Data Network Resource
       Earn on the Web

19. NTFS Permissions

These protect local files and folders as well as remotely protect them and are often called local permissions. NTFS permissions consist of the following:

  • Read (R)
  • Write (W) - Change attributes.
  • Execute (X) - Run a file if it is an executable.
  • Delete (D)
  • Change Permission (P)
  • Take Ownership (O)

The person who creates a file or folder becomes the owner.

Standard permissions are made up of a combination of the individual permissions and they are listed as follows:

  • No Access (no individual permissions)
  • Read (RX)
  • List (RX) - folders only
  • Add (WX) - folders only
  • Add and Read (RWX) - folders only
  • Change (RWXD)
  • Full Control (All permissions)

File permissions take precedence over the permissions assigned to the folder that the file resides in. Even if the user has 'No Access' to a folder. Typing the complete UNC or local path to the file will allow access.

You can combine shared folder permissions with NTFS permissions for greater security. For example, if the group Everyone has full control over files on a particular NTFS volume but only read permission to the folder, then the group Everyone has only read access to the file. The most restrictive permission is the effective one.


  • Remove Full Control Permission from the Everyone Group.
  • Assign Full control permission to the Administrators group.
  • Assign Creator Owner Full Control to Data Folders.
  • Encourage users to assign NTFS permissions to their files.
  • Centralise home folders.

On NTFS volumes the %Username% variable automatically assigns Full Control permission to home folders.

Assigning NTFS permissions is achieved by right-clicking on the folder or file, clicking Properties, selecting the Security tab and clicking Permissions. You have the option to change permissions on all subdirectories or just the files within the folder only. he Name box displays the groups and users together with both their folder permissions and their file permissions within the folder. The Type of Access box allows you to change the permissions for the group or user selected.

If you wish to create Special Access Permissions then you select Special Directory Access or Special File Access in the Type of Access box. Here you can select the individual permissions.

By default the Administrators group can take ownership of a file. An owner cannot assign ownership to someone else they can only give permission for someone else to take ownership.

In order for a user to copy files between NTFS volumes, they must have Add permission for the destination folder. In order to move a file, the user must not only have Add permission for the destination folder but also Delete permission for the current folder.

Files copied either within an NTFS volume or between NTFS volumes, inherits the permissions of the destination folder. Files moved within an NTFS volume retain their permissions, but if they are moved between NTFS volumes they inherit the permissions of the destination folder.

Recommendations for permission usage:

  • Assign NTFS permissions before sharing the resource.
  • Make executable files read only for all users.
  • Use the %Username% variable for all home folders.
  • Assign the Creator Owner Full control to data folders.
  • Use long names only if the resource is accessed locally.

Valid HTML 4.01 Transitional

Earn on the Web    

All rights reserved. All trademarks, logos, and copyrights are property of their respective owners.