Network Administration: Windows Server 2008 Permission Basics

Permissions allow users to access shared resources on a network. Simply sharing a resource such as a disk folder or a printer doesn’t guarantee that a given user is able to access that resource. Windows makes this decision based on the permissions that have been assigned to various groups for the resource and on the user’s group memberships.

If the user belongs to a group that has been granted permission to access the resource, the access is allowed. If not, access is denied. In theory, permissions sound pretty simple. In practice, however, they can get pretty complicated. The following paragraphs explain some of the nuances of how access control and permissions work:

  • Every object — that is, every file and folder — on an NTFS volume has a set of permissions called the Access Control List, or ACL, associated with it.

  • The ACL identifies the users and groups who can access the object and specifies what level of access each user or group has. For example, a folder’s ACL may specify that one group of users can read files in the folder, while another group can read and write files in the folder, and a third group is denied access to the folder altogether.

  • Container objects — folders and volumes — allow their ACLs to be inherited by the objects that they contain. As a result, if you specify permissions for a folder, those permissions extend to the files and child folders that appear within it.
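The inheritance behaviour described above can be seen directly from PowerShell. The following script is an added example, not code from the original article: it builds a throwaway folder tree under $env:TEMP (the paths and sample file are constructed for the demo), lists the access control entries on a file inside it, adds one entry on the parent for a group (BUILTIN\Users stands in for whatever role group you would really use), and shows that the file picks the entry up as an inherited ACE without being touched. It needs Windows PowerShell 5.1 or PowerShell 7 on Windows and the right to write to your TEMP folder.

```powershell
# Added example (not from the original article): build a throwaway folder tree under
# $env:TEMP, then read the ACLs of a file inside it to show which entries are inherited.
# The paths and the sample file are constructed for the demo; BUILTIN\Users stands in
# for whatever role group you would really assign.

$root  = Join-Path $env:TEMP ("acl-demo-" + [guid]::NewGuid().ToString('N'))
$child = Join-Path $root 'reports'
$file  = Join-Path $child 'q1.txt'
New-Item -ItemType Directory -Path $child -Force | Out-Null
Set-Content -Path $file -Value 'constructed sample file'

# One row per access control entry (ACE) in the object's ACL.
function Get-AccessEntry {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Path      = $Path
            Identity  = $_.IdentityReference.Value
            Rights    = $_.FileSystemRights
            Type      = $_.AccessControlType
            Inherited = $_.IsInherited
            AppliesTo = "$($_.InheritanceFlags) / $($_.PropagationFlags)"
        }
    }
}

# Before any change, every entry on the new file came down from a parent (Inherited = True).
Get-AccessEntry $file | Format-Table -AutoSize

# Grant Read & Execute to a group (not a user) on the parent, applying to
# "this folder, subfolders and files" (ContainerInherit + ObjectInherit).
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'BUILTIN\Users',
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -LiteralPath $root
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $root -AclObject $acl

# The file was never touched, yet it now carries the new entry as an inherited ACE.
Get-AccessEntry $file | Where-Object Identity -eq 'BUILTIN\Users' | Format-Table -AutoSize

# Audit helper: explicit (non-inherited) entries below a root are the ones that break
# the "set it once on the parent" model and are worth reviewing on a real share.
function Find-ExplicitEntry {
    param([Parameter(Mandatory)][string]$RootPath)
    Get-ChildItem -LiteralPath $RootPath -Recurse -Force | ForEach-Object {
        Get-AccessEntry $_.FullName | Where-Object { -not $_.Inherited }
    }
}
Find-ExplicitEntry $root | Format-Table -AutoSize   # empty for the demo tree

Remove-Item -LiteralPath $root -Recurse -Force
```

The Inherited column is the thing to watch when reviewing a share: an entry that is True was set somewhere above and will change if the parent changes, while Find-ExplicitEntry surfaces the places where someone set permissions directly on a child and broke the single point of control.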

File and Folder Permissions Allowed on an NTFS Volume

Permission            Description
Full Control          The user has unrestricted access to the file or folder.
Modify                The user can change the file or folder’s contents, delete the file or
                      folder, read the file or folder, or change the attributes of the file
                      or folder. For a folder, this permission allows you to create new files
                      or subfolders within the
Read & Execute        For a file, this permission grants the right to read or execute the
                      file. For a folder, this permission grants the right to list the
                      contents of the folder or to read or execute any of the files in the
                      folder.
List Folder Contents  This permission applies only to folders; it grants the right to list
                      the contents of the folder.
Write                 Grants the right to change the contents of a file or its attributes.
                      For a folder, grants the right to create new files and subfolders
                      within the folder.
Read                  Grants the right to read the contents of a file or folder.
  • Actually, the six file and folder permissions comprise various combinations of special permissions that grant more detailed access to files or folders. The following table lists the special permissions that apply to each of the six file and folder permissions.

  • It’s best to assign permissions to groups rather than to individual users. Then, if a particular user needs access to a particular resource, add that user to a group that has permission to use the resource.

Special Permissions

Special Permission            Full Control  Modify  Read & Execute  List Folder Contents  Read  Write
Traverse Folder/Execute File       *          *           *                  *
List Folder/Read Data              *          *           *                  *             *
Read Extended Attributes           *          *           *                  *             *
Create Files/Write Data            *          *                                                   *
Create Folders/Append Data         *          *                                                   *
Write Attributes                   *          *                                                   *
Write Extended Attributes          *          *                                                   *
Delete Subfolders and Files        *
Delete                             *          *
Read Permissions                   *          *           *                  *             *      *
Change Permissions                 *
Take Ownership                     *
Synchronize                        *          *           *                  *             *      *
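The table above is not an arbitrary lookup: each basic permission is a bit mask, and the special permissions are the individual bits. The following script is an added example, not code from the original article. It rebuilds the table from the .NET FileSystemRights constants with bitwise tests, and turns any raw access mask (the kind Get-Acl shows as a bare number for unusual entries) back into special-permission names. It touches no files and runs on Windows PowerShell 5.1 or PowerShell 7. Two assumptions are noted in comments: the Read Attributes row, which the table above omits but which is part of the same masks, and the fact that .NET has no separate constant for List Folder Contents.

```powershell
# Added example (not from the original article): the six basic permissions are bit
# masks over the special permissions. This decomposes the .NET FileSystemRights
# constants to rebuild the table above, and converts a raw mask into names.

$FSR = [System.Security.AccessControl.FileSystemRights]

# Special permissions keyed by the names used in the table above. Some share a bit:
# ReadData is also ListDirectory, ExecuteFile is also Traverse, AppendData is also
# CreateDirectories. Read Attributes is not in the table above but is part of the same masks.
$special = [ordered]@{
    'Traverse Folder/Execute File' = $FSR::ExecuteFile
    'List Folder/Read Data'        = $FSR::ReadData
    'Read Attributes'              = $FSR::ReadAttributes
    'Read Extended Attributes'     = $FSR::ReadExtendedAttributes
    'Create Files/Write Data'      = $FSR::CreateFiles
    'Create Folders/Append Data'   = $FSR::AppendData
    'Write Attributes'             = $FSR::WriteAttributes
    'Write Extended Attributes'    = $FSR::WriteExtendedAttributes
    'Delete Subfolders and Files'  = $FSR::DeleteSubdirectoriesAndFiles
    'Delete'                       = $FSR::Delete
    'Read Permissions'             = $FSR::ReadPermissions
    'Change Permissions'           = $FSR::ChangePermissions
    'Take Ownership'               = $FSR::TakeOwnership
    'Synchronize'                  = $FSR::Synchronize
}

# The basic permissions. .NET has no separate List Folder Contents constant: in the
# security dialog it is Read & Execute with inheritance limited to subfolders, so the
# mask is the same and only the inheritance flags differ.
$basic = [ordered]@{
    'Full Control'         = $FSR::FullControl
    'Modify'               = $FSR::Modify
    'Read & Execute'       = $FSR::ReadAndExecute
    'List Folder Contents' = $FSR::ReadAndExecute
    'Read'                 = $FSR::Read
    'Write'                = $FSR::Write
}

# Does mask $Mask contain every bit of $Bits?
function Test-RightsContain {
    param([int]$Mask, [int]$Bits)
    return (($Mask -band $Bits) -eq $Bits)
}

# One row per special permission, a '*' under each basic permission whose mask contains it.
# The only difference from the table above is the Synchronize row: the .NET constants
# for Modify, Read & Execute, Read and Write omit that bit, and Windows adds it to the
# ACE when an Allow entry is written, which is why the table shows it in every column.
function Get-SpecialPermissionMatrix {
    foreach ($name in $special.Keys) {
        $row = [ordered]@{ 'Special Permission' = $name }
        foreach ($b in $basic.Keys) {
            $row[$b] = if (Test-RightsContain ([int]$basic[$b]) ([int]$special[$name])) { '*' } else { '' }
        }
        [pscustomobject]$row
    }
}
Get-SpecialPermissionMatrix | Format-Table -AutoSize

# Expand any access mask into special-permission names, e.g. one read from an ACE with
#   [int](Get-Acl <path>).Access[0].FileSystemRights
function ConvertTo-SpecialPermissionList {
    param([Parameter(Mandatory)][int]$Mask)
    $names = @(foreach ($name in $special.Keys) {
        if (Test-RightsContain $Mask ([int]$special[$name])) { $name }
    })
    $known = 0
    foreach ($v in $special.Values) { $known = $known -bor [int]$v }
    $leftover = $Mask -band (-bnot $known)
    if ($leftover -ne 0) {
        # Generic rights (GENERIC_READ and friends) live in the high bits and must be
        # mapped to specific rights before they can be compared with this table.
        $names += ('Unmapped bits: 0x{0:X8}' -f $leftover)
    }
    return $names
}

ConvertTo-SpecialPermissionList -Mask ([int]$FSR::Modify)
```

ConvertTo-SpecialPermissionList is the practical piece: when an audit turns up an entry whose FileSystemRights prints as a number rather than a name, feeding that number in tells you exactly which special permissions it grants, and the Unmapped bits line flags generic rights that a plain comparison against the table would silently miss.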