NTFS Filesystem Permissions Primer
NTFS permissions offer a great deal of control when it comes to resources on your systems. When it comes to the old NTFS (from Windows NT) and the current NTFS (from Windows 2000, Windows Server 2003, and Windows XP), there are a lot of similarities and a few differences.
Most seasoned administrators are familiar with the fact that New Technology File System (NTFS) permissions are available on every file, folder, registry key, printer, and Active Directory object. First introduced with Windows NT to replace the File Allocation Table (FAT) file system, NTFS has gone through several changes over the years. Windows 2000, Windows Server 2003, and Windows XP use the current incarnation, NTFS v5.
When it comes to the old NTFS (from Windows NT) and the current NTFS, there are a lot of similarities and a few differences. Let's take a closer look.
You can set NTFS permissions to Allow or Deny. Here's a look at the standard permissions in the old NTFS:
• Full Control: Users can modify, add, move, and delete files, as well as their associated properties and directories. In addition, users can change permissions settings for all files and subdirectories.
Microsoft later advanced these permissions to include the following:
• Traverse Folder/Execute File: Users can navigate through folders to reach other files or folders, even if they have no permissions for the traversed files or folders. The Traverse Folder permission takes effect only when the group or user doesn't have the Bypass Traverse Checking user right in the Group Policy snap-in. (By default, the Everyone group has the Bypass Traverse Checking user right.)
The big difference between the old NTFS and the new NTFS is the establishment of Inherited and Explicit permission precedence. While you might assume that the Deny permission takes precedence over any other permission, that isn't always the case.
Here's the hierarchy for permissions:
• Explicit Deny
As a user accesses each file, folder, registry key, printer, and Active Directory object, the system checks the permissions from top to bottom. When it meets one of these four conditions, it either grants or denies access. This allows you to set permission inheritance for an object and maintain fine control for exceptions to your general permissions policy.
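The top-to-bottom check described above, modeled as an added example (not code from the original article). It assumes the four tiers are, in order, explicit deny, explicit allow, inherited deny, and inherited allow, which is the standard Windows ordering; the `Ace` class, the simplified rights bits, and the sample ACL are constructed for illustration.

```python
from dataclasses import dataclass

# Simplified rights bits, constructed for this example (not real Windows access-mask values)
READ, WRITE = 1, 2

@dataclass(frozen=True)
class Ace:
    trustee: str      # user or group the entry applies to
    allow: bool       # True = Allow entry, False = Deny entry
    inherited: bool   # True = entry was inherited from a parent object
    rights: int       # bitmask of rights this entry covers

def precedence(ace):
    """Sort key: explicit deny, explicit allow, inherited deny, inherited allow."""
    return (ace.inherited, ace.allow)

def check_access(acl, identities, requested):
    """Walk the entries top to bottom; return (granted, deciding_entry)."""
    remaining = requested
    for ace in sorted(acl, key=precedence):
        if ace.trustee not in identities:
            continue                       # entry is for someone else
        if not ace.allow:
            if ace.rights & remaining:
                return False, ace          # a right still needed is denied here
        else:
            remaining &= ~ace.rights       # these rights are now granted
            if remaining == 0:
                return True, ace           # everything requested has been granted
    return False, None                     # no entry granted it: implicit deny

# Constructed sample: the parent folder denies Contractors, the file itself allows alice
ACL = [
    Ace("Users", True, True, READ),                  # inherited allow
    Ace("Contractors", False, True, READ | WRITE),   # inherited deny
    Ace("alice", True, False, READ),                 # explicit allow
    Ace("Interns", False, False, WRITE),             # explicit deny
]

if __name__ == "__main__":
    alice = {"alice", "Contractors", "Users"}
    for name, want in (("READ", READ), ("WRITE", WRITE)):
        granted, ace = check_access(ACL, alice, want)
        print(f"alice {name}: {'granted' if granted else 'denied'} by {ace}")
```

For alice, the explicit Allow on the file is reached before the inherited Deny from the folder, so her read succeeds while her write is still denied.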
NTFS permissions offer a great deal of control when it comes to resources on your systems. If you're having trouble with users not being able to access required data or objects in your Active Directory structure, look at the hierarchy for those permissions, and you'll find the problem.