Permissions for files and folders. Setting folder access rights in Windows. Auditing Active Directory directory objects

This article continues the previous one. As stated there, after selecting users and/or groups you must specify their access parameters, which is done with the NTFS file system permissions described in the following lists.

File permissions

  • Read. Allows you to read the file and view its settings, such as the owner, permissions, and additional properties.
  • Write. Allows you to overwrite the file, change its settings, and view its owner name and permissions.
  • Read & Execute. Read permission plus the right to run an executable application.
  • Modify. Allows you to modify and delete the file, plus everything granted by the Read & Execute and Write permissions.
  • Full Control. Full access to the file: all actions covered by the permissions listed above are allowed, and you may also take ownership of the file and change its permissions.

Folder permissions

  • Read. Allows you to view subfolders and files and their properties such as owner name and permissions, and to read attributes such as Read Only, Hidden, Archive, and System.
  • Write. Allows you to create new files and subfolders within the folder, change folder settings, and view its properties, such as owner name and access permissions.
  • List Folder Contents. Allows you to view the names of the files and subfolders contained in the folder.
  • Read & Execute. Allows access to files in subfolders even if you cannot access the folder itself, and additionally everything granted by the Read and List Folder Contents permissions.
  • Modify. Everything granted by the Read and Read & Execute permissions, plus deleting the folder.
  • Full Control. Full access to the folder: all actions covered by the permissions listed above are allowed, and you may also take ownership of the folder and change its permissions.
  • Special permissions. A set of additional permissions that differ from the standard ones.

The creator of a file is always its owner and has Full Control, even if the owner's account is not listed on the file's Security tab. In addition to the file permissions listed above, two more types of permission can be chosen.

  • Take Ownership. Allows the user to become the owner of the file. By default this permission is assigned to the Administrators group.
  • Change Permissions. Allows the user to change the list of users and groups that have access to the file, as well as the types of access they have.

Information taken from the thirteenth chapter of the book "Windows 2000. Administrator's Guide." By William R. Stanek.

On volumes with the NTFS file system, you can set security permissions for files and folders. These permissions grant or deny access to files and folders. To view the current security permissions, do the following:

Understanding File and Folder Permissions

Table 13-3 shows the basic permissions that apply to files and folders.
The basic file permissions are Full Control, Modify, Read & Execute, Read, and Write.
The following basic permissions apply to folders: Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write.

When setting permissions for files and folders, always keep the following in mind:

  • To run scripts, Read permission is enough; the special Execute File permission is not required.
  • Read permission is required to access a shortcut and the object it points to.
  • Write permission on a file (special permission Write Data) without Delete permission (special permission Delete) still allows the user to delete the file's contents.
  • A user with the basic Full Control permission on a folder can delete any file in that folder, regardless of the permissions on the files themselves.

Table 13-3 - Basic permissions for files and folders in Windows 2000

Basic permission | Meaning for folders | Meaning for files
Read | Allows browsing of folders and viewing a list of files and subfolders | Allows viewing and access to file contents
Write | Allows adding files and subfolders | Allows writing data to a file
Read & Execute | Allows browsing of folders and viewing a list of files and subfolders; inherited by files and folders | Allows viewing and accessing the contents of a file, as well as running executable files
List Folder Contents | Allows browsing of folders and viewing a list of files and subfolders; inherited only by folders | Not applicable
Modify | Allows viewing of content and creation of files and subfolders; allows folder deletion | Allows reading and writing data to a file; allows file deletion
Full Control | Allows viewing of content, as well as the creation, modification and deletion of files and subfolders | Allows reading and writing data, as well as modifying and deleting a file

Basic permissions are built by combining special permissions into logical groups, as shown in Table 13-4 (for files) and Table 13-5 (for folders). Special permissions can be assigned individually through the advanced settings. When learning about special file permissions, consider the following:

  • If access rights are not explicitly defined for a group or user, that group or user is denied access to the file.
  • A user's effective permissions are computed from all permissions assigned to the user and to every group the user is a member of. For example, if the user GeorgeJ has Read access and is also a member of the Techies group, which has Modify access, then GeorgeJ ends up with Modify access. If the Techies group is in turn a member of the Administrators group, which has Full Control, then GeorgeJ has Full Control over the file.

Table 13-4 – Special file permissions

Special permission | Full Control | Modify | Read & Execute | Read | Write
Execute File | X | X | X | |
Read Data | X | X | X | X |
Read Attributes | X | X | X | X |
Read Extended Attributes | X | X | X | X |
Write Data | X | X | | | X
Append Data | X | X | | | X
Write Attributes | X | X | | | X
Write Extended Attributes | X | X | | | X
Delete | X | X | | |
Read Permissions | X | X | X | X | X
Change Permissions | X | | | |
Take Ownership | X | | | |
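The composition shown in Tables 13-4 and 13-5 is also encoded in the .NET FileSystemRights enumeration that PowerShell exposes, so it can be checked programmatically. The following script is an added example, not code from the book or from this article; it assumes PowerShell 5.1 or later and rebuilds the table from the enumeration, then decomposes an arbitrary rights mask (such as one read from an ACE) into the named special rights.

```powershell
# Added example: basic NTFS permissions are bit masks composed of the special
# permissions. Assumes PowerShell 5.1+ (for "using namespace" and [ordered]).
using namespace System.Security.AccessControl

# Special rights in the order of Table 13-5 (Synchronize is not in the book's table
# but is part of every basic permission in .NET, so it is listed too).
$specialRights = [ordered]@{
    'Traverse Folder / Execute File' = [FileSystemRights]::ExecuteFile
    'List Folder / Read Data'        = [FileSystemRights]::ReadData
    'Read Attributes'                = [FileSystemRights]::ReadAttributes
    'Read Extended Attributes'       = [FileSystemRights]::ReadExtendedAttributes
    'Create Files / Write Data'      = [FileSystemRights]::WriteData
    'Create Folders / Append Data'   = [FileSystemRights]::AppendData
    'Write Attributes'               = [FileSystemRights]::WriteAttributes
    'Write Extended Attributes'      = [FileSystemRights]::WriteExtendedAttributes
    'Delete Subfolders and Files'    = [FileSystemRights]::DeleteSubdirectoriesAndFiles
    'Delete'                         = [FileSystemRights]::Delete
    'Read Permissions'               = [FileSystemRights]::ReadPermissions
    'Change Permissions'             = [FileSystemRights]::ChangePermissions
    'Take Ownership'                 = [FileSystemRights]::TakeOwnership
    'Synchronize'                    = [FileSystemRights]::Synchronize
}

# Basic permissions; List Folder Contents uses the same mask as Read & Execute
# and differs only in being inherited by folders alone.
$basicRights = [ordered]@{
    'Full Control'         = [FileSystemRights]::FullControl
    'Modify'               = [FileSystemRights]::Modify
    'Read & Execute'       = [FileSystemRights]::ReadAndExecute
    'List Folder Contents' = [FileSystemRights]::ReadAndExecute
    'Read'                 = [FileSystemRights]::Read
    'Write'                = [FileSystemRights]::Write
}

function Test-HasRight {
    param([FileSystemRights]$Mask, [FileSystemRights]$Right)
    # A special right is contained in a mask when every bit of the right is set.
    return $Mask.HasFlag($Right)
}

# Print the matrix in the shape of Table 13-5: one row per special right,
# one column per basic permission, X where the basic permission contains it.
function Show-PermissionMatrix {
    $header = 'Special permission'.PadRight(34)
    foreach ($name in $basicRights.Keys) { $header += $name.PadRight(22) }
    $header
    foreach ($special in $specialRights.GetEnumerator()) {
        $row = $special.Key.PadRight(34)
        foreach ($basic in $basicRights.GetEnumerator()) {
            $mark = if (Test-HasRight -Mask $basic.Value -Right $special.Value) { 'X' } else { '' }
            $row += $mark.PadRight(22)
        }
        $row
    }
}

# Decompose any rights mask (e.g. the FileSystemRights of an ACE from Get-Acl)
# into the names of the special rights it contains.
function Get-SpecialRightNames {
    param([FileSystemRights]$Mask)
    $specialRights.GetEnumerator() |
        Where-Object { Test-HasRight -Mask $Mask -Right $_.Value } |
        ForEach-Object { $_.Key }
}

Show-PermissionMatrix
# A constructed mask that is not a basic permission: Read & Execute plus Delete.
Get-SpecialRightNames -Mask ([FileSystemRights]::ReadAndExecute -bor [FileSystemRights]::Delete)
```

Running it prints the same X pattern as Tables 13-4 and 13-5 (with an extra Synchronize row) and then lists the six special rights that make up the constructed mask, which is how a mask shown as a plain number in Get-Acl output can be read back into the table's vocabulary.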

Table 13-5 shows the special permissions used to build the basic folder permissions. When learning about special folder permissions, consider the following:

  • When you set permissions for a parent folder, you can make the permission entries of its files and subfolders match those of the parent. To do this, select the Reset Permissions On All Child Objects And Enable Propagation Of Inheritable Permissions check box.
  • Newly created files inherit some permissions from the parent object. These permissions are shown as the default file permissions.

Table 13-5 - Special permissions for folders

Special permission | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write
Traverse Folder | X | X | X | X | |
List Folder Contents | X | X | X | X | X |
Read Attributes | X | X | X | X | X |
Read Extended Attributes | X | X | X | X | X |
Create Files | X | X | | | | X
Create Folders | X | X | | | | X
Write Attributes | X | X | | | | X
Write Extended Attributes | X | X | | | | X
Delete Subfolders and Files | X | | | | |
Delete | X | X | | | |
Read Permissions | X | X | X | X | X | X
Change Permissions | X | | | | |
Take Ownership | X | | | | |

Setting permissions for files and folders

To set permissions for files and folders, do the following:

1. Right-click the file or folder.
2. In the context menu, select Properties, and in the dialog box go to the Security tab, shown in Figure 13-12.


Figure 13-12 – Setting basic permissions for files or folders on the Security tab

3. The Name list shows the users or groups that have access to the file or folder. To change permissions for these users or groups, do the following:

Select the user or group whose permissions you want to change.

Use the Permissions: list to grant or revoke permissions.

Tip. The check boxes of inherited permissions are greyed out. To override an inherited permission, set it to its opposite.

4. To set permissions for users, contacts, computers, or groups that are not listed under Name, click Add. The dialog box shown in Figure 13-13 appears.


Figure 13-13 – Select the users, computers and groups for which you want to allow or deny access.

5. Use the Select Users, Computers, Or Groups dialog box to select the users, computers, or groups for which you want to set access permissions. The dialog box contains the following fields:

Look In. This drop-down list lets you view the accounts available in other domains; it includes the current domain, trusted domains, and other available resources. To see all accounts in the directory, select Entire Directory.

Name. This column shows the existing accounts in the selected domain or resource.

Add. This button adds the highlighted names to the list of selected names.

Check Names. This button verifies the user, computer, or group names in the list of selected names. It is useful when names have been typed in manually and you want to make sure they are correct.

6. In the Name list, highlight the user, contact, computer, or group to configure, then select or clear the check boxes in the Permissions: list to set its access rights. Repeat for the other users, computers, or groups.
7. When finished, click OK.
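The same Security tab can be read and changed from PowerShell with Get-Acl and Set-Acl. The script below is an added example, not code from the book or from this article; it assumes PowerShell 5.1 or later, an NTFS volume, and that the folder C:\Shared and the local group "Colleagues" exist (both are placeholders). The first function lists the entries the tab shows, including whether each is inherited (the greyed-out check boxes); the second adds a basic permission for a principal.

```powershell
# Added example: view and set basic NTFS permissions from PowerShell.
# Assumptions: PowerShell 5.1+, NTFS volume, placeholder folder C:\Shared and
# placeholder local group "Colleagues".

function Get-NtfsAccessEntries {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.Access | ForEach-Object {
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Type      = $_.AccessControlType            # Allow or Deny
            Rights    = $_.FileSystemRights             # basic permission or special-rights mask
            Inherited = $_.IsInherited                  # $true = greyed out on the Security tab
            AppliesTo = "$($_.InheritanceFlags) / $($_.PropagationFlags)"
        }
    }
}

function Grant-NtfsBasicPermission {
    param(
        [string]$Path,
        [string]$Principal,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadAndExecute',
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    $acl = Get-Acl -Path $Path
    # The tab's default for a folder: applies to this folder, subfolders and files.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Principal,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        $Type)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Step 4-7 of the procedure above, then re-read the tab.
Grant-NtfsBasicPermission -Path 'C:\Shared' -Principal "$env:COMPUTERNAME\Colleagues"
Get-NtfsAccessEntries -Path 'C:\Shared' | Format-Table -AutoSize
```

Granting ReadAndExecute with both inheritance flags is what the tab does when you tick Read & Execute: the same mask also satisfies List Folder Contents and Read, which is why those boxes are ticked automatically.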

System resource audit

Auditing is the best way to track events on Windows 2000 systems. It can be used to collect information about how a resource is used. Examples of auditable events are file access, system logon, and system configuration changes. After auditing is enabled on an object, entries are written to the system security log whenever an attempt is made to access that object. The security log can be viewed in the Event Viewer snap-in.

Note. To change most audit settings, you must be logged on as Administrator or a member of the Administrators group, or hold the Manage Auditing And Security Log user right in Group Policy.

Setting Audit Policies

Applying audit policies significantly improves the security and integrity of systems. Almost every computer system on a network should have security logging configured. Audit policies are set in the Group Policy snap-in, which lets you define them for an entire site, domain, or organizational unit; policies can also be set for individual workstations or servers.

After selecting the required Group Policy container, configure audit policies as follows:

1. As shown in Figure 13-14, locate the node by walking down the console tree: Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy.


Figure 13-14 – Setting up an audit policy using the Audit Policy node in Group Policy(Group Policy).

2. The following audit categories are available:

  • Audit Account Logon Events tracks events related to user logon and logoff.
  • Audit Account Management tracks all account management events in the administrative snap-ins. Audit entries appear when user, computer, or group accounts are created, modified, or deleted.
  • Audit Directory Service Access tracks Active Directory access events. Audit records are created each time users or computers access the directory.
  • Audit Logon Events tracks logon/logoff events and dropped network connections.
  • Audit Object Access tracks the use of system resources by files, directories, shared resources, and Active Directory objects.
  • Audit Policy Change tracks changes to user rights assignment policies, audit policies, or trust policies.
  • Audit Privilege Use tracks every attempt by a user to exercise a right or privilege granted to him or her, for example the right to back up files and directories.

Note. The Audit Privilege Use policy does not track events related to system access, such as use of the right to log on interactively or to access a computer from the network. Those events are tracked by the Audit Logon Events policy.

  • Audit Process Tracking tracks system processes and the resources they use.
  • Audit System Events tracks events when the computer is started, rebooted, or shut down, as well as events that affect system security or are recorded in the security log.

3. To configure an audit policy, double-click the desired policy or select Properties from its context menu. The Local Security Policy Setting (Properties) dialog box opens.
4. Select the Define These Policy Settings check box, then select or clear the Success and Failure check boxes. Success auditing writes an audit record for each successful event (for example, a successful logon attempt). Failure auditing writes an audit record for each failed event (for example, a failed logon attempt).
5. When finished, click OK.

Auditing file and folder operations

If the Audit Object Access policy is enabled, you can configure auditing at the level of individual folders and files, which lets you track their use precisely. This feature is available only on volumes with the NTFS file system.

To set up file and folder auditing, do the following:

1. In Windows Explorer, select the file or folder for which you want to set up auditing. In the context menu, select Properties.
2. Go to the Security tab and click the Advanced button.
3. In the dialog box that opens, go to the Auditing tab, shown in Figure 13-15.


Figure 13-15 – Setting up audit policies for separate files or folders on the Auditing tab.

4. For audit settings to be inherited from the parent object, the Allow Inheritable Auditing Entries From Parent To Propagate To This Object check box must be selected.
5. To make child objects inherit the audit settings of the current object, select the Reset Auditing Entries On All Child Objects And Enable Propagation Of Inheritable Auditing Entries check box.
6. Use the Auditing Entries list to select the users, computers, or groups whose activity will be monitored. To remove an account from this list, select it and click Remove.
7. To add an account, click Add; a dialog box appears in which you select the account to add. When you click OK, the Auditing Entry For Folder or file name dialog box appears, shown in Figure 13-16.

Note. If you want to track the actions of all users, use the special group Everyone. Otherwise, select individual users or groups in any combination for auditing.


Figure 13-16 – The Auditing Entry For Folder or file name (Auditing Entry For New Folder) dialog box, used to set auditing entries for a user, contact, computer, or group.

8. If you need to specify which objects the audit settings apply to, use the Apply Onto drop-down list.
9. Select the Successful and/or Failed check boxes for the required audit events. Success auditing writes an audit record for a successful event (for example, a successful file read). Failure auditing writes an audit record for a failed event (for example, a failed attempt to delete a file). The auditable events are the same as the special permissions (Tables 13-4 and 13-5), except for offline file and folder synchronization, which cannot be audited.
10. When finished, click OK. Repeat these steps to configure auditing for other users, groups, or computers.
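The Auditing tab writes a SACL entry on the object, and that entry can be added and inspected from PowerShell. The script below is an added example, not code from the book or from this article. It assumes PowerShell 5.1 or later on a current Windows version (auditpol.exe, used at the end to confirm that object-access auditing is actually turned on, exists from Windows Vista onward, not on Windows 2000), an NTFS folder C:\Shared\Reports (placeholder), and an elevated session holding the Manage Auditing And Security Log right, since the SACL cannot be read or written without it.

```powershell
# Added example: configure and read file/folder auditing entries (the SACL).
# Assumptions: PowerShell 5.1+, Windows Vista or later for auditpol.exe,
# placeholder folder C:\Shared\Reports, elevated session with the
# Manage Auditing And Security Log right.
using namespace System.Security.AccessControl

function Add-NtfsAuditEntry {
    param(
        [string]$Path,
        [string]$Principal = 'Everyone',   # the book's advice for tracking all users
        [FileSystemRights]$Rights = 'Delete, DeleteSubdirectoriesAndFiles, WriteData, ChangePermissions, TakeOwnership',
        [AuditFlags]$Flags = 'Success, Failure'   # the Successful / Failed check boxes
    )
    # -Audit is required: without it Get-Acl returns only the DACL and Set-Acl leaves the SACL untouched.
    $acl = Get-Acl -Path $Path -Audit
    # Apply onto: this folder, subfolders and files.
    $rule = [FileSystemAuditRule]::new(
        $Principal,
        $Rights,
        [InheritanceFlags]'ContainerInherit, ObjectInherit',
        [PropagationFlags]::None,
        $Flags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-NtfsAuditEntries {
    param([string]$Path)
    (Get-Acl -Path $Path -Audit).Audit | ForEach-Object {
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Rights    = $_.FileSystemRights
            Flags     = $_.AuditFlags
            Inherited = $_.IsInherited
        }
    }
}

# Auditing entries produce no log records unless the Audit Object Access policy
# (on Vista and later: the "File System" subcategory) is enabled.
function Test-FileSystemAuditingEnabled {
    $lines = auditpol /get /subcategory:"File System" 2>$null
    $setting = $lines | Where-Object { $_ -match 'File System' }
    return [bool]($setting -match 'Success|Failure')
}

Add-NtfsAuditEntry -Path 'C:\Shared\Reports'
Get-NtfsAuditEntries -Path 'C:\Shared\Reports' | Format-Table -AutoSize
if (-not (Test-FileSystemAuditingEnabled)) {
    Write-Warning 'Object access auditing is not enabled in policy; the entry above will not generate events.'
}
```

The rights chosen for the default entry (delete, write, change permissions, take ownership) are the ones whose success or failure a defender usually wants in the security log; reading every file under a busy share with Success auditing fills the log quickly, so read auditing is better limited to the few files that warrant it.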

Auditing Active Directory Directory Objects

If the Audit Directory Service Access policy is enabled, you can audit Active Directory at the level of individual objects, which lets you track their use precisely.

To configure object auditing, do the following:

1. In the Active Directory Users And Computers snap-in, select the container that holds the object.
2. Right-click the object to be audited and select Properties from the context menu.
3. Go to the Security tab and click Advanced.
4. Go to the Auditing tab of the Access Control Settings dialog box. For audit settings to be inherited from the parent object, the Allow Inheritable Auditing Entries From Parent To Propagate To This Object check box must be selected.
5. Use the Auditing Entries list to select the users, computers, or groups whose activity will be monitored. To remove an account from this list, select it and click Remove.
6. To add an account, click Add. In the Select Users, Contacts, Computers, Or Groups dialog box, select the account to add. When you click OK, the Auditing Entry For New Folder dialog box appears.
7. If you need to specify which objects the audit settings apply to, use the Apply Onto drop-down list.
8. Select the Successful and/or Failed check boxes for the required audit events. Success auditing writes an audit record for each successful event (for example, a successful file read). Failure auditing writes an audit record for each failed event (for example, a failed attempt to delete a file).
9. When finished, click OK. Repeat these steps to set up auditing for other users, contacts, groups, or computers.
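The Active Directory equivalent of the file SACL can be set through the AD: drive of the ActiveDirectory PowerShell module. The script below is an added example, not code from the book or from this article; it assumes the ActiveDirectory module (RSAT) is installed, the session runs as an account permitted to write the object's SACL, and the organizational unit OU=Staff,DC=example,DC=com is a placeholder to be replaced with a real distinguished name.

```powershell
# Added example: add an auditing entry to an Active Directory object, equivalent
# to the Auditing tab in Active Directory Users And Computers.
# Assumptions: ActiveDirectory module available, rights to write the object's
# SACL, placeholder DN OU=Staff,DC=example,DC=com.
Import-Module ActiveDirectory

function Add-AdObjectAuditEntry {
    param(
        [string]$DistinguishedName,
        [string]$Principal = 'Everyone',
        # Changes to the object and its children are what is usually worth logging.
        [System.DirectoryServices.ActiveDirectoryRights]$Rights = 'WriteProperty, Delete, DeleteChild, WriteDacl, WriteOwner',
        [System.Security.AccessControl.AuditFlags]$Flags = 'Success, Failure'
    )
    $path = "AD:\$DistinguishedName"
    # -Audit is needed to read and later write the SACL rather than only the DACL.
    $acl = Get-Acl -Path $path -Audit
    $account = [System.Security.Principal.NTAccount]$Principal
    # Apply onto "This object and all child objects" = ActiveDirectorySecurityInheritance::All
    $rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        $account,
        $Rights,
        $Flags,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Get-AdObjectAuditEntries {
    param([string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName" -Audit).Audit | ForEach-Object {
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Rights    = $_.ActiveDirectoryRights
            Flags     = $_.AuditFlags
            Inherited = $_.IsInherited
            AppliesTo = $_.InheritanceType
        }
    }
}

$ou = 'OU=Staff,DC=example,DC=com'   # placeholder
Add-AdObjectAuditEntry -DistinguishedName $ou
Get-AdObjectAuditEntries -DistinguishedName $ou | Format-Table -AutoSize
```

As with files, the entry only produces records once the Audit Directory Service Access policy is enabled on the domain controllers.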


Material taken from the book "Windows 2000. Administrator's Guide". By William R. Stanek. © Microsoft Corporation, 1999. All rights reserved.

Computers running Windows can use various file systems, such as FAT32 and NTFS. Without going into their similarities, the main difference is that NTFS lets you configure security settings for every file and folder (directory). That is, for each file or folder NTFS stores a so-called ACL (Access Control List), which lists all users and groups that have particular access rights to that file or folder. FAT32 has no such capability.

In the NTFS file system each file or folder can carry the following security rights:

  • Read — allows browsing folders and viewing the list of files and subfolders, and viewing and accessing file contents;
  • Write — allows adding files and subfolders and writing data to a file;
  • Read & Execute — allows browsing folders and viewing the list of files and subfolders, viewing and accessing the contents of a file, and running an executable file;
  • List Folder Contents — allows browsing folders and viewing only the list of files and subfolders. This permission does not give access to file contents!
  • Modify — allows viewing contents and creating files and subfolders, deleting a folder, reading and writing data to a file, and deleting a file;
  • Full Control — allows viewing contents, creating, modifying and deleting files and subfolders, reading and writing data, and modifying and deleting a file.

The rights listed above are basic rights. Basic rights are made up of special rights: the special rights are finer-grained rights from which the basic rights are composed. Using special rights gives you much more flexibility when assigning access.

List of special access rights to files and folders:

  • Traverse Folder / Execute File — allows moving through the folder structure to reach other files or folders, and running files;
  • List Folder / Read Data — allows viewing the names of the files and subfolders in a folder, and reading data from a file;
  • Read Attributes — allows viewing file or folder attributes such as "Read Only" and "Hidden";
  • Read Extended Attributes — allows viewing the extended attributes of a file or folder;
  • Create Files / Write Data — allows creating files in a folder (folders only) and changing a file or overwriting its existing content (files only);
  • Create Folders / Append Data — allows creating folders within a folder (folders only) and appending data to the end of a file without changing, deleting or replacing existing data (files only);
  • Write Attributes — allows or forbids changing file or folder attributes such as "Read Only" and "Hidden";
  • Write Extended Attributes — allows or forbids changing the extended attributes of a file or folder;
  • Delete Subfolders and Files — allows deleting subfolders and files even when they do not carry the "Delete" permission (folders only);
  • Delete — allows deleting a file or folder. If a file or folder lacks Delete permission, it can still be deleted when the parent folder grants Delete Subfolders and Files;
  • Read Permissions — allows reading the permissions of a file or folder, such as "Full Control", "Read" and "Write";
  • Change Permissions — allows changing the access permissions of a file or folder, such as "Full Control", "Read" and "Write";
  • Take Ownership — allows taking ownership of a file or folder;
  • Synchronize — allows different threads to wait on a file or folder and synchronize with other threads that may be using it. This permission applies only to multithreaded, multiprocess programs.

!!! Every basic and special right can be set either as Allow or as Deny.

All file and folder permissions fall into two types: explicit and inherited. Inheritance means that something is passed automatically from a parent object to a child object. In a file system this means that any file or folder can inherit its rights from its parent folder. This is a very convenient mechanism: it removes the need to assign explicit rights to every newly created file and folder. Imagine you have several thousand files and folders on a disk; would you sit down and assign rights to each of them? No, inheritance does the work. You create a folder in the root of the disk, and it automatically receives exactly the same rights as the root. You change the rights of that new folder, then create a subfolder inside it; the subfolder inherits its rights from the new folder, and so on.

The actual rights to a particular folder or file are the result of combining explicit and inherited rights, and there are plenty of pitfalls. For example, you have a folder in which the user "Vasya" is allowed to delete files. Then you remember that the folder holds one very important file that Vasya must never delete, so you set an explicit Deny on the important file (the special right "Delete"). It looks like the job is done and the file is protected from deletion. Yet Vasya calmly enters the folder and deletes this super-protected file. Why? Because Vasya holds delete rights from the parent folder, and in this case they take priority.
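The trap just described can be found before anyone trips over it: a Deny for Delete on a file is only as good as the parent folder's Delete Subfolders and Files entries. The script below is an added example, not code from this article; it assumes PowerShell 5.1 or later and an NTFS folder path (the default is a placeholder). It lists every file whose explicit Deny Delete is undermined by a matching Allow of Delete Subfolders and Files on the parent. It compares principals by name only and does not expand group membership, so a user who gets the parent right through a group is not reported; treat its output as a starting point, not a verdict.

```powershell
# Added example: detect explicit Deny Delete entries on files that the parent
# folder's "Delete Subfolders and Files" right makes ineffective.
# Assumptions: PowerShell 5.1+, NTFS, placeholder folder D:\Reports.
using namespace System.Security.AccessControl

function Find-IneffectiveDeleteDeny {
    param([string]$Folder = 'D:\Reports')

    # Principals allowed to delete children through the parent folder itself.
    # Full Control contains this right; Modify does not.
    $canDeleteChildren = (Get-Acl -Path $Folder).Access |
        Where-Object {
            $_.AccessControlType -eq [AccessControlType]::Allow -and
            $_.FileSystemRights.HasFlag([FileSystemRights]::DeleteSubdirectoriesAndFiles)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    if (-not $canDeleteChildren) { return }   # nothing on the parent can bypass a file Deny

    foreach ($file in Get-ChildItem -Path $Folder -File) {
        $denies = (Get-Acl -Path $file.FullName).Access | Where-Object {
            $_.AccessControlType -eq [AccessControlType]::Deny -and
            -not $_.IsInherited -and
            $_.FileSystemRights.HasFlag([FileSystemRights]::Delete)
        }
        foreach ($ace in $denies) {
            if ($canDeleteChildren -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    File      = $file.FullName
                    Principal = $ace.IdentityReference.Value
                    Problem   = 'Deny Delete on the file is bypassed by Delete Subfolders and Files on the parent folder'
                }
            }
        }
    }
}

Find-IneffectiveDeleteDeny | Format-Table -AutoSize
```

The fix the article recommends follows from the output: instead of denying on the file, remove Delete Subfolders and Files (in practice, replace Full Control with Modify) for that principal on the folder, so that the per-file Delete right is what decides.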

Try not to assign rights directly to files; assign rights to folders.

!!! Try to assign rights only to groups; this greatly simplifies administration. Microsoft does not recommend assigning rights to individual users. Remember that a group can contain not only users but also other groups.

For example, if the computer is joined to a domain, the "Domain Users" group is automatically added to its local "Users" group and the "Domain Admins" group to the local "Administrators" group. Accordingly, by granting any folder rights to the local "Users" group you automatically grant them to all domain users.

Don’t be discouraged if everything described above is not immediately clear. Examples and independent work will fix the situation quickly!

Let's get down to specifics.

All examples are shown on Windows XP. In Windows 7 and later the essence is the same; there are just slightly more windows.

So, to assign or change the rights to a file or folder, right-click the file or folder and select the menu item "Properties".

A window with a "Security" tab should open.

If there is no such tab, do the following. Open Explorer, then open the menu "Tools" > "Folder Options…"

In the window that opens, go to the "View" tab and clear the option "Use simple file sharing (Recommended)".

That's it; now all the properties of the NTFS file system are available to you.

Back to the "Security" tab.

The window that opens shows us a lot of information. At the top is the "Group or user names:" list with all users and groups that have access rights to this folder (arrow 1). The lower list shows the permissions of the selected user or group (arrow 2), in this case the SYSTEM user. This list shows the basic permissions. Note that in the "Allow" column the check marks are greyed out and cannot be edited: this indicates that the rights are inherited from the parent folder. So in this case all rights of the SYSTEM user on the "Working" folder are inherited from the parent folder, and SYSTEM has all rights ("Full Control").

By highlighting a group or user in the list, we can view its basic rights. Selecting the user "Guest user ([email protected]" shows that all of its rights are explicit.

The group "Users (KAV-VM1\Users)", on the other hand, has a mix: some rights are inherited from the parent folder (grey check marks next to "Read & Execute", "List Folder Contents", "Read"), and some are set explicitly, namely "Modify" and "Write".

!!! Attention. Look closely at the names of users and groups. The origin of a group or user is shown in brackets. Groups and users can be local, that is, created directly on this computer, or they can be domain accounts. Here the "Administrators" group is local, because the entry in brackets is the computer name KAV-VM1 followed by a backslash and the group name. The user "Guest user", on the contrary, belongs to the btw.by domain, as the full name [email protected] shows.

Often, when viewing or changing rights, the basic-rights window is enough, but sometimes it is not. You can then open a window where you can change special permissions, change the owner, or view effective permissions. How? Click the "Advanced" button; this window opens.

In this window the "Permission entries" table lists all users with rights to this folder. As with basic permissions, we highlight the desired user or group and click the "Edit" button. A window opens showing the special permissions of the selected user or group.

As with basic permissions, special permissions inherited from the parent folder appear greyed out and cannot be edited.

As you may have noticed, some users or groups have several rows in the special permissions window.


This happens because one user or group can hold rights of different kinds: explicit and inherited, allowing and denying, or differing in the type of inheritance. In this case the read rights of the Users group are inherited from the parent folder, and the modify rights were added explicitly.

Examples of assigning rights.

!!! The examples increase in complexity. Read and understand them in the order they appear in the text. In later examples I omit actions already shown, to keep the text shorter. 🙂

Example 1: Granting read-only access to a folder to a specific local security group.

First, let's create a local group containing all the users we need. It is possible to do without a group, but then you would have to configure rights for each user separately, and every time a new person needs rights you would have to repeat all the operations. If instead the rights are granted to a local group, setting up a new person takes a single action: adding that person to the group. How to create a local security group is described in the article "Configuring local security groups".

So, we have created a local security group called "Colleagues for Reading"


to which we added all the required users.

Now I set up the access rights to the folder. In this example I grant the newly created group "Colleagues for Reading" access to the "PHOTO" folder.

Right-click the "PHOTO" folder, select "Properties", and go to the "Security" tab.

The "Security" tab shows the current permissions of the "PHOTO" folder. By highlighting the groups and users in the list you can see that the folder's rights are inherited from the parent folder (grey check marks in the "Allow" column). In this situation I do not want anyone except the newly created group to have any access to "PHOTO".

Therefore I must break the inheritance and remove the unnecessary users and groups from the list. I click the "Advanced" button. In the window that opens,


I clear the check box "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here." A window opens in which I can choose what to do with the rights inherited so far.

In most cases I recommend clicking "Copy" here, because if you choose "Remove" the list of rights becomes empty and you can actually take the rights away from yourself. Yes, don't be surprised, it is very easy to do. And if you are not an administrator on this computer, or a member of the "Backup Operators" group, you will be unable to restore your rights. It is like a door with an automatic latch that you close while leaving the keys inside. So it is better always to click "Copy" and then delete what is unnecessary.

After clicking "Copy" I am back in the previous window, this time with the check box cleared.

I click "OK" and return to the basic rights window. All rights are now editable. I need to keep the permissions of the local "Administrators" group and the SYSTEM user and delete the rest, so I select the unnecessary users and groups one by one and click "Remove".

As a result I get this picture.

Now all that remains is to add the "Colleagues for Reading" group and grant it read permissions.

I click "Add" and in the standard selection window choose the local group "Colleagues for Reading". How to work with the selection window is described in detail in the article.

As a result, the "Colleagues for Reading" group is added to the list of basic rights, and the rights "Read & Execute", "List Folder Contents" and "Read" are set for it automatically.

All that is left is to click "OK", and the rights are assigned. Now any user who belongs to the local security group "Colleagues for Reading" can read the entire contents of the "PHOTO" folder.
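Example 1 as a script, so that the same folder can be prepared repeatably. This is an added example, not code from the article; it assumes PowerShell 5.1 or later, an NTFS folder (the placeholder D:\PHOTO), that the local group "Colleagues for Reading" already exists, and that the account running it is allowed to change the folder's permissions. The order of operations mirrors the article: break inheritance while copying the inherited entries (the "Copy" button, which keeps you from locking yourself out), prune everything except Administrators and SYSTEM, then add the group with read rights.

```powershell
# Added example: Example 1 (read-only folder for a local group) in PowerShell.
# Assumptions: PowerShell 5.1+, NTFS, placeholder folder D:\PHOTO, existing
# local group "Colleagues for Reading", caller may change the folder's ACL.
using namespace System.Security.AccessControl

function Set-ReadOnlyFolderForGroup {
    param(
        [string]$Folder = 'D:\PHOTO',
        [string]$Group  = "$env:COMPUTERNAME\Colleagues for Reading"
    )
    $acl = Get-Acl -Path $Folder

    # "Advanced" -> clear the inherit check box -> "Copy":
    # stop inheriting, but keep copies of the inherited entries as explicit ones.
    # The second argument $true is the "Copy" choice; $false would be "Remove"
    # and would leave the list empty.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Folder -AclObject $acl
    $acl = Get-Acl -Path $Folder   # re-read: the copied entries are now explicit

    # Keep only Administrators and SYSTEM, remove everything else.
    $keep = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    foreach ($ace in @($acl.Access)) {
        if ($keep -notcontains $ace.IdentityReference.Value) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }

    # "Add" the group: Read & Execute on this folder, subfolders and files
    # (the tab ticks List Folder Contents and Read as well; same mask).
    $rule = [FileSystemAccessRule]::new(
        $Group,
        [FileSystemRights]::ReadAndExecute,
        [InheritanceFlags]'ContainerInherit, ObjectInherit',
        [PropagationFlags]::None,
        [AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}

# Show the resulting entries, which should be only the three expected principals.
function Get-FolderPrincipals {
    param([string]$Folder = 'D:\PHOTO')
    (Get-Acl -Path $Folder).Access |
        Select-Object @{n='Principal';e={$_.IdentityReference.Value}}, FileSystemRights, AccessControlType, IsInherited
}

Set-ReadOnlyFolderForGroup
Get-FolderPrincipals | Format-Table -AutoSize
```

Because the script keeps BUILTIN\Administrators before it removes anything, an administrator who runs it cannot end up behind the "latched door" the article warns about; check the `$keep` list against what your environment actually relies on before running it elsewhere.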

Example 2: Giving users personal access to their subfolders in a folder.

This situation is also common in practice. For example, you have a folder for new scanned documents. In this folder, each user has his own separate subfolder. After scanning, the document is taken by the user from its subfolder. The task is to assign rights so that each user sees the contents of only his own subfolder and cannot access a colleague’s subfolder.

For this example, I'll rephrase the assignment a little. Let's assume we have a shared folder "PHOTO", in which there is a subfolder for each user. It is necessary to configure rights so that the user has all rights in his subfolder, and the subfolders of other users are inaccessible to him.

For this setup, I completely repeat all the steps from the first example. As a result of repetition, I get rights for the entire group "For colleagues to read" to read to all subfolders. But my task is to make only “my” subfolder visible to the user. Therefore, in the basic rights window I click the button "Additionally"


and go to the special rights window, in which I select the group "For colleagues to read" and press the button "Change"

In the window that opens, I change the inheritance rules, instead of the value in the field "Apply:" I choose the value "Only for this folder".

This is the most key point of this example. Meaning "Only for this folder" causes read permissions for the group "For colleagues to read" apply only to the root of the folder "PHOTO", but not to subfolders. Thus, each user will be able to get to his own folder, but will not be able to look into the neighboring one; he does not have the right to view subfolders. If you do not give this right to the group at all, then users will not be able to get into their subfolders at all. The file system will not allow them even into the folder "PHOTO".

As a result, users will be able to enter the "PHOTO" folder, but they won't be able to go any further into the subfolders!

In the advanced permissions window, click "OK" and return to the previous window; now the "Apply to" column opposite the group "For colleagues to read" shows the value "Only for this folder".

Click "OK" in all the windows and exit.

That's it. Now all that remains is to configure personal rights for each subfolder. This has to be done subfolder by subfolder, since the rights are personal to each user.

You already did all the necessary actions in the first example, so let's repeat what we have covered :)

On the "User1" subfolder I right-click and select the "Properties" menu item, then go to the "Security" tab. I press the "Add" button

and in the standard selection window I select the domain user named "User1".

All that remains is to tick the Allow box for the "Change" permission. The Allow box for the "Write" permission will then be ticked automatically.

Click "OK" and exit. It remains to repeat the same steps for all the other subfolders.
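The same layout can be scripted instead of clicking through the dialogs. The script below is an added example, not code from the article: it assumes the shared folder is C:\PHOTO, that the read group is a local group called "For colleagues to read", and that each subfolder carries the name of the local account that owns it (User1, User2). The "Only for this folder" setting corresponds to an access entry with no inheritance flags.

```powershell
# Added example (not the article's own script). Assumptions: run in an elevated PowerShell on the
# machine that holds the folder; C:\PHOTO, the group name and the account names are placeholders.
param(
    [string]$Root      = 'C:\PHOTO',
    [string]$ReadGroup = 'For colleagues to read',
    [string[]]$Users   = @('User1', 'User2')
)

# 1. Read rights for the whole group on the root only. InheritanceFlags::None is what the GUI
#    calls "Only for this folder": the entry never reaches the subfolders.
$rootAcl  = Get-Acl -Path $Root
$readRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ReadGroup,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$rootAcl.AddAccessRule($readRule)
Set-Acl -Path $Root -AclObject $rootAcl

# 2. Personal rights on each subfolder: Modify for its owner, inherited by everything inside
#    ("This folder, subfolders and files"). Nobody else gets an entry here.
foreach ($user in $Users) {
    $sub = Join-Path $Root $user
    if (-not (Test-Path $sub)) { New-Item -ItemType Directory -Path $sub | Out-Null }
    $acl  = Get-Acl -Path $sub
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $user,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        'ContainerInherit, ObjectInherit',
        'None',
        'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $sub -AclObject $acl
}

# 3. Check: list the explicit (non-inherited) entries of every subfolder. The group must not
#    appear here at all; only the owner's Modify entry should be listed.
foreach ($user in $Users) {
    $sub = Join-Path $Root $user
    (Get-Acl -Path $sub).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object @{ n = 'Folder'; e = { $sub } }, IdentityReference, FileSystemRights, InheritanceFlags
}
```

One check worth doing after running it: step 3 lists only explicit entries. If the subfolders still inherit a read entry for BUILTIN\Users from the drive root, colleagues can look inside regardless of the group entry, and that inherited entry has to be removed by breaking inheritance on the folder.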

Example 3. Giving a user personal write access to his subfolder while at the same time prohibiting modification or deletion.

I understand that it sounds complicated, but I will try to explain. I call this type of access a latch. In everyday life we have a similar situation with an ordinary mailbox into which we drop paper letters: you can drop a letter into the box, but you cannot take it back out. In computing this can be useful when someone writes a report into a folder for you: the user writes the file, but afterwards can no longer do anything with it. This way you can be sure that the author will not be able to change or delete the submitted report.

As in the previous example, we repeat all the steps, except that we do not immediately give the user full rights to his folder: in the basic permissions we initially give only read access, then press the "Advanced" button

In the window that opens, select "User1" and press the "Edit" button

In the window that opens we see the standard read permissions

To give the user the right to create files, tick Allow for "Create files / write data", and tick Deny for "Delete subfolders and files" and "Delete". We leave inheritance at the default, "This folder, subfolders and files".

After pressing "OK" and returning to the previous window, you can see a significant change: instead of one entry for "User1" there are now two.

This is because two kinds of entries have been set: a denying one, listed first, and an allowing one, listed second. Since special permissions are non-standard, the "Permission" column shows the value "Special". When "OK" is pressed, Windows shows a window warning that there are deny entries and that they have higher priority. Translated, this is the same situation as a self-locking door whose keys are inside. I described a similar situation in the second example.

That's it. The rights are set. Now "User1" will be able to write any file into his folder and open it, but will not be able to change or delete it.

But what about a complete analogy with a real mailbox?

To prevent the user from opening or copying a file he has written, do the following. Again open the allowing special permissions for "User1", and in the "Apply to:" field change the value to "Only for this folder"

In this case the user has no right to read or copy the file.

That's it. Now the analogy with a physical mailbox is almost complete. The user will only be able to see the names of the files, their size and attributes, but will not be able to see the file contents themselves.
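Both variants of this "latch" (the first one, where the user can still read what he wrote, and the mailbox one, where he sees only names) come down to one allow entry and one deny entry. The function below is an added example, not the article's code; it assumes the subfolder is C:\PHOTO\User1 and the account is a local user named User1, and the -ReadableByUser switch picks between the two variants.

```powershell
# Added example (not the article's own script). Assumptions: elevated PowerShell on the machine
# holding the folder; C:\PHOTO\User1 and User1 are placeholders.
function Set-DropBox {
    param(
        [string]$Path = 'C:\PHOTO\User1',
        [string]$User = 'User1',
        [switch]$ReadableByUser   # set: user may open files he dropped; unset: names only
    )
    $FSR = [System.Security.AccessControl.FileSystemRights]
    $acl = Get-Acl -Path $Path

    # Start from a clean slate: remove any explicit entries this user already has here.
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited -and $ace.IdentityReference.Value -like "*\$User") {
            $acl.RemoveAccessRule($ace) | Out-Null
        }
    }

    # Allow: the standard read set plus "Create files / write data". With inheritance the read
    # part also lands on every new file; "Only for this folder" (no inheritance flags) keeps it
    # off the files, so the user sees names, sizes and attributes but cannot open the contents.
    $inherit = if ($ReadableByUser) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    $allow = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $User, ($FSR::ReadAndExecute -bor $FSR::CreateFiles), $inherit, 'None', 'Allow')

    # Deny: "Delete" and "Delete subfolders and files", inherited by subfolders and files.
    # Denying both matters: NTFS lets a caller delete a child when he holds "Delete subfolders
    # and files" on the parent folder, even if "Delete" is denied on the child itself.
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $User, ($FSR::Delete -bor $FSR::DeleteSubdirectoriesAndFiles),
        'ContainerInherit, ObjectInherit', 'None', 'Deny')

    $acl.AddAccessRule($allow)
    $acl.AddAccessRule($deny)
    Set-Acl -Path $Path -AclObject $acl

    # Return the user's entries for inspection. The Deny entry is listed first, as in the GUI.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$User" } |
        Select-Object AccessControlType, FileSystemRights, InheritanceFlags
}

Set-DropBox                    # mailbox variant: drop a file, never open, change or delete it
# Set-DropBox -ReadableByUser  # first variant: read what was dropped, but no change or delete
```

The returned entries are the same two lines the Advanced dialog shows; the deny line carries both delete rights and inherits downwards, which is the part that makes the folder a one-way box.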

Viewing current permissions.

I want to say right away that the ability to view the current (effective) permissions for a folder or file is a complete fiction. In my opinion, such a tool should provide guaranteed information, and this is not the case here. Microsoft itself admits that the tool does not take into account many factors that affect the resulting rights, such as logon conditions. Therefore, using this tool only deceives you about the real rights.

The case described at the very beginning of the article, with the ban on deleting a file from a folder, is very telling here. If you reproduce that situation and look at the effective permissions of a file protected from deletion, you will see that Delete is shown as denied for the file. However, deleting this file is not difficult. Why Microsoft did this, I don't know.

If you still decide to look at the current rights, click the "Advanced" button in the basic permissions window, and in the advanced security window go to the "Effective Permissions" tab.

Then press the "Select" button and choose the desired user or group in the standard selection window.

Once selected, you can see the "approximate" effective permissions.

In conclusion, I want to say that the topic of NTFS file system rights is very extensive; the examples above are only a very small part of what can be done. So if you have questions, ask them in the comments to this article and I'll try to answer them.


Across Russia, many firms and small enterprises have no system administrator of their own, neither a permanent one nor one who comes in from time to time. The company grows, and sooner or later a single shared folder on the network, where everyone can do whatever they want, is no longer enough. Access control for different users or groups of users on the MS Windows platform is required. Linux users and experienced admins, please do not read this article.

The best option is to hire an experienced administrator and think about buying a server. An experienced administrator will decide on the spot whether to set up MS Windows Server with Active Directory or use something from the Linux world.

But this article was written for those who have decided to struggle on their own for now, without modern software solutions. I will try to explain at least how to implement the separation of rights correctly.

Before we begin, I would like to cover a couple of points:

  • Any operating system "recognizes" and "distinguishes" real people through their accounts. It should be like this: one person = one account.
  • The article describes the situation where the company has no admin of its own and has not bought, for example, MS Windows Server. Any ordinary client MS Windows serves no more than 10 people at a time for WinXP and 20 people for Win7 over the network. Microsoft did this deliberately so that Windows clients would not compete with Windows servers and ruin Microsoft's business. Remember the number 10-20: when your company has more than 10-20 people, you will have to think about buying MS Windows Server or ask someone to install a free Linux Samba server for you, which has no such restriction.
  • Since you do not have a competent administrator, an ordinary computer running client MS Windows will pretend to be a file server. You will be forced to duplicate on it the user accounts from the other computers so that they can access the shared files. In other words, if the company has an accountant Olya on computer PC1 with the account olya, then on this "server" (hereinafter I will call it WinServer) you need to create the account olya with the same password as on PC1.
  • People come and go. Staff turnover is everywhere, and if you are the poor soul who is not an administrator but has been assigned (forced) to support the company's IT issues, here is some advice. Create accounts that are not tied to a person. For managers create manager1, manager2. For accountants, buh1, buh2. Or something similar. Has the person left? Someone else won't be offended at using manager1. Agree, this is better than Semyon using the olya account because it's broken, there's no one to redo it, and everything has been working that way for a hundred years.
  • Forget phrases like "put a password on the folder". The days when passwords were attached to resources are long gone. The philosophy of working with resources has changed. Now the user logs into his system with an account (identification), confirms himself with his password (authentication), and is given access to all the resources he is authorized for. Log in once and have access to everything: that's what you need to remember.
  • It is advisable to perform the following actions from the built-in Administrator account or from the first account in the system, which by default is a member of the Administrators group.

Preparation.

In Explorer, turn off simplified sharing, which gets in the way of what we need.

  • MS Windows XP. Menu Tools - Folder Options - View. Uncheck Use simple file sharing.
  • MS Windows 7. Press Alt. Menu Tools - Folder Options - View. Uncheck Use Sharing Wizard.

Create a folder on the WinServer computer that will store your wealth in the form of orders, contracts and so on. As an example, mine will be C:\dostup\. The folder must be created on an NTFS partition.

Network access.

At this stage you need to make the folder available over the network (share it) so that other users can work with it from their computers on the local network.

And the most important thing! Share the folder with Full access for everyone! Yes, yes! You heard right. But what about access control?

We allow everyone to connect to the folder over the local network, BUT we will limit access using the security settings stored in the NTFS file system on which our directory is located.

  • MS Windows XP. Right-click the desired folder (C:\dostup\) and select Properties. Sharing tab - Full access.
  • MS Windows 7. Right-click the desired folder (C:\dostup\) and select Properties. Sharing tab - Advanced Sharing. Tick Share this folder. Fill in the Comment. Click Permissions. The Everyone group must have the network right Full access.

Users and security groups.

You need to create the necessary user accounts. I remind you that if different user accounts are used on your various personal computers, then all of them must be created on your "server" with the same passwords. This can only be avoided if you have a competent administrator and the computers are in Active Directory. No? Then carefully create the accounts.

  • MS Windows XP. Control Panel - Administration - Computer Management.
    Local Users and Groups - Users. Menu Action - New User.
  • MS Windows 7. Control Panel - Administration - Computer Management.
    Local Users and Groups - Users. Menu Action - New User.

Now it's time for the most important thing: the groups! Groups let you collect user accounts and simplify the granting of rights and access control.

The "imposition of rights" on directories and files is explained below, but for now the main thing is to grasp one idea. Rights to folders or files are granted to groups, which can be thought of as containers. The groups then "pass on" the rights to the accounts they contain. That is, you need to think at the level of groups, not at the level of individual accounts.

  • MS Windows XP. Control Panel - Administration - Computer Management.
    Local Users and Groups - Groups. Menu Action - New Group.
  • MS Windows 7. Control Panel - Administration - Computer Management.
    Local Users and Groups - Groups. Menu Action - New Group.

The required accounts need to be added to the appropriate groups. For example, right-click the Accountants group and choose Add to Group, or Properties and then the Add button. In the field Enter the names of the objects to select, type the name of the required account and click Check Names. If everything is correct, the account will change to the form SERVERNAME\account. In the picture above, the buh3 account has been resolved to WINSERVER\buh3.

So, the necessary groups have been created and the user accounts have been placed in them. But before the stage of assigning rights to folders and files via groups, I would like to discuss a couple of points.

Is it worth bothering with a group if it contains only one account? I think it is! A group gives flexibility and room to manoeuvre. Tomorrow you will need to give another person B the same rights as person A with his account. You will simply add account B to the group that already contains A, and that's it!

It is much easier when access rights are granted to groups rather than to individuals. All you have to do is manage the groups and put the necessary accounts in them.

Access rights.

It is advisable to perform the following actions from the built-in Administrator account or from the first account in the system, which by default is a member of the Administrators group.

So we've reached the stage where the magic of separating access rights for different groups, and through them for users (more precisely, their accounts), actually happens.

So, we have a directory at C:\dostup\, which we have already made available to all employees over the network. Inside C:\dostup\, for the sake of example, we create the folders Contracts, Orders and MC Accounting. Let's assume the task is:

  • the Contracts folder must be read-only for Accountants and read-and-write for Managers.
  • the MC Accounting folder must be readable and writable by Accountants. The Managers group has no access.
  • the Orders folder must be read-only for both Accountants and Managers.

Right-click the Contracts folder and choose Properties - Security tab. We see that some groups and users already have access to it. These rights were inherited from the parent dostup\, which in turn inherited them from its parent C:\.

We will break this inheritance of rights and assign our own.

Click the Advanced button - Permissions tab - Change Permissions button.

First, we break the inheritance of rights from the parent. Uncheck the box Include inheritable permissions from this object's parent. We will be warned that permissions from the parent will no longer apply to this object (in this case the Contracts folder) and offered Add, Remove or Cancel. Click Add: the rights copied from the parent stay with us as our own entries, but the parent's rights no longer apply to us. In other words, if the access rights of the parent (the dostup folder) are changed in the future, this will not affect the child Contracts folder. Note that the Inherited from column now says not inherited. That is, the parent-child link is broken.

Now we carefully remove the unnecessary entries, leaving Full access for Administrators and SYSTEM. We select in turn the various Authenticated Users and plain Users entries and delete them with the Remove button.

The Add button in this Advanced Security Settings window is intended for experienced administrators who can set special permissions. This article is aimed at the level of an experienced user.

We tick Replace all child object permissions with inheritable permissions from this object and click OK. Go back and click OK again to return to the simple Properties view.

This window makes it easier to achieve what we want. The Edit button opens the group permissions window.

Click Add. In the new window, type Accountants and click Check Names - OK. By default, "read" access is granted in a simplified form: the checkboxes in the Allow column are automatically set for Read and Execute, List folder contents and Read. That suits us, so click OK.

Now, according to our specification, we need to give read and write rights to the Managers group. From the Properties window, again Edit - Add - type Managers - Check Names. Add the Change and Write checkboxes in the Allow column.

Now we need to check everything!

Follow the thought. We have ordered that the Contracts folder not inherit rights from its parent dostup, and that child folders and files inside the Contracts folder inherit rights from it.

We have imposed the following access rights on the Contracts folder: the Accountants group may only read files and open the folders inside, while the Managers group may create and modify files and create folders.

Therefore, if a document file is created inside the Contracts directory, it will receive its permissions from its parent. Users with their own accounts will get access to such files and directories through their groups.

Go to the Contracts folder and create a test file agreement1.txt

Right-click it and choose Properties - Security tab - Advanced - Effective Permissions tab.

Click Select and enter the account of any accountant, for example buh1. We can clearly see that buh1 has received rights from his Accountants group, which has read rights on the parent Contracts folder, which "extends" its permissions to its child objects.

Let's try manager2 and see clearly that the manager gets read and write access, since he is a member of the Managers group, which grants those rights on this folder.

In exactly the same way, by analogy with the Contracts folder, access rights are imposed on the other folders according to your specification.
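The whole procedure from this section (share with Full access for Everyone, accounts and groups, broken inheritance, group entries per folder) can be carried out from one script. The script below is an added example, not the article's own; it assumes an elevated PowerShell on the WinServer machine running Windows 7 or later, the C:\dostup layout from the text, and uses a placeholder password for the new accounts.

```powershell
# Added example (not the article's own script). Assumptions: elevated PowerShell on WinServer;
# account names, group names and the password below are placeholders from the text of this section.
$root = 'C:\dostup'
New-Item -ItemType Directory -Path $root -Force | Out-Null
foreach ($name in 'Contracts', 'Orders', 'MC Accounting') {
    New-Item -ItemType Directory -Path (Join-Path $root $name) -Force | Out-Null
}

# 1. Network access: share the root with Full access for Everyone. The real filtering is done by NTFS.
net share dostup="$root" '/grant:Everyone,FULL' | Out-Null

# 2. Accounts (one person = one account) and groups. Replace the placeholder password.
foreach ($acct in 'buh1', 'buh2', 'manager1', 'manager2') {
    net user $acct 'P@ssw0rd-placeholder' /add | Out-Null
}
net localgroup Accountants /add | Out-Null
net localgroup Managers    /add | Out-Null
net localgroup Accountants buh1 buh2         /add | Out-Null
net localgroup Managers    manager1 manager2 /add | Out-Null

# 3. NTFS rights per folder: break inheritance (the "Add" choice keeps copies of the inherited
#    entries), remove the Users / Authenticated Users copies, then grant to groups only.
function Set-FolderRights {
    param([string]$Path, [hashtable]$Grants)   # Grants: group name -> FileSystemRights
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)  # stop inheriting, keep inherited entries as explicit
    Set-Acl -Path $Path -AclObject $acl
    $acl = Get-Acl -Path $Path                  # re-read so the copies are now removable
    foreach ($ace in @($acl.Access)) {
        if ($ace.IdentityReference.Value -in 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users') {
            $acl.RemoveAccessRule($ace) | Out-Null
        }
    }
    foreach ($group in $Grants.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $group, $Grants[$group], 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)   # inherited by subfolders and files created later
    }
    Set-Acl -Path $Path -AclObject $acl
}

Set-FolderRights -Path "$root\Contracts"     -Grants @{ Accountants = 'ReadAndExecute'; Managers = 'Modify' }
Set-FolderRights -Path "$root\MC Accounting" -Grants @{ Accountants = 'Modify' }
Set-FolderRights -Path "$root\Orders"        -Grants @{ Accountants = 'ReadAndExecute'; Managers = 'ReadAndExecute' }

# 4. Check: icacls prints the entries exactly as NTFS stores them (Administrators and SYSTEM
#    keep Full access, each group has only the rights from the specification, no Users entry).
icacls "$root\Contracts"
icacls "$root\MC Accounting"
icacls "$root\Orders"
```

Reading the icacls output is a more reliable check than the Effective Permissions tab: it shows the stored entries themselves, so a stray inherited Users entry or a missing group entry is visible immediately.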

Bottom line.

  • Use NTFS partitions.
  • When you restrict access to folders (and files), manipulate groups.
  • Create accounts for each user. 1 person = 1 account.
  • Include accounts in groups. An account can be a member of different groups at the same time. If an account is in several groups and one group allows something, then it will be allowed for the account.
  • The Deny column (denying rights) takes precedence over Allow. If an account is in several groups and one group prohibits something, and another group allows it, then it will be prohibited for the account.
  • Remove an account from the group if you want to deprive access that this group gives.
  • Think about hiring an admin and don’t offend him with money.

Ask questions in the comments, and correct me if I'm wrong.

The video shows a special case when you just need to deny access to a folder, taking advantage of the fact that denying rules take precedence over allowing rules.

In this article we will talk in detail about how to change access rights to files and folders in Windows 7, and how to change the owner of a file or folder. This knowledge is useful, for example, for organizing a home network to which several users are connected.

The easiest way to change the owner of a file or folder is to use Windows Explorer. Let's see how this can be done.

How to change the owner of a file or folder

Right-click the file or folder and select Properties, then open the Security tab. Click the Advanced button.

The Owner tab will open.

Click the Edit button and a window will open. Now select the desired user or group from the Change owner to list and click OK.

Let's assume that the required user or group is not in the list. Click the Other users or groups button. Now enter the user or group name in the field.

However, the name must be entered according to special rules, which you can see by clicking the examples link.

There is an easier option: click the Advanced button and then the Search button. All users and groups on your computer will be listed in the window.

All that remains is to select a user or group and click OK. We return to the previous window, where the user we selected is now shown.

Click OK. Now the main thing: tick the checkbox, then click OK. As a result, the folder or file gets a new owner.

How to change permissions on files or folders

Okay, we've sorted out the owners. What about access permissions? We have added a new owner, but what if we need to specify exactly what he is allowed to do and what he should not count on? This is also done on the Security tab.

Right-click the file or folder and select Properties, then go to the Security tab. In the Group or user names field select the desired user or group and click Edit.

Now tick the boxes you need in the Allow and Deny columns. For example, if you need to prevent a user from changing files or folders, tick the box in the Deny column opposite the Change permission. Then click Apply and the ban takes effect.
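The same two operations (change the owner, then add a Deny entry for one user) can be done with icacls, which is handy when there are many files. The commands below are an added example, not from the article; they assume an elevated prompt, a placeholder file C:\Shared\report.docx, a local account olya as the new owner and manager1 as the user to restrict.

```powershell
# Added example (not the article's own). Assumptions: elevated PowerShell; the path and the two
# account names are placeholders. For a folder, add /T to apply the owner change recursively,
# which is what the "replace owner on subcontainers" checkbox in the Owner tab does.
$target   = 'C:\Shared\report.docx'
$newOwner = 'olya'
$restrict = 'manager1'

# 1. Change the owner (Owner tab - Edit - Change owner to).
icacls $target /setowner $newOwner

# 2. Add a Deny entry for one user (the Deny column). This denies only the write and delete bits:
#    WD write data, AD append data, WA write attributes, WEA write extended attributes, DE delete.
#    It is narrower than the basic Change checkbox, whose mask also contains the read rights, so
#    manager1 keeps read access but can neither modify nor delete the file. A deny entry is
#    evaluated before any allow entry, even one granted through a group.
icacls $target /deny "${restrict}:(WD,AD,WA,WEA,DE)"

# 3. Show the result. icacls lists deny entries ((DENY)) before allow entries, and the owner is
#    visible through Get-Acl.
icacls $target
(Get-Acl -Path $target).Owner
```

If the file lives in a folder where manager1 holds "Delete subfolders and files", the DE deny on the file alone does not stop deletion: that right on the parent must be denied as well, as in the mailbox example earlier on this page.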
