Windows Server 2008 Inside Out- P13 - Pdf 76

Managing File and Folder Permissions
You can think of file and folder permissions as the base-level permissions—the permissions that are applied no matter what. For NTFS volumes, you use file and folder permissions and ownership, in addition to share permissions, to further constrain what can be done within a share. For FAT volumes, share permissions provide the only access controls, because FAT volumes have no file and folder permission capabilities. File and folder permissions are much more complex than share permissions, and to really understand how they can be used and applied, you must understand ownership and inheritance as well as the permissions that are available.

As administrators, we often forget about the basic file and folder attributes that can be assigned. However, basic file and folder attributes can affect access, so let’s look at these attributes first and then at the file and folder permissions you can apply to NTFS volumes. All files and folders have basic attributes regardless of whether you are working with FAT or NTFS. These attributes can be examined in Windows Explorer by right-clicking the file or folder icon and then selecting Properties. Folder and file attributes include Hidden and Read-Only. Hidden determines whether the file is displayed in file listings. You can override this by telling Windows Explorer to display hidden files. On NTFS, the Read-Only attribute for folders is initially shown as unavailable. Here, this means the attribute is in a mixed state regardless of the current state of files in the folder. If you override the mixed state by selecting the Read-Only check box for a folder, all files in the folder will be read-only. If you override the mixed state and clear the Read-Only check box for a folder, all files in the folder will be writable.
File and Folder Ownership
Before working with file and folder permissions, you should understand the concept of ownership as it applies to files and folders. In Windows Server 2008, the file or folder owner isn’t necessarily the file or folder’s creator. Instead, the file or folder owner is the person who has direct control over the file or folder. File or folder owners can grant access permissions and give other users permission to take ownership of a file or folder. The way ownership is assigned initially depends on where the file or folder is being created. By default, the user who created the file or folder is listed as the current owner.

ership of a folder, you can take ownership of all subfolders and files within the folder by selecting the Replace Owner On Subcontainers And Objects check box. Click OK twice when you are finished.
Figure 17-17 Taking ownership is done by using the Owner tab.
Transferring Ownership
If you are an administrator or a current owner of a file or folder, you can transfer ownership to another user by using a file or folder’s Properties dialog box. In Windows Explorer, right-click the file or folder, and then select Properties. On the Security tab of the Properties dialog box, display the Advanced Security Settings dialog box by clicking the Advanced button. Next, on the Owner tab, click Edit to display an editable version of the Owner tab, as shown in Figure 17-17.
Click Other Users Or Groups to display the Select User, Computer, Or Group dialog box. Type the name of a user or group, and click Check Names. If multiple names match the value you entered, you’ll see a list of names and will be able to choose the one you want to use. Otherwise, the name will be filled in for you, and you can click OK to close the Select User, Computer, Or Group dialog box. Under Change Owner To on the Owner tab of the Advanced Security Settings dialog box, the user you added is listed and selected. When you click OK, ownership is transferred to this user.
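The same take-ownership and transfer-ownership operations can be scripted, which matters when you need to do them for a whole tree or verify the result afterwards. The following PowerShell is an added example and is not code from the book; it assumes PowerShell 2.0 or later, an elevated session, and placeholder paths and account names. Assigning an owner other than yourself relies on the SeRestorePrivilege that members of Administrators hold, which is the same privilege the Owner tab uses.

```powershell
# Added example, not from the book: take or transfer ownership of a folder
# tree, the scripted equivalent of the Owner tab and of the Replace Owner On
# Subcontainers And Objects check box. Paths and accounts are placeholders.

function Set-ItemOwner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [Parameter(Mandatory=$true)] [string] $Account,   # 'DOMAIN\user' or 'BUILTIN\Administrators'
        [switch] $Recurse                                  # also subfolders and files
    )
    $owner = New-Object System.Security.Principal.NTAccount($Account)
    # Resolve the name to a SID up front so a mistyped account fails before
    # any ACL has been rewritten
    $null = $owner.Translate([System.Security.Principal.SecurityIdentifier])

    $targets = @(Get-Item -Path $Path)
    if ($Recurse) {
        $targets += @(Get-ChildItem -Path $Path -Recurse -Force)
    }
    foreach ($item in $targets) {
        $acl = Get-Acl -Path $item.FullName
        $acl.SetOwner($owner)
        Set-Acl -Path $item.FullName -AclObject $acl
    }
    Write-Verbose ("Owner of {0} item(s) set to {1}" -f $targets.Count, $Account)
}

function Get-ItemOwnerReport {
    # Owner per item, so the change can be verified or so files owned by an
    # unexpected account can be found before a server is decommissioned
    param([Parameter(Mandatory=$true)] [string] $Path)
    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
        New-Object PSObject -Property @{
            Path  = $_.FullName
            Owner = (Get-Acl -Path $_.FullName).Owner
        }
    }
}

# Usage (placeholder path and account):
# Set-ItemOwner -Path 'C:\EngData' -Account 'CPANDL\Domain Admins' -Recurse -Verbose
# Get-ItemOwnerReport -Path 'C:\EngData' | Where-Object { $_.Owner -ne 'CPANDL\Domain Admins' }
```

The report function is the useful half for reviews: ownership is what lets a user grant themselves permissions later, so a list of files owned by individual accounts rather than an administrative group is worth checking before a migration. The built-in takeown.exe does the first half (taking ownership for yourself or Administrators) without any scripting.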
568 Chapter 17 File Sharing and Security
Permission Inheritance for Files and Folders
By default, when you add a folder or file to an existing folder, the folder or file inherits the permissions of the existing folder. For example, if the Domain Users group has access to a folder and you add a file to this folder, members of the Domain Users group will be able to access the file. Inherited permissions are automatically assigned when files and folders are created.
When you assign new permissions to a folder, the permissions propagate down and are inherited by all subfolders and files in the folder and supplement or replace existing permissions. If you add permissions on a folder to allow a new group to access a

shown in Figure 17-18.
Figure 17-18 Change inheritance as necessary.
Clear the Include Inheritable Permissions From This Object’s Parent check box. As shown in Figure 17-19, you now have the opportunity to copy over the permissions that were previously applied or remove the inherited permissions and apply only the permissions that you explicitly set on the folder or file. Click Copy or Remove as appropriate.
Figure 17-19 Copy over or remove the inherited permissions.
Resetting and Replacing Permissions
Another way to manage permissions is to reset the permissions of subfolders and files within a folder, replacing their permissions with the current permissions assigned to the folder you are working with. In this way, subfolders and files get all inheritable permissions from the parent folder, and all other explicitly defined permissions on the individual subfolders and files are removed.
To reset permissions for subfolders and files of a folder, right-click the file or folder in Windows Explorer, and then select Properties. On the Security tab of the Properties dialog box, click Advanced to display the Advanced Security Settings dialog box. On the Permissions tab, click Edit to display an editable version of the Permissions tab.
Select Replace All Existing Inheritable Permissions…, and then click OK. As shown in Figure 17-20, you will see a prompt explaining that this action will remove all explicitly defined permissions and enable propagation of inheritable permissions. Click Yes.
Figure 17-20 Confirm that you want to replace the existing permissions on subfolders and files.
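The Copy/Remove choice when breaking inheritance and the Replace All Existing Inheritable Permissions reset both map onto one .NET call, SetAccessRuleProtection, plus the removal of explicit entries. The script below is an added example, not the book's code; it assumes PowerShell 2.0 or later, an elevated session and placeholder paths, and it includes a review function so you can see which explicit entries a reset would wipe out before you run it.

```powershell
# Added example, not from the book: break inheritance with Copy or Remove
# semantics, reset a tree so children inherit only from the parent, and list
# the explicit entries that a reset would remove. Paths are placeholders.

function Disable-AclInheritance {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [Parameter(Mandatory=$true)] [ValidateSet('Copy', 'Remove')] [string] $Mode
    )
    $acl = Get-Acl -Path $Path
    # SetAccessRuleProtection(isProtected, preserveInheritance):
    #   Copy   -> inherited entries become explicit entries on this object
    #   Remove -> inherited entries are dropped; only explicit entries remain
    $acl.SetAccessRuleProtection($true, ($Mode -eq 'Copy'))
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ExplicitAce {
    # Explicit (non-inherited) entries on every child of $Path: exactly the
    # entries that Replace All Existing Inheritable Permissions will remove
    param([Parameter(Mandatory=$true)] [string] $Path)
    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
        $item = $_.FullName
        (Get-Acl -Path $item).Access | Where-Object { -not $_.IsInherited } |
            Select-Object @{ n = 'Path'; e = { $item } }, IdentityReference, AccessControlType, FileSystemRights
    }
}

function Reset-ChildAcl {
    # Scripted equivalent of Replace All Existing Inheritable Permissions:
    # every subfolder and file goes back to inheriting from its parent and
    # loses its explicit entries
    param([Parameter(Mandatory=$true)] [string] $Path)
    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        # Re-enable inheritance; the second argument is ignored when the
        # first is $false
        $acl.SetAccessRuleProtection($false, $false)
        # Drop the explicit entries; inherited ones are recomputed by Windows
        foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
            $null = $acl.RemoveAccessRule($ace)
        }
        Set-Acl -Path $_.FullName -AclObject $acl
    }
}

# Usage (placeholder paths):
# Get-ExplicitAce -Path 'C:\EngData' | Format-Table -AutoSize   # review first
# Disable-AclInheritance -Path 'C:\EngData\Private' -Mode Remove
# Reset-ChildAcl -Path 'C:\EngData'
```

Running the review function first is the point of scripting this: the dialog's warning tells you that explicit permissions will be removed, but not which ones, and a Deny entry that someone added on a subfolder for a reason will disappear just as silently as a stale Allow. The built-in icacls.exe offers the same reset with its /reset /T switches if you do not want the review step.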
Configuring File and Folder Permissions
On NTFS volumes, you can assign access permissions to files and folders. These per-

Permission       Description
Full Control     This permission permits reading, writing, changing, and deleting the file.
Modify           This permission permits reading and writing of the file; allows deletion of the file.
Read & Execute   This permission permits viewing and accessing the file’s contents as well as executing the file.
Write            This permission permits writing to a file. Giving a user permission to write to a file but not to delete it doesn’t prevent the user from deleting the file’s contents.
Read             This permission permits viewing or accessing the file’s contents. Read is the only permission needed to run scripts. Read access is required to access a shortcut and its target.
You can set basic permissions for files and folders by following these steps:
1. In Windows Explorer, right-click the file or folder you want to work with, and select Properties. In the Properties dialog box, select the Security tab, shown previously in Figure 17-21.
2. Click Edit to display an editable version of the Security tab. Users or groups that already have access to the file or folder are listed in the Name list box. You can change permissions for these users and groups by selecting the user or group you want to change and then using the Permissions list box to grant or deny access permissions.
3. To set access permissions for additional users, computers, or groups, click Add. This displays the Select Users, Computers, Or Groups dialog box.
4. The Locations button allows you to access account names from other domains. Click Locations to see a list of the current domain, trusted domains, and other resources that you can access. Because of the transitive trusts in Windows Server

Traverse Folder/Execute File
Traverse Folder lets you directly access a folder even if you don’t have explicit access to read the data it contains. Execute File lets you run an executable file.

List Folder/Read Data
List Folder lets you view file and folder names. Read Data lets you view the contents of a file.

Read Attributes
Lets you read the basic attributes of a file or folder. These attributes include Read-Only, Hidden, System, and Archive.

Figure 17-22 The Advanced Security Settings dialog box can be used to access the special permissions assigned to each user or group.

Read Extended Attributes
Lets you view the extended attributes (named data streams) associated with a file. As discussed in Chapter 16, “Managing Windows Server 2008 File Systems,” these include Summary fields, such as Title, Subject, and Author, as well as other types of data.

Create Files/Write Data
Create Files lets you put new files in a folder. Write Data allows you to overwrite existing data in a file (but not add new data to an existing file because this is covered by Append Data).


Change Permissions
Lets you change basic and special permissions assigned to a file or folder.

Take Ownership
Lets you take ownership of a file or folder. By default, administrators can always take ownership of a file or folder and can also grant this permission to others.
Tables 17-3 and 17-4 show how special permissions are combined to make the basic permissions for files and folders. Because special permissions are combined to make the basic permissions, they are also referred to as atomic permissions.
Table 17-3 Special Permissions for Folders

Special Permission             Full Control  Modify  Read & Execute  List Folder Contents  Read  Write
Traverse Folder/Execute File   X             X       X               X
List Folder/Read Data          X             X       X               X                     X
Read Attributes                X             X       X               X                     X
Read Extended Attributes

Special Permission             Full Control  Modify  Read & Execute  Read  Write
Traverse Folder/Execute File   X             X       X
List Folder/Read Data          X             X       X               X
Read Attributes                X             X       X               X
Read Extended Attributes       X             X       X               X
Create Files/Write Data        X             X                             X
Create Folders/Append Data     X             X                             X
Write Attributes               X             X                             X
Write Extended Attributes      X             X                             X
Delete Subfolders And Files    X
Delete                         X             X
Read Permissions               X             X       X               X     X
Change Permissions             X
Take Ownership                 X
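The tables are not a convention that Explorer invents; each basic permission is a bit mask built from the atomic ones, and the .NET FileSystemRights enumeration that PowerShell exposes encodes the same masks. The following is an added example, not code from the book. It regenerates the file table from the enumeration and then maps the entries of a real ACL back to basic permission names, flagging anything that is not exactly a basic permission as Special; it assumes PowerShell 2.0 or later and a placeholder path.

```powershell
# Added example, not from the book: derive Table 17-4 from the
# FileSystemRights masks and summarize an ACL in basic-permission terms.

# Atomic (special) permissions, in the book's order; the Explorer label is
# noted where it differs from the enumeration name
$AtomicNames = @(
    'ExecuteFile',                   # Traverse Folder / Execute File
    'ReadData',                      # List Folder / Read Data
    'ReadAttributes',
    'ReadExtendedAttributes',
    'WriteData',                     # Create Files / Write Data
    'AppendData',                    # Create Folders / Append Data
    'WriteAttributes',
    'WriteExtendedAttributes',
    'DeleteSubdirectoriesAndFiles',  # Delete Subfolders And Files
    'Delete',
    'ReadPermissions',
    'ChangePermissions',
    'TakeOwnership'
)
# Basic permissions for files. List Folder Contents (folders only) has the
# same mask as Read & Execute and differs only in applying to subfolders, so
# it is not a separate enumeration value.
$BasicNames = @('FullControl', 'Modify', 'ReadAndExecute', 'Read', 'Write')

function Get-BasicMask {
    # The .NET Write value (0x116) omits Read Permissions and Synchronize,
    # which Explorer's Write (FILE_GENERIC_WRITE) includes; widen it so the
    # result matches the book's table
    param([string] $Basic)
    $mask = [int]([System.Security.AccessControl.FileSystemRights] $Basic)
    if ($Basic -eq 'Write') {
        $mask = $mask -bor [int][System.Security.AccessControl.FileSystemRights]::ReadPermissions
        $mask = $mask -bor [int][System.Security.AccessControl.FileSystemRights]::Synchronize
    }
    return $mask
}

function Test-RightIncluded {
    param([string] $Basic, [string] $Atomic)
    $b = Get-BasicMask -Basic $Basic
    $a = [int]([System.Security.AccessControl.FileSystemRights] $Atomic)
    return (($b -band $a) -eq $a)
}

function Get-FilePermissionMatrix {
    # One row per atomic permission with an X under each basic permission
    # whose mask contains it
    foreach ($atomic in $AtomicNames) {
        $row = New-Object PSObject
        $row | Add-Member NoteProperty 'Special Permission' $atomic
        foreach ($basic in $BasicNames) {
            $mark = if (Test-RightIncluded -Basic $basic -Atomic $atomic) { 'X' } else { '' }
            $row | Add-Member NoteProperty $basic $mark
        }
        $row
    }
}

function Resolve-BasicPermission {
    # Map an entry's rights mask back to a basic permission name; Synchronize
    # is ignored because Explorer never shows it
    param([System.Security.AccessControl.FileSystemRights] $Rights)
    $sync = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
    $mask = [int]$Rights -band (-bnot $sync)
    foreach ($basic in $BasicNames) {
        if ($mask -eq ((Get-BasicMask -Basic $basic) -band (-bnot $sync))) { return $basic }
    }
    return 'Special'
}

function Get-AclSummary {
    param([Parameter(Mandatory=$true)] [string] $Path)
    (Get-Acl -Path $Path).Access | ForEach-Object {
        New-Object PSObject -Property @{
            Identity  = $_.IdentityReference.Value
            Type      = $_.AccessControlType
            Basic     = Resolve-BasicPermission -Rights $_.FileSystemRights
            Inherited = $_.IsInherited
        }
    }
}

# Usage:
# Get-FilePermissionMatrix | Format-Table -AutoSize
# Get-AclSummary -Path 'C:\EngData' | Format-Table -AutoSize   # placeholder path
```

Entries that come back as Special are the ones to look at during a permissions review: a hand-built combination such as Write plus Delete, or an entry that grants Change Permissions or Take Ownership on its own, is invisible on the basic Security tab and only shows up under Advanced.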
You can set special permissions for files and folders in Windows Explorer. Right-click the file or folder you want to work with and then select Properties. In the Properties

related entries in Table 17-5 are No. This means the settings no longer apply onto subsequent subfolders or to files in subsequent subfolders.
Table 17-5 Special Permissions Apply Onto Options

Apply Onto                          Applies to      Applies to Subfolders  Applies to Files       Applies to Subsequent  Applies to Files in
                                    Current Folder  in the Current Folder  in the Current Folder  Subfolders             Subsequent Subfolders
This folder only                    Yes             No                     No                     No                     No
This folder, subfolders, and files

Note
When Apply These Permissions To Objects And/Or Containers Within This Container Only is selected, all the values under Applies To Subsequent Subfolders and Applies To Files In Subsequent Subfolders are No. The settings no longer apply onto subsequent subfolders or to files in subsequent subfolders.
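Behind the Apply Onto list and the Within This Container Only check box are two flag fields on the access control entry, InheritanceFlags and PropagationFlags. The script below is an added example, not the book's code, and it goes beyond the rows visible in this excerpt of Table 17-5: it converts every Apply Onto option to its flags and then derives the five Yes/No columns from the flags, so the whole table, with and without the check box, can be reproduced and checked against a live ACL. It assumes PowerShell 2.0 or later and placeholder paths and accounts.

```powershell
# Added example, not from the book: Apply Onto options as inheritance and
# propagation flags, and Table 17-5 regenerated from those flags.

$ApplyOntoOptions = @(
    'This folder only',
    'This folder, subfolders, and files',
    'This folder and subfolders',
    'This folder and files',
    'Subfolders and files only',
    'Subfolders only',
    'Files only'
)

function ConvertTo-AceFlags {
    param(
        [Parameter(Mandatory=$true)] [string] $ApplyOnto,
        [switch] $ThisContainerOnly   # the Within This Container Only check box
    )
    if ($ApplyOntoOptions -notcontains $ApplyOnto) { throw "Unknown Apply Onto option: $ApplyOnto" }
    $inherit = 0
    if ($ApplyOnto -match 'subfolders') {
        $inherit = $inherit -bor [int][System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    }
    if ($ApplyOnto -match 'files') {
        $inherit = $inherit -bor [int][System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    }
    $propagate = 0
    if ($ApplyOnto -notmatch '^This folder') {   # the "... only" choices skip the folder itself
        $propagate = $propagate -bor [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    }
    if ($ThisContainerOnly) {
        $propagate = $propagate -bor [int][System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
    }
    New-Object PSObject -Property @{
        InheritanceFlags = [System.Security.AccessControl.InheritanceFlags] $inherit
        PropagationFlags = [System.Security.AccessControl.PropagationFlags] $propagate
    }
}

function Get-ApplyOntoTable {
    # Derive the five columns of Table 17-5 from the flags of each option
    param([switch] $ThisContainerOnly)
    foreach ($opt in $ApplyOntoOptions) {
        $f  = ConvertTo-AceFlags -ApplyOnto $opt -ThisContainerOnly:$ThisContainerOnly
        $ci = ([int]$f.InheritanceFlags -band 1) -ne 0   # ContainerInherit
        $oi = ([int]$f.InheritanceFlags -band 2) -ne 0   # ObjectInherit
        $np = ([int]$f.PropagationFlags -band 1) -ne 0   # NoPropagateInherit
        $io = ([int]$f.PropagationFlags -band 2) -ne 0   # InheritOnly
        $yn = { param($b) if ($b) { 'Yes' } else { 'No' } }
        New-Object PSObject -Property @{
            'Apply Onto'            = $opt
            'Current Folder'        = & $yn (-not $io)
            'Subfolders'            = & $yn $ci
            'Files'                 = & $yn $oi
            'Subsequent Subfolders' = & $yn ($ci -and -not $np)
            'Subsequent Files'      = & $yn ($oi -and -not $np)
        } | Select-Object 'Apply Onto', 'Current Folder', 'Subfolders', 'Files', 'Subsequent Subfolders', 'Subsequent Files'
    }
}

function Add-ScopedAce {
    # Grant $Rights to $Account on $Path with the chosen Apply Onto scope
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [Parameter(Mandatory=$true)] [string] $Account,
        [Parameter(Mandatory=$true)] [System.Security.AccessControl.FileSystemRights] $Rights,
        [string] $ApplyOnto = 'This folder, subfolders, and files',
        [switch] $ThisContainerOnly
    )
    $f = ConvertTo-AceFlags -ApplyOnto $ApplyOnto -ThisContainerOnly:$ThisContainerOnly
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $Rights, $f.InheritanceFlags, $f.PropagationFlags,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Usage (placeholder path and account):
# Get-ApplyOntoTable | Format-Table -AutoSize
# Get-ApplyOntoTable -ThisContainerOnly | Format-Table -AutoSize   # last two columns all No
# Add-ScopedAce -Path 'C:\EngData' -Account 'CPANDL\EngineeringUsers' -Rights ReadAndExecute -ApplyOnto 'Subfolders and files only'
```

The second usage line reproduces the Note above: with the check box set, NoPropagateInherit is added and the two Subsequent columns become No for every option. The flag view is also what you see in the Access property of Get-Acl output, so a reviewer can read an exported ACL without opening the dialog.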
Figure 17-24 Use Effective Permissions to help you determine how permissions will be applied to a specific user or group.
Effective Permissions does have the following limitations:

You need the proper access permissions to view the effective permissions of a user or group. That goes without saying, pretty much. But it is important to point out.

You cannot determine permissions for global or universal security groups that are nested in domain local groups. For example, by default Users has access to most folders, and one of its members is Domain Users, which is a global security group. If you try to determine the effective permissions for Domain Users, no permissions are displayed.

You cannot determine the effective permissions for implicit groups or special identities, such as Everyone, Interactive, Domain Controllers, Local Service, or Network Service.
Managing File Shares After Configuration
Configuring shares can be a time-consuming process, especially if you are trying to troubleshoot why a particular user doesn’t have access or set up a new server with the same file shares as a server you are decommissioning. Fortunately, there are some techniques you can use to help you better manage file shares and the way they are

write, such as
net share > C:\logs\fileshares.txt
If you follow the Net Share command with the name of a configured share, you’ll see the complete configuration details for the share as shown in the following example:
Share name EngData
Path C:\EngData
Remark
Maximum users No limit
Users
Caching Manual caching of documents
Permission CPANDL\Domain Admins, FULL
CPANDL\Domain Users, READ
CPANDL\EngineeringUsers, READ
The command completed successfully.
You can append the share configuration details to the previously created log file by using the append symbol (>>) instead of the standard redirect symbol (>), as shown in the following example:
net share corpdata >> C:\logs\fileshares.txt
Listing 17-1 shows the source of a command-line script that you could use to create a configuration log for the key shares on the computer. Although the path in the example is set to c:\logs\fileshares.txt, you can set any log path you want.
Listing 17-1 A sample share logging script
net share > C:\logs\fileshares.txt
net share c$ >> C:\logs\fileshares.txt
net share f$ >> C:\logs\fileshares.txt
net share corpdata >> C:\logs\fileshares.txt
net share corptech >> C:\logs\fileshares.txt
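Listing 17-1 has to be edited every time a share is added, and it overwrites the log, so yesterday's configuration is gone when you need it for a comparison. The PowerShell below is an added example, not the book's script; it keeps the book's net share command and log path but discovers the share names from the command's own output, stamps each run, and appends, so two runs can be compared with Compare-Object. It assumes PowerShell 2.0 or later, is run on the file server itself, and, as noted in the code, does not handle share names that contain spaces.

```powershell
# Added example, not from the book: a self-updating version of Listing 17-1.
# Uses the same "net share" command and the same default log path.

function Get-NetShareName {
    # Parse the share-name column out of "net share" output. The table starts
    # after a line of dashes and ends at a blank line. Share names containing
    # spaces are not handled by this simple parser (assumption).
    $inTable = $false
    $names = @()
    foreach ($line in (net share)) {
        if ($line -match '^-{5,}') { $inTable = $true; continue }
        if (-not $inTable) { continue }
        if ($line -match '^\s*$' -or $line -match 'completed successfully') { break }
        if ($line -match '^(\S+)\s') { $names += $Matches[1] }
    }
    return $names
}

function Write-ShareConfigLog {
    # Append the share list and each share's full configuration to $LogPath,
    # under a header that records when and where the snapshot was taken
    param([string] $LogPath = 'C:\logs\fileshares.txt')
    $dir = Split-Path -Path $LogPath -Parent
    if (-not (Test-Path -Path $dir)) { $null = New-Item -ItemType Directory -Path $dir }

    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    "===== $stamp on $env:COMPUTERNAME =====" | Out-File -FilePath $LogPath -Append
    net share | Out-File -FilePath $LogPath -Append
    foreach ($name in Get-NetShareName) {
        "----- $name -----" | Out-File -FilePath $LogPath -Append
        net share $name | Out-File -FilePath $LogPath -Append
    }
}

function Get-SharePermissionSnapshot {
    # Just the Permission lines per share, which is the part that matters when
    # you are rebuilding a server or checking who was granted what
    foreach ($name in Get-NetShareName) {
        $detail = net share $name
        $perms = @()
        $collect = $false
        foreach ($line in $detail) {
            if ($line -match '^Permission\s+(.*)$') { $collect = $true; $perms += $Matches[1]; continue }
            if ($collect -and $line -match '^\s+(\S.*)$') { $perms += $Matches[1]; continue }
            if ($collect) { break }
        }
        New-Object PSObject -Property @{ Share = $name; Permissions = ($perms -join '; ') }
    }
}

# Usage:
# Write-ShareConfigLog
# Get-SharePermissionSnapshot | Export-Csv -Path 'C:\logs\shareperms.csv' -NoTypeInformation   # placeholder path
# Compare-Object (Import-Csv 'C:\logs\shareperms-old.csv') (Import-Csv 'C:\logs\shareperms.csv') -Property Share, Permissions
```

The Permission block in net share output is multi-line (the book's EngData example shows three continuation lines), which is why the snapshot function keeps reading indented lines until the block ends. Comparing the CSV from the old server with the one from its replacement is a direct check that the decommissioning scenario in the text has not quietly widened any share permission.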

Next, double-click Audit Object Access. This displays the Audit Object Access Properties dialog box shown in Figure 17-26. Under Audit These Attempts, select the Success check box to log successful access attempts, the Failure check box to log failed access attempts, or both check boxes, and then click OK. This enables auditing, but it doesn’t specify which files and folders should be audited.
Figure 17-26 Configure auditing for object access.
Specifying Files and Folders to Audit
After you have enabled Audit Object Access, you can set the level of auditing for individual folders and files. This allows you to control whether and how folder and file usage is tracked. Keep in mind that auditing is available only on NTFS volumes. In addition, everything discussed about inheritance applies to files and folders as well—and this is a good thing. This allows you, for example, to audit access to every file or folder on a volume simply by specifying that you want to audit the root folder of the volume.
You specify files and folders to audit using Windows Explorer. In Windows Explorer, right-click the file or folder to be audited, and then, from the shortcut menu, select Properties. In the Properties dialog box, click the Security tab, and then click Advanced. In the Advanced Security Settings dialog box, click Edit on the Auditing tab. You can now view and manage auditing settings using the options shown in Figure 17-27.
Figure 17-27 Specify to which users and groups auditing should apply.
You have the same two inheritance options discussed earlier in the chapter:

If you want to inherit auditing settings from a parent object, ensure that the Include Inheritable Permissions From This Object’s Parent check box is selected.

If you want child objects of the current object to inherit the settings you are setting on the current folder, select the Replace All Existing Inheritable Auditing Entries check box.

can cause multiple failed attempts to be logged even when the user performed the action only once. Regardless, as an administrator, you should always check multiple failed attempts because of the possibility that someone is attempting to breach your system’s defenses.
Monitoring the Security Logs
Any time files and folders that you’ve configured for auditing are accessed, the action is written to the system’s Security log, where it’s stored for your review. The Security log is accessible from Event Viewer. Successful actions can cause successful events, such as successful file reads, to be recorded. Failed actions can cause failed events, such as failed file deletions, to be recorded.
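The three steps above, turning on Audit Object Access, choosing which folders and accesses to audit, and then reading the Security log, can all be done from PowerShell, which is the practical way to apply the same auditing entry to many servers and to review the resulting events by account rather than by scrolling Event Viewer. The script below is an added example and not the book's code. It assumes PowerShell 2.0 or later (for Get-WinEvent), an elevated session, and placeholder paths; auditpol.exe is used in place of the policy editor, and the File System subcategory it enables is one of the subcategories under Audit Object Access.

```powershell
# Added example, not from the book: enable file-system auditing, add a SACL
# entry for the accesses worth recording, and summarize the resulting events.

# 1. Enable Success and Failure auditing for the File System subcategory
#    (the scripted counterpart of the Audit Object Access policy setting)
auditpol /set /subcategory:"File System" /success:enable /failure:enable

function Add-FolderAudit {
    # 2. Put an auditing entry on $Path. The default rights are the ones an
    #    administrator most wants a record of: deletion, changes to content,
    #    changes to permissions, and ownership changes.
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [string] $Account = 'Everyone',
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Delete, DeleteSubdirectoriesAndFiles, WriteData, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.AuditFlags] $Flags = 'Success, Failure'
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Account, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        $Flags)
    # -Audit is required for Get-Acl to read the SACL; Set-Acl writes it back
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FileAuditSummary {
    # 3. Read the Security log. Event 4656 records the handle request (this is
    #    where failed attempts appear); 4663 records an access that actually
    #    took place. Rows are grouped so the repeated failures the text warns
    #    about stand out, whatever their cause.
    param(
        [int] $Hours = 24,
        [string] $PathPrefix = 'C:\EngData'   # placeholder
    )
    $filter = @{ LogName = 'Security'; Id = @(4656, 4663); StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if (-not ($d['ObjectName'] -like "$PathPrefix*")) { return }
        $outcome = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
        New-Object PSObject -Property @{
            Outcome = $outcome
            Account = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object  = $d['ObjectName']
            Process = $d['ProcessName']
            Access  = $d['AccessMask']
        }
    } | Group-Object Outcome, Account, Object |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Usage (placeholder path):
# Add-FolderAudit -Path 'C:\EngData'
# Get-FileAuditSummary -Hours 24 | Format-Table -AutoSize
```

Auditing Success on Read Data for a busy share will flood the Security log, which is why the default rights in Add-FolderAudit are the modifying and permission-changing ones; add read auditing only on the specific folders where knowing who looked at a file is worth the volume. The AccessMask column is the hexadecimal form of the same rights bits that make up the basic and special permissions, so a failed 4656 with 0x10000 (Delete) against a file the account can only read is exactly the "failed file deletion" case the text describes.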
Auditing File and Folder Access 585