Advanced NTFS Permissions


Welcome back to your free training course for the Windows 7 70-680 exam. In this video I will continue to look more into NTFS permissions, covering the advanced features NTFS can offer.

Before I get started, I want to first look at something not covered in our sharing video and NTFS video. This is how share and NTFS permissions work when combined. Put simply, when these permissions are combined the most restrictive permission wins. Given this example, if the share permissions are set to full control on the share and the NTFS permissions are set to read, the user will only ever have read access to the file. The fact that they have full control at the share level does not give them more rights. This also applies in reverse. If the share permissions are set to read and the NTFS permissions are set to full control, again the effective permissions for a file or folder would be read. When you are dealing with NTFS and sharing permissions together, simply ask yourself which is the most restrictive permission and this will tell you what permissions the end user will get.

In the last video I looked at the standard NTFS permissions, which gave you 6 basic permissions you could choose from. If you need more control over your files and folders, you can assign them advanced permissions, often referred to as special permissions. This gives you 13 permissions to choose from. These 13 permissions map to the 6 basic permissions covered in the last video.

First you have the read permission. When you assign the read permission to a file or folder you are essentially assigning it the following 4 permissions. The first permission is “list folder / read data”. If applied at the folder level it will allow you to see the filename of any file or folder regardless of the permissions on the file or folder. If you want to make a submission folder, a folder in which people can drop files but not see the files that have already been written to the folder, you would clear this permission.
If this permission is applied at the file level, this gives the user the ability to read data in the file.

The next permission is the read attributes permission. This gives the user the ability to read the basic attributes of a file or folder. This includes the read only, hidden and archive attributes. The next advanced permission that is set when selecting the basic read permission is read extended attributes. Extended attributes are set by programs and may vary from program to program. The last permission set when selecting read is read permissions. This allows the user to read the NTFS permissions but not make changes.

You can see from assigning the basic read permission in NTFS you are in fact setting 4 of the advanced permissions. In most cases, assigning the basic permission will work fine; in some rare cases you will need to configure the permission on a more granular level than setting basic permissions allows.

If I now look at the basic write permission, this is also assigned to 4 of the advanced permissions. The first is “create files / write data”. On the folder level this gives you the ability to create files in the folder. If you don’t want to allow creating of new files, edit the existing folder permissions and clear this permission. If you apply this permission to a file, this permission allows the user to write to the file.

The next permission is “create folder / append data”. This permission when applied to the folder level allows the user to create new sub folders in that directory. When it is applied at the file level it allows the user to append data to the end of a file but not change any existing data. If you had a log file that you wanted to ensure was not changed after it was written to, you would select this permission and clear the write data permission.

The next permission is the write attributes permission. This allows the user to change the basic file attributes on the file such as read only, hidden and archive.
The last permission is write extended attributes, which allows the user to change extended attributes set by programs.

The next of the basic permissions is list folder contents. This permission is only available at the folder level. This permission sets the traverse folder permission and the 4 read permissions. The traverse folder permission allows a user to go through directories even if they don’t have access to them. For example, let’s say a user does not have permissions to a folder. This would also mean that they could not access any folders below that folder. However, by giving them traverse permissions, they could access any folder under the folder that they have access to. Simply put, they can access a folder lower in the folder hierarchy if they knew it was there even when they don’t have access to the folders above. When you select list folder contents, it includes all the permissions set when you select the basic read or write permission.

The next basic permission is read & execute. When this basic permission is set it applies all the advanced permissions above it on both the folder and file level and adds the execute files permission when applied to files. The execute permission allows the user to run executable files. This does not include scripts and other files that are essentially run by another program. Think of it like this: if the file can be opened using the file open command from another program or dragged and dropped on a program to open or run it, then it is not an executable file.

The next basic NTFS permission is modify. This includes all the above permissions and adds the delete permission. The delete permission does just that: it allows you to delete a file or folder. You can probably start guessing that using the advanced permissions gives you a lot more control over files than using the basic permissions. Using advanced permissions you could give the user the ability to read files and delete files but not change files.
Something that is not possible using the modify permission.

The last of the basic permissions is full control, which adds 3 advanced permissions. The first permission adds the ability to delete extended attributes created by applications. The next permission is change permissions. This allows the user to change the NTFS permissions that have been assigned. The last of the advanced permissions is the take ownership permission. This allows a user or users to change the owner of a file or folder. The owner of a file or folder has the ability to change the NTFS permissions even if they do not have access to the file.

I will now change to my Windows 7 computer to demonstrate advanced NTFS permissions. First of all I will open Windows Explorer and go to the properties of a directory I created called NTFS advanced permissions. Once in the properties I will go to the Security tab. First of all I will edit the standard permissions to demonstrate a point. I will change the permissions for users to list folder contents. Now if I go back and select the Advanced button and select the permissions for users, it will show it has the permissions of list folder contents but also it applies only to this folder and subfolders. For the files in the directory, it gets its access from the entry below it. Notice that the permissions in this case are called special. These are applied to the folder, sub folder and file level. This essentially means the files don’t have execute access.

To show this a bit clearer, if I press the change permissions button and then select this entry and press edit, you will notice that “traverse folder / execute file” is not ticked. This entry will make sure that files in this folder do not have the execute permission. If I were to add this permission back in and go back to the previous screen, I now only have one entry. That is, read, write and execute. You will notice that when you edit permissions, if the edit matches a basic permission it will be displayed as that basic permission.
If Windows cannot match the permissions to a basic permission, the entry will be listed as special.

If I go back in and edit the permissions, notice that I can apply this permission to a number of different places. Firstly the folder level and then every combination of folders, sub folders and files down to files by themselves. This gives you a lot of control. For example, you could create a folder where users could only access files in that folder but could not access any data in any of the sub folders. You may be thinking I could just create these folders myself and then assign permissions to them. Doing it this way gives you more control over new files and folders that are created and also gives you the ability to manage the permissions of the folder, files and sub folders from one point.

In this example, I will create a folder in which users can place files but not delete them. Also they will be able to list any files that are in the folder. Once I enter in the permissions they will appear as special permissions.

Remember that the permissions a user receives are a combination of the groups they are in. If I select the effective permissions tab and then enter in a user account, notice that the user still has permissions to everything even though I just assigned them special permissions. The effective permissions tab is a good way to troubleshoot the permissions allocated to a user.

If I go back to the permissions tab, notice that authenticated users has been given modify access. This is where the user is getting their permissions from. To fix the problem, I simply need to remove this entry. Now if I go back to effective permissions and select the user again, this time the user has the special permissions that I configured earlier.

In this video and the last video I looked at configuring NTFS permissions. NTFS permissions help protect your files from unauthorized access. In the next video I will look at how to configure encryption on your files.
Encryption is another method you can use to protect your files. For more free videos for this completely free Windows 7 training course, check out our web site or YouTube channel. Thanks for watching.
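
The folder built in the demonstration (users can list and add files but not delete them, with the Authenticated Users entry removed) can also be scripted. This is an added PowerShell example, not part of the video; the path `C:\Drop` and the use of `BUILTIN\Users` as the group are assumptions, and it needs an elevated prompt.

```powershell
# Added example, not from the video. $Path is a hypothetical folder name.
$Path = 'C:\Drop'
New-Item -ItemType Directory -Path $Path -Force | Out-Null

$acl = Get-Acl -Path $Path

# Stop inheriting from the parent but keep a copy of the inherited entries,
# so they become explicit entries that can be removed one by one.
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Path -AclObject $acl
$acl = Get-Acl -Path $Path

# Remove the broad entry that was giving every user Modify through
# group membership (the cause found on the effective permissions tab).
$authUsers = New-Object System.Security.Principal.NTAccount('NT AUTHORITY\Authenticated Users')
$acl.PurgeAccessRules($authUsers)

# Advanced rights for the drop folder: list its contents and create files.
# Delete, DeleteSubdirectoriesAndFiles, ChangePermissions and TakeOwnership
# are deliberately left out of this entry.
$rights = [System.Security.AccessControl.FileSystemRights]'ListDirectory, ReadAttributes, ReadExtendedAttributes, ReadPermissions, CreateFiles, Synchronize'

# InheritanceFlags 'None' = "This folder only". On a folder, CreateFiles and
# WriteData are the same bit, so inheriting this entry to files would let
# users overwrite existing files as well.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', $rights, 'None', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Review every entry now on the folder, including the copied ones that were
# left untouched, and where each one applies.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
```

The effective permissions tab shown in the video remains the way to confirm what a specific account ends up with once all of its group memberships are combined.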
