The table below outlines the standard permissions that exist in an Access Control List (ACL) for files and folders in Windows 2000. Note that all Standard Permissions are comprised of more granular Advanced Permissions which can be viewed by clicking the Advanced button on the Security tab of a the file or folder’s properties.
Standard File Permissions:
Read and Execute
Standard Folder Permissions
Read and Execute
List Folder Contents
There are a couple of important notes that you should remember about NTFS permissions:
- By default, NTFS drives on Windows 2000 are set to allow Everyone the Full Control permission at the drive root. Some folders, such as the %systemroot% directory, have more restrictive permissions applied.
- By default, permissions in Windows 2000 are inherited. You can tell permissions have been inherited when the permission boxes are grayed out. This means permissions have been set at a higher level.
- If you wish to change permissions that have been inherited, you have to first clear the ‘Allow inheritable permissions from parent to propagate to this object’ check box. Doing so will ask you whether you wish to remove all existing permissions, or copy the existing permission (the latter takes inherited permission and simply applies them directly to the file or folder).
- When you add a new user or group to a file, they are given the ‘Read’ and ‘Read and Execute’ permissions by default (same for a folder, but includes ‘List Folder Contents’ as well).
- You can set file and folder permissions from the command line, using the Cacls.exe tool.
File permissions always override folder permissions.