear in the security log.

3. To configure an audit policy, double-click the policy, or select Properties from its context menu. The Local Security Policy Setting dialog box opens.
4. Select the Define These Policy Settings check box, then check or uncheck Success and Failure. Success auditing creates an audit entry for each successful event (for example, a successful logon attempt); failure auditing creates an audit entry for each unsuccessful event (such as a failed logon attempt).
5. When finished, click OK.

Audit file and folder operations

If the Audit Object Access policy is enabled, you can audit individual folders and files, which lets you track their use precisely. This feature is available only on volumes with the NTFS file system.

To configure file and folder auditing, do the following:

1. In Windows Explorer, select the file or folder for which you want to set up auditing. In the context menu, select Properties.
2. Go to the Security tab, then click Advanced.
3. In the dialog box, click the Auditing tab shown in Figure 13-15.


Figure 13-15 - Configuring audit policies for individual files or folders on the Auditing tab.

4. For audit settings to be inherited from the parent object, the Allow Inheritable Auditing Entries From Parent To Propagate To This Object check box must be selected.
5. For child objects to inherit the audit settings of the current object, select the Reset Auditing Entries On All Child Objects And Enable Propagation Of Inheritable Auditing Entries check box.
6. Use the Auditing Entries list to select the users, computers or groups whose activities will be monitored. To remove an account from this list, select it and click Remove.
7. To add an account, click Add. The Select Users, Computers, Or Groups dialog box appears, where you select the account to add. When you click OK, the Auditing Entry For <folder or file name> dialog box shown in Figure 13-16 appears.

Note. If you want to track the activities of all users, use the special group Everyone. Otherwise, select individual users or groups in any combination for auditing.


Figure 13-16 - The Auditing Entry For <folder or file name> dialog box (Auditing Entry For New Folder), used to set audit entries for a user, contact, computer or group.

8. If you need to refine which objects the audit settings apply to, use the Apply Onto drop-down list.
9. Check Success and/or Failure for the required audit events. Success auditing creates an audit entry for a successful event (for example, successfully reading a file); failure auditing creates an audit entry for an unsuccessful event (for example, a failed attempt to delete a file). The auditable events are the same as the special permissions (Tables 13-4 and 13-5), with the exception of offline file and folder synchronization, which cannot be audited.
10. When finished, click OK. Repeat these steps to set up auditing for other users, groups or computers.
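The auditing entries described in this procedure are matched against access attempts before anything is written to the security log. The following added example (not code from the book) models that matching: each entry names a principal, the audited events (named like the special permissions of Tables 13-4 and 13-5), whether Success and/or Failure is checked, and its Apply Onto scope. The group membership, the entries and the access attempts are constructed sample data; the Apply Onto names are entries of the Windows drop-down list of that name.

```python
"""Which access attempts on an audited folder produce a security-log entry,
given auditing entries of the kind the Auditing tab configures (an added
example, not code from the book). Group membership, the entries and the
attempts below are constructed sample data."""
from dataclasses import dataclass

# Constructed membership; "Everyone" is the group the text suggests for
# auditing all users.
GROUPS = {"alice": {"Users", "Everyone"}, "bob": {"Users", "Everyone"}}

# Apply Onto choice -> which objects under the audited folder it covers.
# The four names are entries of the Windows Apply Onto drop-down list.
SCOPE = {
    "This folder only": {"folder"},
    "This folder and files": {"folder", "file"},
    "This folder, subfolders and files": {"folder", "subfolder", "file"},
    "Files only": {"file"},
}


@dataclass(frozen=True)
class AuditEntry:
    principal: str          # user or group whose activity is audited
    events: frozenset       # audited events, e.g. "Delete", "Write Data"
    success: bool           # Successful box checked
    failure: bool           # Failed box checked
    apply_onto: str = "This folder, subfolders and files"


@dataclass(frozen=True)
class Attempt:
    user: str
    target: str             # "folder", "subfolder" or "file"
    event: str
    succeeded: bool


def audit_records(sacl, attempts):
    """Return one (user, target, event, outcome) record per attempt that at
    least one auditing entry covers: the principal must match the user or one
    of its groups, the event must be audited, the target must fall inside the
    entry's Apply Onto scope, and the outcome must be the audited kind."""
    records = []
    for a in attempts:
        who = {a.user} | GROUPS.get(a.user, set())
        for entry in sacl:
            if entry.principal not in who or a.event not in entry.events:
                continue
            if a.target not in SCOPE[entry.apply_onto]:
                continue
            if (a.succeeded and entry.success) or (not a.succeeded and entry.failure):
                records.append((a.user, a.target, a.event,
                                "Success" if a.succeeded else "Failure"))
                break   # one log entry per attempt, not one per matching entry
    return records


# Constructed auditing entries: everyone's deletions (success and failure),
# and failed writes by Users on files only.
SAMPLE_SACL = [
    AuditEntry("Everyone", frozenset({"Delete", "Delete Subfolders and Files"}),
               success=True, failure=True),
    AuditEntry("Users", frozenset({"Write Data", "Append Data"}),
               success=False, failure=True, apply_onto="Files only"),
]

# Constructed attempts; the comments say what the entries do with each.
SAMPLE_ATTEMPTS = [
    Attempt("alice", "file", "Delete", succeeded=False),         # logged: Failure
    Attempt("alice", "file", "Read Data", succeeded=True),       # not an audited event
    Attempt("bob", "file", "Write Data", succeeded=True),        # success not audited
    Attempt("bob", "file", "Write Data", succeeded=False),       # logged: Failure
    Attempt("bob", "subfolder", "Write Data", succeeded=False),  # outside "Files only"
]


if __name__ == "__main__":
    for record in audit_records(SAMPLE_SACL, SAMPLE_ATTEMPTS):
        print(record)
```

Running the script prints the two records that survive the matching; the three other attempts are dropped for the reason given in their comments, which is the same reason a real audit configuration silently misses events when the scope, the principal or the Success/Failure selection is wrong.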

Auditing Active Directory Objects

If the Audit Directory Service Access policy is enabled, you can audit individual Active Directory objects, which lets you track their use precisely.

To configure object auditing, do the following:

1. In the Active Directory Users And Computers snap-in, select the container of the object.
2. Right-click the object to be audited and select Properties from the context menu.
3. Go to the Security tab and click Advanced.
4. Go to the Auditing tab of the Access Control Settings dialog box. For audit settings to be inherited from the parent object, the Allow Inheritable Auditing Entries From Parent To Propagate To This Object check box must be selected.
5. Use the Auditing Entries list to select the users, computers or groups whose activities will be monitored. To remove an account from this list, select it and click Remove.
6. To add an account, click Add. The Select Users, Contacts, Computers, Or Groups dialog box appears, where you select the account to add. When you click OK, the Auditing Entry dialog box for the object appears.
7. If you need to refine which objects the audit settings apply to, use the Apply Onto drop-down list.
8. Check Success and/or Failure for the required audit events. Success auditing creates an audit entry for every successful event (for example, a successful read of a file); failure auditing creates an audit entry for each unsuccessful event (for example, a failed attempt to delete a file).
9. When finished, click OK. Repeat these steps to set up auditing for other users, contacts, groups or computers.


The material is taken from the book "Windows 2000 Administrator's Guide". Written by William R. Stanek. Copyright © 1999 Microsoft Corporation. All rights reserved.

The NTFS file system lets you configure access permissions on individual folders or files for individual users. You can configure access to folders and files as you wish: close your files to some users and open them to others. The latter will be able to work with your documents, while the former will see a window with the message "File access denied". But configuring access to folders and files is not limited to whether users can reach your documents at all: you can also specify what they are permitted to do, so that some users can only read a document while others can change it.

How to open or close access to files or folders in Windows?

To set the permissions of a file or folder, select Properties in its context menu. In the window that opens, go to the Security tab. From here there are two ways to set up access rights.

  1. Click the Edit button. The following picture appears:
    In this window we can add or remove a user, or a whole group of users, for whom we want to set access rights on this object, using the Add and Remove buttons. After selecting the users for whom you want to set access rights, select them one by one and grant each the appropriate rights. To allow or, conversely, deny access, check the corresponding items. To save the changes, click Apply, then OK.
  2. Click the Advanced button. This window provides additional options for setting access rights on the object.

    The functionality presented in the first item is contained in the Permissions tab. The Add and Remove buttons add users to the list or remove them. To set the permissions of the selected user or group, use the Edit button.

    In the drop-down menu you can select the type of permission (allow or deny) and, for folders, the scope these rules apply to. As you can see, this window provides the same basic permissions for the object. But if you click Show advanced permissions, you get the whole list of special permissions.

    Permissions are chosen by placing a check mark in front of the corresponding item.

    The Auditing tab lets you set up logging of various attempts to access a file or folder. You can be notified every time someone successfully or unsuccessfully opens a folder or file, changes the name or contents of a document, and so on. Both successful and unsuccessful activities can be audited, and the scope of auditing can be configured. The logged data can be viewed in the Event Log.

    The Effective Permissions tab shows the access rights the selected user has on this object.

Allow access or deny access?

Before you start checking boxes for any users, you should know the following: access rights must be configured explicitly. This means that explicit permission must be granted for an object to be accessible. For an object to be inaccessible, it is enough to grant no permissions at all: if you have not explicitly granted access, the user cannot access the object. A reasonable question then arises: why is a Deny permission type needed at all? To answer it, you need to know two more rules:

  1. A Deny permission takes precedence over an Allow permission.
  2. The resulting rights of a user are obtained by summing all access rules on the given object.

The first point should raise no questions, but the second needs an explanation. Consider an example: if the regular user user has read and write permission on the folder folder, and the Users group has read-only permission on folder, then the resulting access rights of user allow both reading and writing of this folder, which contradicts the policy that Users may only read this folder. That is why the Deny permission type is needed: if one policy says the user should have access to the file and another says he should not, access must be denied explicitly, because otherwise he will have it, which contradicts the second policy.

The Effective Permissions tab exists precisely to make summing all the access rules on an object easier.

Users, Administrators, Authenticated Users and so on

In addition to all the above, you need to know that all users, regardless of the configured access rights, are by default members of the Users group. By default, on all objects (except some operating system objects), members of this group have read and modify access. Members of the Administrators group have full access to all system objects by default. The Authenticated Users group includes every user who has logged on; their access permissions are approximately equal to those of regular users.

Knowing this, you can save yourself the trouble of granting full access to a specific user with administrative rights, or of setting read and write permissions for a normal user: all this has already been done.

In addition, you should not remove the above groups from the access rights of any object, nor deny access to these groups. Even if you are a user with administrative rights, denying the Users group access to an object will hit you as well, since you are also a member of that group. So be careful and do not try to change the default settings.

Computers running Windows can work with various file systems, such as FAT32 and NTFS. Without going into their similarities, one thing can be said: they differ in the main thing, which is that NTFS lets you configure security settings for each file or folder (directory). That is, for each file or folder NTFS stores a so-called ACL (Access Control List), which lists all users and groups that have certain access rights to that file or folder. FAT32 has no such capability.

In the NTFS file system, each file or folder can have the following security rights:

  • Read - Allows browsing folders and viewing the list of files and subfolders, and viewing and accessing the contents of a file;
  • Write - Allows adding files and subfolders, and writing data to a file;
  • Read & Execute - Allows browsing folders and viewing a list of files and subfolders, viewing and accessing the contents of a file, and running an executable file;
  • List Folder Contents - Allows browsing folders and viewing only the list of files and subfolders. This permission does not grant access to the contents of files!
  • Modify - Allows viewing contents and creating files and subfolders, deleting a folder, reading and writing data to a file, and deleting a file;
  • Full Control - Allows viewing contents, creating, modifying and deleting files and subfolders, reading and writing data, and modifying and deleting a file.

The rights listed above are basic rights. Basic rights are made up of special rights, which are finer-grained rights that together form the basic ones. Using special permissions gives you a lot of flexibility in setting permissions.

List of special permissions for files and folders:

  • Traverse Folder / Execute File - Allows moving through the folder structure to reach other files or folders, and executing files;
  • List Folder / Read Data - Allows viewing the names of files or subfolders contained in a folder, and reading data from a file;
  • Read Attributes - Allows viewing file or folder attributes such as "Read-only" and "Hidden";
  • Read Extended Attributes - Allows viewing the extended attributes of a file or folder;
  • Create Files / Write Data - Allows creating files in a folder (applies only to folders), and making changes to a file and overwriting its existing content (applies only to files);
  • Create Folders / Append Data - Allows creating folders in a folder (applies only to folders), and appending data to the end of a file without changing, deleting or replacing existing data (applies only to files);
  • Write Attributes - Allows or denies changing file or folder attributes such as "Read-only" and "Hidden";
  • Write Extended Attributes - Allows or denies changing the extended attributes of a file or folder;
  • Delete Subfolders and Files - Allows deleting subfolders and files even without the "Delete" permission on them (applies only to folders);
  • Delete - Allows deleting a file or folder. If a file or folder lacks the Delete permission, it can still be deleted if the parent folder grants Delete Subfolders and Files;
  • Read Permissions - Allows reading the access permissions of a file or folder, such as "Full Control", "Read" and "Write";
  • Change Permissions - Allows changing the access permissions of a file or folder, such as "Full Control", "Read" and "Write";
  • Take Ownership - Allows you to take ownership of a file or folder;
  • Synchronize - Allows different threads to wait on a file or folder and synchronize with other threads that may hold it. This permission applies only to multithreaded programs with multiple processes.

!!! All basic and special rights can be set as either Allow or Deny.

All file and folder permissions are of two kinds: explicit and inherited. Inheritance means that something is passed automatically from the parent object to the child. In the file system this means that any file or folder can inherit its permissions from its parent folder. This is a very convenient mechanism that removes the need to assign explicit rights to every newly created file and folder. Imagine that you have several thousand files and folders on a disk: how would you give them all access rights, sit down and assign them one by one? No. This is where inheritance works. We create a folder in the root of the disk, and the folder automatically receives exactly the same rights as the root of the disk. We change the permissions of the newly created folder. Then another subfolder is created inside it; this subfolder receives the rights inherited from the parent folder, and so on.

The combined result of explicit and inherited rights is the actual rights on a particular folder or file. There are many pitfalls here. For example, you have a folder in which you allow the user "Vasya" to delete files. Then you remember that the folder contains one very important file that Vasya must not delete under any circumstances. You set an explicit Deny on the important file (the special right "Delete"). It would seem the job is done and the file is clearly protected from deletion. Yet Vasya calmly enters the folder and deletes this super-protected file. Why? Because Vasya has the right to delete from the parent folder (Delete Subfolders and Files), which in this case takes priority.
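The rules stated in the "Allow access or deny access?" section (Deny beats Allow, rights are summed over the user and its groups), the book's GeorgeJ example and the Vasya pitfall above all describe one evaluation procedure. The following added example (not code from the book or the original article) models it: special permissions are bit flags, basic permissions are the groupings of Tables 13-4 and 13-5, and effective access is computed exactly as the text describes. The users, group membership and ACLs are constructed sample data; the parent folder's Delete Subfolders and Files right overriding an explicit Deny of Delete on the file follows the behaviour the text states, not a general precedence of parent over child.

```python
"""Model of the NTFS permission rules described on this page (an added example,
not code from the book or the original article). Users, groups and ACLs below
are constructed sample data."""
from dataclasses import dataclass
from enum import IntFlag


class Right(IntFlag):
    """Special permissions (the rows of Tables 13-4 and 13-5)."""
    TRAVERSE_EXECUTE = 1 << 0   # Traverse Folder / Execute File
    LIST_READ_DATA = 1 << 1     # List Folder / Read Data
    READ_ATTRIBUTES = 1 << 2
    READ_EA = 1 << 3            # Read Extended Attributes
    WRITE_DATA = 1 << 4         # Create Files / Write Data
    APPEND_DATA = 1 << 5        # Create Folders / Append Data
    WRITE_ATTRIBUTES = 1 << 6
    WRITE_EA = 1 << 7           # Write Extended Attributes
    DELETE_CHILD = 1 << 8       # Delete Subfolders and Files
    DELETE = 1 << 9
    READ_PERMISSIONS = 1 << 10
    CHANGE_PERMISSIONS = 1 << 11
    TAKE_OWNERSHIP = 1 << 12


# Basic permissions as unions of special permissions (columns of Table 13-4).
READ = Right.LIST_READ_DATA | Right.READ_ATTRIBUTES | Right.READ_EA | Right.READ_PERMISSIONS
READ_EXECUTE = READ | Right.TRAVERSE_EXECUTE
WRITE = (Right.WRITE_DATA | Right.APPEND_DATA | Right.WRITE_ATTRIBUTES
         | Right.WRITE_EA | Right.READ_PERMISSIONS)
MODIFY = READ_EXECUTE | WRITE | Right.DELETE
FULL_CONTROL = MODIFY | Right.DELETE_CHILD | Right.CHANGE_PERMISSIONS | Right.TAKE_OWNERSHIP


@dataclass(frozen=True)
class Ace:
    """One access control entry: who, which rights, Allow or Deny, and whether
    it was inherited from the parent folder or set explicitly on the object."""
    principal: str
    rights: Right
    allow: bool = True
    inherited: bool = False


# Constructed group membership (nested groups already flattened): the book's
# GeorgeJ belongs to Techies, which in turn sits inside Administrators.
GROUPS = {
    "GeorgeJ": {"Techies", "Administrators"},
    "user": {"Users"},
    "Vasya": {"Users"},
}


def principals_for(user):
    """The user plus every group it belongs to; all of them contribute ACEs."""
    return {user} | GROUPS.get(user, set())


def effective_rights(user, acl):
    """Rule 2 (rights are summed): OR together every Allow for the user or
    its groups. Rule 1 (Deny wins): strip any bit a matching Deny mentions."""
    who = principals_for(user)
    allowed, denied = 0, 0
    for ace in acl:
        if ace.principal in who:
            if ace.allow:
                allowed |= int(ace.rights)
            else:
                denied |= int(ace.rights)
    return Right(allowed & ~denied & int(FULL_CONTROL))


def has_access(user, acl, wanted):
    """Every requested bit must be granted; no matching entry means no access."""
    return (effective_rights(user, acl) & wanted) == wanted


def can_delete(user, file_acl, parent_acl):
    """Deletion succeeds with Delete on the file itself, or with Delete
    Subfolders and Files on the parent folder, which overrides an explicit
    Deny of Delete placed on the file (the Vasya pitfall)."""
    return (has_access(user, file_acl, Right.DELETE)
            or has_access(user, parent_acl, Right.DELETE_CHILD))


# The book's example: GeorgeJ has Read, Techies Modify, Administrators Full Control.
BOOK_FILE_ACL = [Ace("GeorgeJ", READ), Ace("Techies", MODIFY),
                 Ace("Administrators", FULL_CONTROL)]

# The article's example: 'user' gets Read and Write, Users only Read; the sum
# grants writing, so the policy needs an explicit Deny on the writing bits.
FOLDER_ACL = [Ace("user", READ | WRITE), Ace("Users", READ)]
FOLDER_ACL_WITH_DENY = FOLDER_ACL + [
    Ace("user", Right.WRITE_DATA | Right.APPEND_DATA, allow=False)]

# The Vasya pitfall: Delete Subfolders and Files on the folder, explicit Deny
# of Delete on the important file inside it.
PHOTO_FOLDER_ACL = [Ace("Vasya", READ_EXECUTE | Right.DELETE_CHILD)]
IMPORTANT_FILE_ACL = [Ace("Vasya", READ_EXECUTE, inherited=True),
                      Ace("Vasya", Right.DELETE, allow=False)]


if __name__ == "__main__":
    print("GeorgeJ has Full Control:", effective_rights("GeorgeJ", BOOK_FILE_ACL) == FULL_CONTROL)
    print("user may write:", has_access("user", FOLDER_ACL, Right.WRITE_DATA),
          "-> with Deny:", has_access("user", FOLDER_ACL_WITH_DENY, Right.WRITE_DATA))
    print("Vasya has Delete on the file:", has_access("Vasya", IMPORTANT_FILE_ACL, Right.DELETE),
          "-> can still delete it:", can_delete("Vasya", IMPORTANT_FILE_ACL, PHOTO_FOLDER_ACL))
```

The Deny in the article's example is placed on the data-writing bits only rather than on the whole basic Write group, because basic Write also contains Read Permissions (last row of Table 13-4), so denying it wholesale would take away more than intended.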

Try not to assign rights directly to files; assign rights to folders.

!!! Try to assign rights only to groups; this greatly simplifies administration. Microsoft does not recommend assigning rights to specific users. Remember that a group can include not only users but also other groups.

For example, if a computer is joined to a domain, the Domain Users group is automatically added to its local Users group, and the Domain Admins group to the local Administrators group. Accordingly, by assigning rights on any folder to the local Users group, you automatically assign rights to all users of the domain.

Do not be discouraged if not all of the above is immediately clear. Examples and hands-on practice will quickly fix that!

Let's get down to specifics.

I will show all examples on Windows XP. In Windows 7 and later the essence is the same; there are just a few more windows.

So, to assign or change the rights on a file or folder, right-click the file or folder in Explorer and select the "Properties" menu item.

You should see a window with a "Security" tab.

If there is no such tab, do the following. Launch Explorer, then open the "Tools" menu, "Folder Options…".

In the window that opens, go to the "View" tab and uncheck the option "Use simple file sharing (Recommended)".

That's it; now all the properties of the NTFS file system are available to you.

Back to the "Security" tab.

A lot of information is available in the window that opens. At the top is the list "Group or user names:", which lists all users and groups that have access rights on this folder (arrow 1). The bottom list shows the permissions of the selected user or group (arrow 2); in this case it is the SYSTEM user. This list shows the basic permissions. Note that in the "Allow" column the check marks are greyed out and cannot be edited. This indicates that these rights are inherited from the parent folder. Once again: in this case all rights of the SYSTEM user on the "Working" folder are inherited from the parent folder, and SYSTEM has all rights ("Full Control").

By highlighting a group or user in the list, we can view the basic rights of that group or user. Highlighting the user "Guest User ([email protected])", you can see that all of his rights are explicit.

The group "Users (KAV-VM1\Users)", on the other hand, has combined rights: some are inherited from the parent folder (grey squares next to "Read & Execute", "List Folder Contents", "Read"), and some are set explicitly, namely "Modify" and "Write".

!!! Attention. Pay attention to the names of users and groups. The parentheses indicate where a group or user belongs. Groups and users can be local, i.e. created directly on this computer, or domain ones. In this case the "Administrators" group is local, since the entry in parentheses is the name of the computer KAV-VM1, followed by a backslash and the name of the group itself. By contrast, the user "Guest User" is a user of the btw.by domain, as indicated by the full name entry [email protected]

Often, when viewing or changing rights, the basic rights window is enough, but sometimes it is not. Then you can open a window for changing special permissions or the owner, or for viewing effective permissions. How? Click the "Advanced" button. This window opens:

In this window, the "Permission entries" table lists all users who have rights on this folder. Just as for basic permissions, select the user or group and click "Edit". A window opens showing all special permissions of the selected user or group.

As with basic permissions, special permissions inherited from the parent folder are shown greyed out and cannot be edited.

As you may have noticed, some users or groups have several lines in the special permissions window.

This is because one user or group can have several kinds of rights: explicit and inherited, allowing or denying, and differing in the type of inheritance. In this case the read permissions of the Users group are inherited from the parent folder, and its modify permissions are added explicitly.

Examples of assigning rights.

!!! The examples increase in complexity. Read and work through them in the order in which they appear in the text. Actions already shown in earlier examples are omitted from later ones to keep the text short. 🙂

Example 1: Granting read-only access to a folder to a specific local security group.

First, let's create a local group in which we will include all the users we need. It can be done without a group, but then the rights have to be configured separately for each user, and every time rights must be given to a new person, all the operations have to be repeated. If rights are granted to a local group, setting up a new person takes a single action: adding that person to the local group. How to create a local security group is described in the article "Setting up local security groups".

So, we have created a local security group named "Colleagues for reading",


to which all the necessary users have been added.

Now I set the permissions on the folder. In this example I will grant permissions on the folder "PHOTO" to the group "Colleagues for reading" I created.

Right-click the "PHOTO" folder, select the "Properties" menu item and go to the "Security" tab.

The "Security" tab shows the current permissions of the "PHOTO" folder. Selecting groups and users in the list shows that the rights on this folder are inherited from the parent folder (grey check marks in the "Allow" column). In this situation I do not want anyone except the newly created group to have any access to the "PHOTO" folder.

Therefore I must remove the inheritance of rights and remove unnecessary users and groups from the list. I click "Advanced". In the window that opens,


I uncheck the box "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here." This opens a window where I can choose what to do with the current inherited rights.

In most cases I advise clicking "Copy" here, because if we choose "Remove", the list of rights becomes empty and you can actually take the rights away from yourself. Yes, do not be surprised, it is very easy to do. And if you are not an administrator on your computer, or not a member of the "Backup Operators" group, you will not be able to restore the rights. The situation is like a door with an automatic latch that you close, leaving the keys inside. So it is better always to click "Copy" and then delete what you do not need.

After I click "Copy", I return to the previous window, now with the check box cleared.

I click "OK" and return to the basic permissions window. All entries are now editable. I need to keep the permissions for the local group "Administrators" and the SYSTEM user and delete the rest. I select the unnecessary users and groups one by one and click "Remove".

The result looks like this.

Now I only have to add the group "Colleagues for reading" and grant it read permissions.

I click "Add" and in the standard selection window choose the local group "Colleagues for reading". Working with the selection window is described in detail in the article.

As a result, the group "Colleagues for reading" has been added to the list of basic permissions, and it automatically received the permissions "Read & Execute", "List Folder Contents" and "Read".

All that remains is to click "OK" and the permissions are applied. Now any user who belongs to the local security group "Colleagues for reading" can read the entire contents of the folder "PHOTO".
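The same sequence (break inheritance with "Copy", strip everything except Administrators and SYSTEM, add the group with read access) can be scripted, which is useful when the folder has to be set up on several machines. This is an added example, not the article's own steps; it uses the Get-Acl / Set-Acl cmdlets and icacls of a current Windows, and assumes the folder is C:\PHOTO and the local group "Colleagues for reading" already exists.

```powershell
# Added example, not from the article: Example 1 done with Get-Acl / Set-Acl.
# Assumptions: the folder is C:\PHOTO and the local group "Colleagues for reading" exists.
$folder = 'C:\PHOTO'
$group  = 'Colleagues for reading'

# 1. Break inheritance. The second argument $true is the "Copy" choice from the dialog:
#    inherited entries are kept as explicit ones. $false would be "Remove", which can
#    leave the DACL empty and lock you out.
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $folder -AclObject $acl

# 2. Re-read the ACL (the copied entries are explicit now) and drop everything
#    except BUILTIN\Administrators and NT AUTHORITY\SYSTEM.
$acl  = Get-Acl -Path $folder
$keep = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
foreach ($ace in @($acl.Access)) {
    if ($keep -notcontains $ace.IdentityReference.Value) {
        [void]$acl.RemoveAccessRule($ace)
    }
}

# 3. Add the group with Read & Execute (which includes List Folder Contents and Read),
#    applying to this folder, subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    $group, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 4. Check the result: no entry should carry the (I) inherited flag any more, and the
#    group should appear as (OI)(CI)(RX).
icacls $folder
```

Step 1 is persisted before step 2 on purpose: only after the protected DACL has been written back do the former inherited entries show up as explicit ones that RemoveAccessRule can remove. Run it from an elevated prompt, since the account doing this must itself be able to change the permissions.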

Example 2: Giving users personal access to their own subfolders within a folder.

This situation is also common in practice. For example, you have a folder for newly scanned documents, and in it each user has a separate subfolder. After scanning, the user takes the document from their subfolder. The task is to assign permissions so that each user sees only the contents of their own subfolder and cannot access a colleague's.

For this example I will restate the task slightly. Suppose we have a shared folder "PHOTO" with a subfolder for each user. The permissions must be set so that a user has full rights in their own subfolder, while the subfolders of other users are inaccessible to them.

For this setup I repeat all the steps from the first example exactly. The result is that the whole group "Colleagues for reading" has read permission on all the subfolders. But my task is to make only "their own" subfolder visible to each user. Therefore, in the basic permissions window I click "Advanced", go to the advanced permissions window, select the group "Colleagues for reading" and click "Edit".

In the window that opens, I change the inheritance setting: in the "Apply to" field I choose "This folder only".

This is the key moment of the example. The value "This folder only" makes the read permissions of the group "Colleagues for reading" apply only to the root of the folder "PHOTO" and not to its subfolders. Thus each user can reach their own folder but cannot look into the neighbouring one, because they have no permission to view the subfolders. If you do not give the group this permission at all, users will not be able to reach their subfolders at all: the file system will not let them into the folder "PHOTO" itself.

As a result, users can open the folder "PHOTO" but cannot go further into the subfolders!

In the advanced permissions window I click "OK" and return to the previous window; the "Apply to" column next to the group "Colleagues for reading" now shows "This folder only".

Click "OK" in all the windows and exit.

That's it. Now it remains to set up the personal permissions on each subfolder. This has to be done for every subfolder, since the permissions are personal to each user.

You have already done all the necessary actions in the first example, so let's repeat what we did 🙂

Right-click the subfolder "User1", select "Properties" from the menu and go to the "Security" tab. I click "Add" and in the standard selection window select the domain user named "User1".

It remains to check the "Allow" box for the "Modify" permission. The box for the "Write" permission is checked automatically at the same time.

Click "OK" and exit. It remains to repeat the same steps for all the subfolders.
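Because the per-subfolder step has to be repeated for every user, it is a natural candidate for a loop. The following is an added example, not the article's own procedure: it takes a PHOTO folder prepared as in the first example, narrows the group's entry to "This folder only" (InheritanceFlags None is exactly that setting), and then grants each user Modify on the subfolder that carries their name. The folder path C:\PHOTO, the naming convention "subfolder = user name" and the domain CONTOSO are assumptions.

```powershell
# Added example, not from the article: Example 2 with Get-Acl / Set-Acl.
# Assumptions: C:\PHOTO was set up as in Example 1, each subfolder is named after its
# user, and the accounts live in the domain CONTOSO (placeholder).
$folder = 'C:\PHOTO'
$group  = 'Colleagues for reading'
$domain = 'CONTOSO'

# 1. Replace the group's entry with one that applies to "This folder only":
#    InheritanceFlags None means the entry is not inherited by subfolders or files.
$acl = Get-Acl -Path $folder
foreach ($ace in @($acl.Access)) {
    if (-not $ace.IsInherited -and $ace.IdentityReference.Value -like "*\$group") {
        [void]$acl.RemoveAccessRule($ace)
    }
}
$rootOnly = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    $group, 'ReadAndExecute', 'None', 'None', 'Allow'
$acl.AddAccessRule($rootOnly)
Set-Acl -Path $folder -AclObject $acl

# 2. Grant each user Modify on their own subfolder (checking "Modify" in the GUI also
#    sets "Write"), inherited by everything below it.
foreach ($sub in Get-ChildItem -Path $folder -Directory) {
    $user   = "$domain\$($sub.Name)"
    $subAcl = Get-Acl -Path $sub.FullName
    $rule   = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $user, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $subAcl.AddAccessRule($rule)
    Set-Acl -Path $sub.FullName -AclObject $subAcl
}

# 3. Verify: the group should show (RX) without (OI)(CI) on the root, and each
#    subfolder should list only Administrators, SYSTEM and its own user.
icacls $folder
Get-ChildItem -Path $folder -Directory | ForEach-Object { icacls $_.FullName }
```

One caveat when checking the result: by default users hold the "Bypass traverse checking" privilege, so what keeps colleagues out of each other's subfolders is not the root-only entry on PHOTO but the subfolder ACLs themselves, which after this script grant access only to Administrators, SYSTEM and the owning user. Verify each subfolder's list, not just the root.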

Example 3. Granting a user personal write access to their subfolder while prohibiting changes and deletions.

I know it sounds complicated, but I'll try to explain. I call this kind of access a latch. In everyday life we have a similar situation with an ordinary mailbox into which we drop paper letters: you can drop a letter into the box, but you cannot take it back out. In computing, this is useful when someone submits a report to you in a folder: the user writes the file, but after that can no longer do anything with it. You can thus be sure that the author will not be able to change or delete the submitted report.

As in the previous example, we repeat all the steps, except that we do not immediately give the user full rights on our folder: in the basic permissions we initially grant only read access, and then click "Advanced".

In the window that opens, select "User1" and click "Edit".

In the window that opens, we see the standard read permissions.

To give the user the right to create files, allow the "Create Files / Write Data" permission, and set Deny on the "Delete Subfolders and Files" and "Delete" permissions. Leave the inheritance at its default, "This folder, subfolders and files".

After clicking "OK" and returning to the previous window, you can see a significant change: instead of one entry for "User1" there are now two.

This is because two types of entries are set: a Deny entry, which comes first in the list, and an Allow entry, which comes second. Since the rights are non-standard, the "Permission" column shows the value "Special". When you click "OK", Windows shows a warning that there are Deny entries and that they take priority over Allow entries. In plain terms, this is the same situation as the self-closing door with the keys left inside, which I described earlier.

That's it. The permissions are set. Now "User1" can write any file into their folder and open it, but cannot change or delete it.

But what about a complete analogy with a real mailbox?

To prevent the user from opening or copying the written file, do the following. Open the Allow special permissions entry for "User1" again and change the value in the "Apply to" field to "This folder only".

The user now has no right to read or copy the file.

That's it. Now the analogy with a physical mailbox is almost complete: the user can only see the file names, sizes and attributes, but cannot see the file itself.
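Both variants of the "mailbox" from this example (the first, where the user can still open what they dropped, and the strict one with "This folder only") reduce to one Allow entry and one Deny entry, so they fit in a single function. This is an added example rather than the article's own steps; the subfolder C:\PHOTO\User1 and the account CONTOSO\User1 are placeholders, and the function name Set-MailboxFolderAcl is my own.

```powershell
# Added example, not from the article: the "mailbox" permissions of Example 3.
# Assumptions: the subfolder is C:\PHOTO\User1 and the account is CONTOSO\User1 (placeholders).
function Set-MailboxFolderAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $User,
        # Omitted = first variant of the article (user can still open what they wrote).
        # Present = "This folder only": the user sees names, sizes and attributes, nothing more.
        [switch] $ThisFolderOnly
    )
    $T   = 'System.Security.AccessControl.FileSystemAccessRule'
    $acl = Get-Acl -Path $Path

    # Remove any existing explicit entries for the user so the function can be re-run.
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited -and $ace.IdentityReference.Value -eq $User) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }

    # Allow: read access plus Create Files / Write Data (the basic read entry from the
    # Security tab merged with the extra special right, as the Advanced dialog does).
    $inherit = if ($ThisFolderOnly) { 'None' } else { 'ContainerInherit, ObjectInherit' }
    $allow = New-Object $T -ArgumentList $User, 'ReadAndExecute, CreateFiles', $inherit, 'None', 'Allow'
    $acl.AddAccessRule($allow)

    # Deny: Delete on the folder (and, inherited, on each file) plus Delete Subfolders and
    # Files on the folder itself, which is what really protects the dropped files. Deny
    # entries are evaluated before Allow entries, hence Windows' warning when you click OK.
    $deny = New-Object $T -ArgumentList $User, 'Delete, DeleteSubdirectoriesAndFiles', `
        'ContainerInherit, ObjectInherit', 'None', 'Deny'
    $acl.AddAccessRule($deny)

    Set-Acl -Path $Path -AclObject $acl
}

# First variant: User1 can drop a file and re-open it.
Set-MailboxFolderAcl -Path 'C:\PHOTO\User1' -User 'CONTOSO\User1'
# Strict variant: User1 can drop a file but not read it back.
Set-MailboxFolderAcl -Path 'C:\PHOTO\User1' -User 'CONTOSO\User1' -ThisFolderOnly
icacls 'C:\PHOTO\User1'
```

Two details worth knowing before relying on this as a latch. In the first variant the inherited "Create Files / Write Data" bit is the same access-mask bit as "Write Data" on a file, so the user can still overwrite the content of a file they dropped; only deletion is blocked, and it is the strict variant that actually makes the file untouchable. And whoever creates a file becomes its owner, and an owner can always change the file's own permissions, so for a real drop box it is safer to have a scheduled task move submissions promptly into a folder the submitting users cannot reach.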

Viewing effective permissions.

I want to say right away that the ability to view the effective permissions for a folder or file is a complete fiction. In my view, such tools should provide guaranteed information, and in this case they do not. Microsoft itself admits that this tool does not take into account many factors that affect the resulting permissions, such as logon conditions. Using such a tool therefore only misleads you about the real permissions.

The case described at the very beginning of the article, the prohibition on deleting a file from a folder, is very telling here. If you reproduce that situation and look at the effective permissions of a file protected from deletion, you will see that deleting the file is denied. Nevertheless, deleting the file is not difficult. Why Microsoft did it this way, I do not know.

If you still decide to view the effective permissions, click "Advanced" in the basic permissions window and go to the "Effective Permissions" tab in the advanced permissions window.

Then click "Select" and in the standard selection window choose the user or group you need.

After the selection, you can see the "approximate" effective permissions.
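The reason the tab misreports the deletion case is that NTFS lets a file be deleted either through Delete on the file or through Delete Subfolders and Files on its parent folder, and the tab only evaluates the object you selected. The following added check (my own code, not part of the article or of Windows) evaluates both for the current user's token. It assumes a canonically ordered DACL (Deny entries first) and ignores owner rights and privileges such as Backup, so it is an illustration of the rule rather than a full access check; the function name Test-CanDeleteFile and the sample path are assumptions.

```powershell
# Added example, not from the article: a simplified effective-permission check for
# deletion that looks at the parent folder too, which the Effective Permissions tab does
# not. Uses the current user's token; assumes a canonically ordered DACL (Deny first);
# owner rights and privileges such as Backup are not considered.
function Test-CanDeleteFile {
    param([Parameter(Mandatory)] [string] $Path)

    $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids  = @($token.User) + @($token.Groups)      # user SID plus every group in the token

    # Does the DACL grant $Right to any SID in the token? An applicable Deny wins outright.
    function Test-Granted($Acl, [System.Security.AccessControl.FileSystemRights] $Right) {
        $granted = $false
        $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            if ($sids -notcontains $r.IdentityReference) { continue }
            if (($r.FileSystemRights -band $Right) -ne $Right) { continue }
            if ($r.AccessControlType -eq 'Deny') { return $false }
            $granted = $true
        }
        return $granted
    }

    $fileAcl   = Get-Acl -Path $Path
    $parentAcl = Get-Acl -Path (Split-Path -Path $Path -Parent)
    $onFile    = Test-Granted $fileAcl   ([System.Security.AccessControl.FileSystemRights]::Delete)
    $onParent  = Test-Granted $parentAcl ([System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles)

    # NTFS deletes a file if EITHER right is present: a Deny of Delete on the file is
    # not enough when the parent folder grants Delete Subfolders and Files.
    [pscustomobject]@{
        Path                = $Path
        DeleteOnFile        = $onFile
        DeleteChildOnParent = $onParent
        CanDelete           = ($onFile -or $onParent)
    }
}

Test-CanDeleteFile -Path 'C:\PHOTO\User1\report.docx'   # assumed path
```

Run it as the user whose access you are auditing: DeleteOnFile will come back $false for the "protected" file from the beginning of the article, while DeleteChildOnParent and therefore CanDelete come back $true, which is the behaviour the Effective Permissions tab hides. The mitigation follows directly: a file is only protected from deletion when the parent folder also withholds Delete Subfolders and Files from that user.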

In conclusion, I want to say that the topic of NTFS permissions is very extensive, and the examples above are only a small part of what can be done. So if you have questions, ask them in the comments to this article and I will try to answer them.

How to enable writing?

Master's response:

Many users with a limited account run into problems when writing files to removable drives. Of course, such troubles can also arise if the flash drive is faulty or if there are problems with its formatting.

If there is a problem writing to the drive in use and the user has a limited account on the computer, you need to change the setting that prevents writing. To do this, after booting, log in to the operating system with administrator rights, under the "Administrator" account. Now you need to change the account settings so that the account with limited capabilities is able to copy information to removable media.

Now it remains to apply the changes and close the windows with the OK button. After restarting the PC, which is necessary for the changes to take effect, log in to the operating system again with your limited account. As a test, copy some file to your removable drive.

It also happens that the flash drive is deliberately write-protected. To rule this out, check the position of the small switch on the side of the flash drive: it should be in the Unlocked position. Most often this applies to drives used in cameras, phones, players and other devices with SD and MicroSD memory cards.

The switch on the card reader also deserves attention if it is used as an adapter to connect the device. This also applies to MicroSD adapters, which are shaped like an ordinary SD card.

Find out whether your flash drive is password-protected. If so, it needs to be unlocked on the device where the lock was set. A lock on the flash drive will not allow you to write to it.

But sometimes other reasons that cannot be determined interfere with writing. Then the flash drive needs to be formatted, and not with the standard Windows tools! To do this, download and install on your PC the special utilities developed by the flash drive's manufacturer. These utilities will help format the removable disk and fix its errors.