8-3 Lesson 1 Introduction to NTFS Permissions
You can deny permission to a user account or group. To deny all access to a user
account or group for a folder, deny the Full Control permission.
Standard NTFS File Permissions
You assign file permissions to control the access that users have to files. Table 8-2 lists
the standard NTFS file permissions that you can assign and the type of access that each
provides.
Table 8-2 NTFS File Permissions

This NTFS File Permission   Allows the User to
Read                        Read the file and view file attributes, ownership, and permissions
Write                       Overwrite the file, change file attributes, and view file ownership and permissions
Read & Execute              Run applications, plus perform the actions permitted by the Read permission
Modify                      Modify and delete the file, plus perform the actions permitted by the Write permission and the Read & Execute permission
Full Control                Change permissions and take ownership, plus perform the actions permitted by all other NTFS file permissions
How Windows XP Professional Uses Access Control Lists
NTFS stores an access control list (ACL) with every file and folder on an NTFS volume. The ACL contains a list of all user accounts and groups that have been assigned permissions for the file or folder, as well as the permissions that they have been assigned. When a user attempts to gain access to a resource, the ACL must contain an entry, called an access control entry (ACE), for the user account or a group to which the user belongs. The entry must allow the type of access that is requested (for example, Read access) for the user to gain access. If no ACE exists in the ACL, the user cannot access the resource.
How Effective Permissions Are Calculated When Multiple Sets of NTFS Permissions Are in Effect
It is possible for multiple sets of NTFS permissions to apply to a user for a particular
resource. For example, a user might be a member of two different groups, each of
which is assigned different permissions to access a resource. To assign permissions
effectively, you must understand the rules and priorities by which NTFS assigns and
combines multiple permissions and NTFS permissions inheritance.
What Are Effective Permissions?
A user’s effective permissions for a resource are the sum of the NTFS permissions that you assign to the individual user account and to all the groups to which the user belongs. If a user is granted Read permission for a folder and is a member of a group with Write permission for the same folder, the user has both Read and Write permissions for that folder.
Exam Tip To manually calculate effective NTFS permissions, first combine all allow permissions from all sources. Next, determine any deny permissions the user has. Deny permissions override allow permissions. The result is the user’s effective permissions for the resource.
How File Permissions Override Folder Permissions
NTFS permissions assigned to files take priority over NTFS permissions assigned to the folder that contains the file. If you have permission for a file and you also have the Bypass Traverse Checking security permission, you can access the file even if you do not have access to the folder that contains it. You do so by opening the file from its application using its full Universal Naming Convention (UNC) or local path. In other words, if you lack permission for the folder containing the file, you must have the Bypass Traverse Checking security permission and you must know the full path to the file. Without permission to access the folder, you cannot see the folder, so you cannot browse for the file.
See Also The Bypass Traverse Checking security permission is described further in Lesson 2, “Assigning NTFS Permissions and Special Permissions.”
How Deny Permissions Override Allow Permissions
In addition to granting a permission, you can also specifically deny a permission (although this is not the recommended method of controlling access to resources). Denying a permission overrides all instances in which that permission is allowed. Even if a user has permission to access a file or folder as a member of a group, denying permission to the user blocks any other permissions the user might have (see Figure 8-1).

In Figure 8-1, User1 has Read permission for FolderA and is a member of Group A and Group B. Group B has Write permission for FolderA. Group A has been denied Write permission for File2.
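To make the ACL, effective-permission and deny rules above concrete, here is a small Python model of the evaluation the lesson describes. It is an added illustration, not code from the training kit or from Windows itself: it expands each standard file permission into the permissions Table 8-2 says it includes, sums the Allow entries that name the user or any of the user’s groups, then removes everything covered by a Deny entry (the order given in the Exam Tip), and treats an ACL with no matching ACE as no access. The Figure 8-1 scenario is encoded as constructed sample data; the assumption that File2 carries FolderA’s entries in addition to its own Deny entry is mine, because the page only states that Group A is denied Write on File2.

```python
from dataclasses import dataclass

# Standard NTFS file permissions (Table 8-2) and the permissions each one
# includes: Read & Execute includes Read; Modify includes Write and
# Read & Execute; Full Control includes everything.
INCLUDES = {
    "Read": set(),
    "Write": set(),
    "Read & Execute": {"Read"},
    "Modify": {"Write", "Read & Execute"},
    "Full Control": {"Read", "Write", "Read & Execute", "Modify"},
}


def expand(permission):
    """Return the permission together with everything it includes."""
    result = {permission}
    for included in INCLUDES[permission]:
        result |= expand(included)
    return result


@dataclass(frozen=True)
class ACE:
    """One access control entry: who, Allow or Deny, which standard permission."""
    principal: str   # user account or group name
    allow: bool      # True for an Allow entry, False for a Deny entry
    permission: str  # one of the standard permissions in Table 8-2


def effective_permissions(acl, user, groups):
    """Apply the lesson's rules to an ACL for one user.

    1. Only ACEs naming the user or one of the user's groups count; if there
       are none, the user has no access at all.
    2. Sum every Allow entry (expanded to the permissions it includes).
    3. Remove everything covered by any Deny entry; Deny always wins.
    4. A permission survives only if every permission it includes survives,
       so a denied Write also removes Modify and Full Control.
    """
    principals = {user, *groups}
    applicable = [ace for ace in acl if ace.principal in principals]
    if not applicable:
        return set()
    allowed, denied = set(), set()
    for ace in applicable:
        if ace.allow:
            allowed |= expand(ace.permission)
        else:
            denied |= expand(ace.permission)
    remaining = allowed - denied
    return {p for p in remaining if expand(p) <= remaining}


def has_access(acl, user, groups, requested):
    """True if the requested standard permission is among the effective ones."""
    return requested in effective_permissions(acl, user, groups)


# Constructed sample data modelling Figure 8-1: User1 has Read on FolderA,
# Group B has Write on FolderA, Group A is denied Write on File2.
USER1_GROUPS = {"Group A", "Group B"}
FOLDER_A_ACL = [
    ACE("User1", True, "Read"),
    ACE("Group B", True, "Write"),
]
# Assumption (not stated on the page): File2 carries FolderA's entries
# as well as its own Deny entry.
FILE2_ACL = FOLDER_A_ACL + [ACE("Group A", False, "Write")]


if __name__ == "__main__":
    print("User1 on FolderA:", sorted(effective_permissions(FOLDER_A_ACL, "User1", USER1_GROUPS)))
    print("User1 on File2:  ", sorted(effective_permissions(FILE2_ACL, "User1", USER1_GROUPS)))
    print("User2 on FolderA:", effective_permissions(FOLDER_A_ACL, "User2", set()))
    lockout = FOLDER_A_ACL + [ACE("User1", False, "Full Control")]
    print("Deny Full Control:", effective_permissions(lockout, "User1", USER1_GROUPS))
```

Running it shows User1 holding Read and Write on FolderA but only Read on File2, because the Deny Write from Group A wins over the Allow Write from Group B. Denying Full Control removes every permission, which is why the lesson recommends it when you want to block all access, and a user with no matching ACE gets nothing at all.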