File system permissions are an essential method of securing one's private data. In Windows, you can set permissions on NTFS-formatted partitions/drives; other file systems, such as FAT/FAT32/exFAT do not support access restrictions, aka Access Control Lists (ACL).
See this tutorial to convert your FAT/FAT32 drive to NTFS without losing any data.
Best security practices include protecting whole folders instead of individual files and enforcing security inheritance on subfolders. If there are many users and many folders requiring different permissions, it is recommended to grant access using user groups, not individual users. In most cases, basic access rights work the best; the usage of advanced ones can easily create frustration and end up with losing access to required resources.
One should never try changing permissions of the whole system drive (the drive/partition where Windows is installed); or system folders or their subfolders, such as Windows, Program Files/Program Files (x86) or ProgramData. Always have a backup ready in case something goes awfully wrong.
Windows XP Home Edition does not support setting file system access restrictions, even on NTFS-formatted drives. Windows XP Professional and all newer editions and versions of Windows have the required tools built in. You can use the keyboard shortcut Windows Key+Break/Pause to check the version and edition of Windows.
To see the Security tab in Windows XP Professional, you must disable simple file sharing first. Launch Windows Explorer using the keyboard shortcut Windows Key+E (or double-click My Computer), open Tools menu and click Folder Options.
Later versions of Windows (Vista, 7, 8 and 8.1) have the Security tab visible at all times.
Open View tab, scroll to the bottom of the Advanced settings list and clear the Use simple file sharing (Recommended) check box. Click OK to apply the changes.
Folder options are described in more detail here.
In Windows XP Home Edition, you can still make your own user profile folder (including the My Documents folder) private by opening Windows Explorer, navigating to C:\Documents and Settings folder, right-clicking your user folder and clicking Properties. Then open the Sharing tab and turn on the Make this folder private option.
As said before, it is strongly recommended to apply permissions to folders, not individual files. The main reason is security inheritance - by default, all items inherit Access Control Lists (ACL) from the folder they are in (if the Read & Execute option is enabled). So if you change Access Control Entries (ACE aka user access to a file), the permissions might stay effective only until the next time you modify and save the file. After saving, the file inherits permissions of its parent folder and the item might not be private enough or accessible anymore.
This limitation gives you an opportunity to organize files into different folders and apply security to these folders. The bright side of this is that you can then locate and manage your files in an easier way.
To view or modify file/folder permissions in Windows, locate and right-click it in Windows/File Explorer and click Properties. The keyboard equivalent is to use shortcut Alt+Enter on a selected item.
File or folder properties window opens. Click to open the Security tab and you can see the currently effective permissions. The top part of the window (Group or user names) lists users and groups that have been granted or denied some sort of access to the item; the bottom part (Permissions for <selected group or user>) lists the selected user's/group's basic access rights to the item.
In Windows XP, you can select a user or a group (aka principal) and change its permissions right away; in Windows Vista and newer, you must first click the Edit button (all items in the bottom half of the window are grayed out/disabled by default).
The basic access rights to an item/object are as follows:
- Full Control - can create items; see, open, read, write, delete the item; modify access rights and attributes and take ownership of the item. Selecting the box enables all other options.
- Modify - can create items; see, open, read, write and delete the item; view access rights and modify attributes. Activating the option enables all checkboxes below it.
- Read & Execute - can see, open/launch and read the item. Selecting the option enables the List folder contents and Read items.
- List folder contents - applies to folders only, same rights as Read & Execute, but applies to sub-folders only (not to files in these).
- Read - can see, open and view permissions and attributes of the item. The most basic right.
- Write - can create items; see, open, read, write, synchronize and delete the item. Viewing permissions and attributes is also allowed.
- Special permissions - customized rights that fall out of the scope of basic rights.
Please avoid using the Deny check boxes, as these override granted permissions. Windows always uses the most restrictive permissions!
If you enable the Read & Execute option of a folder, all sub-folders and files will inherit permissions from it. Disabling it and using the List folder contents option instead will enforce the rights to sub-folders only, excluding files. The latter allows independent access rights to individual files within folders and sub-folders.
To add a user or a group, click the Add... button in the top half of the item properties window.
To delete an Access Control Entry (ACE), click the Remove button. Be careful - you do not want to remove your own access rights! If you've accidentally removed your own right, click the Cancel button and start over.
This example lists usual permissions to a user profile folder: Administrators group, SYSTEM and the user account itself have full control of the folder and its subfolders and files. No other accounts should be listed here.
User profiles are stored in subfolders of the C:\Users\ folder in Windows Vista, 7, 8/8.1 and 10; and in subfolders of the C:\Documents and Settings\ folder in Windows XP.
The Select Users or Groups dialog opens. Here you can either type in the names of groups or users (separated by semicolon) and click the Check Names button for verification, or click the Advanced button to enable listing of all available group and user names.
If you have a local network (HomeGroup, Workgroup, Domain), you can also choose users from other Windows PC-s on the same network using the Location button. You might have to enter user name and password (use administrative accounts only) for the remote PC first.
After using the Advanced button, click Find Now.
The list of all users and groups appears. You can either select one item at a time or hold down the Shift key to select concurrent items or hold down Ctrl key to select non-adjacent items.
After selecting the required users or groups, click OK.
Click OK back in the Select Users or Groups window to add the selected item(s) to Access Control List.
By default, the added users and groups will receive the Read & Execute, List Folder Contents and Read permissions. You can adjust the rights by selecting or deselecting available checkboxes for each added account.
Click OK after you're done adjusting the access permissions.
There are special accounts available in Windows. You should use these with caution and only if you fully understand what kind of access they allow or deny.
- Anonymous Logon - network users that have not specified user name and password. This applies best to web servers and is not recommended while securing or sharing folders and files.
- Authenticated Users - any user who has successfully logged on with user name and password. This does not include the Guest account even if it is password-protected.
- Creator Owner and Creator Group - identifies the user or group who created the selected file or folder. You can use these entries for protected folders to allow deleting temporary files that many programs such as Microsoft Word or Microsoft Excel automatically create after opening a document. The owner can read, modify and delete such items, but other non-administrative users cannot erase these accidentally.
- Dialup - users who access the computer over a dial-up (modem) connections.
- Everyone - any user who accesses the computer, including Guest account. Anonymous Logon is excluded.
- HomeUsers - available in Windows 7, 8, 8.1 and 10 only, all members of the HomeGroup that this PC has joined. If the computer is not in a HomeGroup, the item is not visible.
- Interactive - any user who has logged on locally (not over the network).
- Network - any user who has logged on over the network (not locally). This excludes users who have logged on over a Remote Desktop connection.
- Remote Interactive Logon - any user who has logged on over Remote Desktop Connection (not locally or over a direct network connection).
- SID numbers without friendly names, such as S-1-15-3-1024... - only in Windows 8, 8.1 and 10, capability SIDs are used as "un-forgeable token of authority that grants a Windows component or a Universal Windows Application access to resources such as documents, cameras, locations, and so forth". Never remove these SIDs from Registry and file system entries!
You are the administrator and you have a folder that you want to share with other users on this computer. However, non-administrative users should not be able to delete documents other than their own.
- Add Administrators group with Full Control permission. This includes your own account.
- Add Users group with Read & Execute and Write permissions. This gives ordinary (limited) users permission to open and modify all files, but not to delete these.
- Add Creator Owner account with Full Control permission. This means that anyone who creates a new file or folder can also delete it. Other non-administrative users cannot delete the item.
- Add special SYSTEM account with Full Control permission. This ensures that files can be properly backed up, defragmented, etc by scheduled tasks.
If you want users to be able to delete or move any document, give the Users group Read & Execute and Modify permissions. The latter also includes Write permission.
The previous section covered basic permissions that are normally fine for everyday use. Advanced settings include more granular control over access rights of folders, sub-folders and files; and cover inheritance, ownership, and permission testing.
As usual, right-click the object (file or folder) you want to customize and choose Properties. Then open Security tab and click Advanced in the bottom half of the window.
In Windows XP, editable list of permission entries appears right away. In Windows Vista, 7, 8, 8.1 and 10, you must click the Change Permissions button first to modify the listed rights. This will open a separate window.
You are now able to add or remove permissions from the Access Control List (ACL) using the corresponding buttons.
To change advanced rights for a user or a group, click its entry and then click Edit.
For folders, you can choose how the permissions affect items in it using the Apply onto (Windows XP), Apply to (Windows Vista and 7) or Applies to (Windows 8 and 8.1) combo box. The entries speak for themselves, This folder, subfolder and files is selected by default. This enforces the listed rights to each and every file, sub-folder and all files in all sub-folders. Using such granularity, you can create different access rights for files in the current folder, for subfolders and their files, etc.
For clarity, try avoiding advanced permissions and use different top-level folders for items that require different permissions.
For files, this option is disabled.
To change advanced permissions, tick or clear the appropriate check boxes.
In Windows 8/8.1 and 10, you must click the Show advanced permissions link on the right first (see the image above).
In case all these options are grayed out, there must be a line on the top of the window that warns about inherited rights. You cannot change the access rights unless you disable inheritance for the object.
Inheritance eases the creation of security settings so that you do not have to apply the same permissions to each and every subfolder. All you need to do is to create Access Control List (ACL) for the parent folder and all subfolders and files will inherit these automatically. That is, if the inheritance is enabled (it is by default) and the Read & Execute option (discussed earlier in this article) for the folder is enabled.
To break the inheritance for a folder or a file, clear the Inherit from parent the permission entries that apply to child objects (Windows XP) or Include inheritable permissions from this object's parent (Windows Vista and 7). In Windows 8, 8.1 and 10, click the Disable inheritance button.
A warning dialog will appear. In Windows XP, click Copy; in Windows Vista and 7, click Add. In Windows 8/8.1 and 10, click Convert inherited permissions into explicit permissions on this object.
This will disable inheritance, turn the previously inherited rights into explicit rights and save you some time by keeping the default permission entries (you do not have to start creating access rights from the scratch).
Now you have a set of default permissions that you can modify as you like. As always, I suggest using basic access rights instead of advanced permissions. Just click OK to close the Advanced Security Settings window and define the ACL in the folder or file properties window.
If required, you can also replace all access rights of subfolders and files by enabling the Replace permission entries on all child objects with entries shown here that apply to child objects (Windows XP) or Replace all child object permissions with inheritable permissions from this object (Windows Vista and later) option.
Then click OK.
This will spawn another warning window, click Yes. Please be aware that this will remove all customized access rights of subfolders and files.
To re-enable inheritance, put a check mark in the Inherit from parent the permission entries that apply to child objects (Windows XP) or Include inheritable permissions from this object's parent (Windows Vista and 7). In Windows 8/8.1 and 10, click the Enable inheritance button.
This will add access rights from the parent folder, but your customized permissions will also remain intact.
In its simplest form, the owner is the user who created the file or the folder. In Windows XP, the owner has full permissions to the item; later versions of Windows grant full access only if the Creator Owner or Creator Group account is included in basic or advanced permissions.
To change an object's ownership, you must either have Full Control permissions to it or your user account must be a member of the Administrators group.
In Windows XP, Vista and 7, open the Owner tab of Advanced Security Settings window. The current owner is listed in the Current owner of this item (Windows XP), Current Owner (Windows Vista and 7) or Owner (Windows 8, 8.1 and 10) field.
Just like in access rights part, Windows XP allows modifications right away; Windows Vista and 7 users must first click the Edit button, and Windows 8/8.1/10 users must click the Change link.
Now you can select a different administrative account or group in Windows Vista and 7, or click Change again in Windows 8/8.1 or 10 to select one from a list.
To replace the owner of all subfolders and files also, enable the Replace owner on subcontainers and objects option. In Windows XP, this will grant full access rights to the selected user or group.
In Windows XP, Vista and 7, close and re-open all Properties windows to see new access rights. Windows Vista and 7 will pop up an informative dialog about this.
Windows 8 and 8.1 will close the windows automatically, so you must re-open these.
In case you connect an NTFS-formatted drive from another computer, and you cannot even see the amount of free space on the drive (a bunch of access denied errors for every action you try), follow these steps:
- Caution: never try this on a system drive (the drive where Windows is installed, usually drive letter C:\) - this can make Windows unbootable.
- Take ownership of the whole drive, but select a user account with administrator rights instead of a security group. Ignore error messages while the owner of all objects on the drive is being changed. Close the open drive properties window, if necessary.
- Re-open properties of the drive, go to Security tab, grant Full Control permissions to the same user account you used before and click OK.
- The drive is accessible now, give Full Control rights to SYSTEM account and Administrators group.
If you go back to the original computer, you must repeat the steps above to access the drive.
Windows also has the Effective Permissions (Windows XP, Vista and 7) or Effective Access (Windows 8, 8.1 and 10) tab that allows verifying that a user or a group has all required permissions. This is mostly intended for complex environments with many groups and users, but it is also good for home users.
Click the Select button in Windows XP, Vista or 7. Windows 8/8.1 and 10 users should click the Select a user link instead.
The Select User or Group window opens. Either type the name of the user or group and click Check Names to verify the account, or click Advanced and then Find Now to list all available accounts.
In Windows XP, Vista and 7, the list of effective access rights appears. In Windows 8/8.1 and 10, you must click the View effective access button first.
Before trying any of these advanced tools, make sure you have a full, recent backup of your device in case something goes very wrong.
You must be a member of the Administrators group in order to run these commands.
Pay very close attention to spaces in the commands.
You can right-click or touch and hold inside the Command Prompt window to find the Paste command. In Windows 10's Command Prompt, keyboard shortcut Ctrl+V works, too.
In Windows XP, open Run dialog using keyboard shortcut WINDOWS KEY+R or by opening the Start menu and clicking Run. Type cmd and click OK.
In Windows Vista, 7 and 10, open Start menu and type cmd into the Search box. Right-click cmd.exe or Command Prompt and select Run as administrator. This will open the so-called elevated command prompt.
In Windows 8 and 8.1, open Start screen and type "cmd". Right-click or tap and hold Command Prompt and choose Run as administrator.
If necessary, click Continue or Yes in the User Account Control prompt. After this, a black Command Prompt window will open.
If you have a folder, drive or file with such permissions that you cannot use the Security tab for modifying user access, you can use the takeown command instead.
Never run this command on important system folders such as C:\Windows, C:\Program Files, C:\Program Files (x86) or C:\ProgramData! See the icacls tool for restoring default permissions of system folders.
For example, to take ownership of a folder named "NoAccess" on drive C:, type or copy-paste the following command inside elevated Command Prompt window. Please note that the path to a folder is usually enclosed in quotes or double quotes.
takeown /F "C:\NoAccess" /R /A /D Y
The /R switch means that the command runs recursively, or applies to every subfolder and file inside the NoAccess folder.
The /A switch gives ownership to the Administrators group, not your current user account. This is always the preferred method. You can skip the /A switch for files or private folders only.
The /D Y switch suppresses prompts for subfolders if your user account does not have the list folder permission for one or more subfolders; the ownership is taken automatically then.
Press Enter key once to run the command.
To take ownership of a whole drive, find out its drive letter in Windows/File Explorer (drive letter T: is used in this example) and then run the following command:
takeown /F T:\ /R /A /D Y
Similarly, taking ownership of a file means finding out its full path in Windows/File Explorer and using it in the takeown command. Since Windows Vista, you can locate the file in Windows Explorer, press and hold down the Shift key, right-click the file and choose the Copy as path command. Then just type
takeown /F , (include a space after "/F"!) right-click inside Command Prompt window and paste the full path. Either add the /A switch followed by the Enter key, or press Enter if you want your user account to be the owner of the file.
Please note that you cannot use the /R and /D Y switches as files do not have subfolders.
takeown /F "C:\Users\margus\Downloads\MicrosoftFixit50202.msi"
After this, open Windows/File Explorer and try modifying permissions for the item.
In case some malware has fiddled with access rights to a system folder or registry, you can restore the default permissions using Command Prompt. See the previous section on how to open elevated Command Prompt if you have not already done so.
Do not run the following commands unless your computer has a specific problem with permissions.
First, fix permissions to registry and important system services by copying and pasting (right-click inside Command Prompt to paste) the following command:
secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
Press Enter key once to reset Registry and essential services' permissions, and apply defaults to Event Logs and Local Security Policy. The same command works in Windows XP, Vista, 7, 8/8.1 and 10.
Ignore errors that might appear during the command.
To repair permissions/access rights of important system folders, use the icacls tool.
If Windows is installed on a drive other than C:, find out the correct path to Windows installation folder with the
cd /D %windir% command: this changes the active path to the correct drive and folder, for example, C:\Windows. Please skip the last character, ">" by default.
Run the following commands:
icacls "C:\Windows" /reset /T /C /Q- replace "C:\Windows" with the correct path if Windows is installed to a non-default location.
icacls "C:\Program Files" /reset /T /C /Q- replace "C:" with correct drive letter if necessary.
icacls "C:\Program Files (x86)" /reset /T /C /Q- only required on 64-bit Windows Vista or newer; replace "C:" with correct drive letter if necessary.
icacls "C:\ProgramData" /reset /T /C /Q- only on Windows Vista and newer; replace "C:" with correct drive letter if necessary.
You might see many "Access is denied" while the commands run, please ignore these. To finish the repair process, a restart is required.