NTFS permissions in Windows

winhelp.us. Last updated: 2019-06-04

How to modify file and folder access permissions on NTFS drives in Windows XP, Vista, 7, 8, 8.1 and 10

File system permissions are an essential method of securing one's private data. In Windows, you can set permissions on NTFS-formatted partitions/drives; other file systems, such as FAT, FAT32 and exFAT, do not support access restrictions, aka Access Control Lists (ACLs).
See this tutorial to convert your FAT/FAT32 drive to NTFS without losing any data.

Best security practices include protecting whole folders instead of individual files and enforcing security inheritance on subfolders. If there are many users and many folders requiring different permissions, it is recommended to grant access using user groups, not individual users. In most cases, basic access rights work best; the usage of advanced ones can easily create frustration and end up losing access to required resources.

One should never try changing permissions of the whole system drive (the drive/partition where Windows is installed); or system folders or their subfolders, such as Windows, Program Files/Program Files (x86) or ProgramData. Always have a backup ready in case something goes awfully wrong.

Windows XP considerations

Windows XP Home Edition does not support setting file system access restrictions, even on NTFS-formatted drives. Windows XP Professional and all newer editions and versions of Windows have the required tools built in. You can use the keyboard shortcut Windows Key+Break/Pause to check the version and edition of Windows.

To see the Security tab in Windows XP Professional, you must disable simple file sharing first. Launch Windows Explorer using the keyboard shortcut Windows Key+E (or double-click My Computer), open the Tools menu and click Folder Options.
Later versions of Windows (Vista, 7, 8 and 8.1) have the Security tab visible at all times.
Windows XP Professional, Windows Explorer. To enable file system security options, click Tools and then click Folder Options.

Open View tab, scroll to the bottom of the Advanced settings list and clear the Use simple file sharing (Recommended) check box. Click OK to apply the changes.
Folder options are described in more detail here.
Windows XP Professional, Windows Explorer, Folder Options, View tab. To enable file system security options, disable the 'Use simple file sharing' option.

In Windows XP Home Edition, you can still make your own user profile folder (including the My Documents folder) private by opening Windows Explorer, navigating to C:\Documents and Settings folder, right-clicking your user folder and clicking Properties. Then open the Sharing tab and turn on the Make this folder private option.
Windows XP Home Edition, Windows Explorer, user folder properties. To deny other users' access to your private files, open Sharing tab and enable the 'Make this folder private' option.

Changing or viewing basic file or folder permissions in Windows

As noted earlier, it is strongly recommended to apply permissions to folders, not individual files. The main reason is security inheritance: by default, all items inherit their Access Control List (ACL) from the folder they are in (if the Read & Execute option is enabled). So if you change the Access Control Entries (ACEs, the per-user or per-group entries) of a file, the permissions might stay effective only until the next time you modify and save the file. After saving, the file inherits the permissions of its parent folder, and the item might no longer be private enough, or might no longer be accessible at all.

This limitation gives you an opportunity to organize files into different folders and apply security to these folders. The bright side of this is that you can then locate and manage your files in an easier way.

To view or modify file/folder permissions in Windows, locate and right-click it in Windows/File Explorer and click Properties. The keyboard equivalent is to use shortcut Alt+Enter on a selected item.

The file or folder properties window opens. Open the Security tab to see the currently effective permissions. The top part of the window (Group or user names) lists users and groups that have been granted or denied some sort of access to the item; the bottom part (Permissions for <selected group or user>) lists the selected user's or group's basic access rights to the item.

In Windows XP, you can select a user or a group (aka principal) and change its permissions right away; in Windows Vista and newer, you must first click the Edit button (all items in the bottom half of the window are grayed out/disabled by default).
Windows XP Professional, folder properties, Security tab. The top part lists users and groups that have an ACE to the folder; the bottom half lists permissions of the selected user or group.
Windows 7, folder properties, Security tab. The top part lists users and groups that have an ACE to the folder; the bottom half lists permissions of the selected user or group.
Windows 7, folder permissions, Security tab. You can now modify access rights.

The basic access rights to an item/object are as follows:

  • Full Control - can create items; see, open, read, write, delete the item; modify access rights and attributes and take ownership of the item. Selecting the box enables all other options.
  • Modify - can create items; see, open, read, write and delete the item; view access rights and modify attributes. Activating the option enables all checkboxes below it.
  • Read & Execute - can see, open/launch and read the item. Selecting the option enables the List folder contents and Read items.
  • List folder contents - applies to folders only, same rights as Read & Execute, but applies to sub-folders only (not to files in these).
  • Read - can see, open and view permissions and attributes of the item. The most basic right.
  • Write - can create items; see, open, read, write, synchronize and delete the item. Viewing permissions and attributes is also allowed.
  • Special permissions - customized rights that fall out of the scope of basic rights.

Please avoid using the Deny check boxes, as these override granted permissions. Windows always uses the most restrictive permissions!

If you enable the Read & Execute option of a folder, all sub-folders and files will inherit permissions from it. Disabling it and using the List folder contents option instead will enforce the rights to sub-folders only, excluding files. The latter allows independent access rights to individual files within folders and sub-folders.

To add a user or a group, click the Add... button in the top half of the item properties window.
To delete an Access Control Entry (ACE), click the Remove button. Be careful - you do not want to remove your own access rights! If you've accidentally removed your own right, click the Cancel button and start over.

This example lists usual permissions to a user profile folder: Administrators group, SYSTEM and the user account itself have full control of the folder and its subfolders and files. No other accounts should be listed here.
User profiles are stored in subfolders of the C:\Users\ folder in Windows Vista, 7, 8/8.1 and 10; and in subfolders of the C:\Documents and Settings\ folder in Windows XP.
Windows XP Professional, folder properties, Security tab. The top part lists users and groups that have an ACE to the folder; the bottom half lists permissions of the selected user or group.

The Select Users or Groups dialog opens. Here you can either type in the names of groups or users (separated by semicolons) and click the Check Names button for verification, or click the Advanced button to list all available group and user names.
If you have a local network (HomeGroup, Workgroup, Domain), you can also choose users from other Windows PCs on the same network using the Location button. You might have to enter a user name and password (use administrative accounts only) for the remote PC first.
Windows XP Professional, Select Users or Groups. Click 'Advanced' to look for available users and groups.

After using the Advanced button, click Find Now.
Windows XP Professional, Select Users or Groups, Advanced. Click Find Now.

The list of all users and groups appears. You can either select one item at a time, hold down the Shift key to select consecutive items, or hold down the Ctrl key to select non-adjacent items.
After selecting the required users or groups, click OK.
Windows XP Professional, Select Users or Groups, Advanced. Select necessary users and groups. Then click OK.

Click OK back in the Select Users or Groups window to add the selected item(s) to Access Control List.
Windows XP Professional, Select Users or Groups. Click OK to add the selected users or groups.

By default, the added users and groups will receive the Read & Execute, List Folder Contents and Read permissions. You can adjust the rights by selecting or deselecting available checkboxes for each added account.
Click OK after you're done adjusting the access permissions.
Windows XP Professional, folder properties, Security tab. Select a user or a group from above and then adjust its access rights in the bottom part of the window.

There are special accounts available in Windows. You should use these with caution and only if you fully understand what kind of access they allow or deny.

  • Anonymous Logon - network users that have not specified user name and password. This applies best to web servers and is not recommended while securing or sharing folders and files.
  • Authenticated Users - any user who has successfully logged on with user name and password. This does not include the Guest account even if it is password-protected.
  • Creator Owner and Creator Group - identifies the user or group who created the selected file or folder. You can use these entries for protected folders to allow deleting temporary files that many programs such as Microsoft Word or Microsoft Excel automatically create after opening a document. The owner can read, modify and delete such items, but other non-administrative users cannot erase these accidentally.
  • Dialup - users who access the computer over a dial-up (modem) connection.
  • Everyone - any user who accesses the computer, including Guest account. Anonymous Logon is excluded.
  • HomeUsers - available in Windows 7, 8, 8.1 and 10 only, all members of the HomeGroup that this PC has joined. If the computer is not in a HomeGroup, the item is not visible.
  • Interactive - any user who has logged on locally (not over the network).
  • Network - any user who has logged on over the network (not locally). This excludes users who have logged on over a Remote Desktop connection.
  • Remote Interactive Logon - any user who has logged on over Remote Desktop Connection (not locally or over a direct network connection).
  • SID numbers without friendly names, such as S-1-15-3-1024... - found only in Windows 8, 8.1 and 10. These are capability SIDs, used as an "un-forgeable token of authority that grants a Windows component or a Universal Windows Application access to resources such as documents, cameras, locations, and so forth". Never remove these SIDs from Registry and file system entries!
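As an added example (not from the article), the following PowerShell script walks a folder tree and reports every explicit Allow entry that gives one of the broad identities above (Everyone, Anonymous Logon, Authenticated Users, Users, Interactive, Network) a right that changes data, permissions or ownership. It assumes Windows PowerShell 5.1 or later and a constructed path in $Root.

```powershell
# Added example, not part of the article: find explicit ACEs that grant
# write-type rights to broad identities. Assumes Windows PowerShell 5.1+.
$Root = 'C:\Shared'   # constructed example path; replace with the tree to audit

# Identities from the list above that should rarely hold write-type rights.
$BroadIdentities = @(
    'Everyone',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'NT AUTHORITY\INTERACTIVE',
    'NT AUTHORITY\NETWORK'
)

# Rights that let a principal change content, permissions or ownership.
$WriteLike = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Find-BroadWriteAce {
    param([string]$Path)
    # The root itself plus every file and folder below it.
    $targets = @($Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName })
    foreach ($target in $targets) {
        $acl = Get-Acl -LiteralPath $target -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            # Inherited entries only repeat the parent; report where they are set.
            if ($ace.IsInherited) { continue }
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if ($BroadIdentities -notcontains $id) { continue }
            if (([int]$ace.FileSystemRights -band [int]$WriteLike) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $target
                Identity  = $id
                Rights    = $ace.FileSystemRights
                AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            }
        }
    }
}

Find-BroadWriteAce -Path $Root | Format-Table -AutoSize
```

An empty result means no folder or file in the tree carries its own broad write-type grant; inherited entries are traced back to the folder where they were set.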

Basic example

You are the administrator and you have a folder that you want to share with other users on this computer. However, non-administrative users should not be able to delete documents other than their own.

  1. Add Administrators group with Full Control permission. This includes your own account.
  2. Add Users group with Read & Execute and Write permissions. This gives ordinary (limited) users permission to open and modify all files, but not to delete these.
  3. Add Creator Owner account with Full Control permission. This means that anyone who creates a new file or folder can also delete it. Other non-administrative users cannot delete the item.
  4. Add the special SYSTEM account with Full Control permission. This ensures that files can be properly backed up, defragmented, etc. by scheduled tasks.

If you want users to be able to delete or move any document, give the Users group Read & Execute and Modify permissions. The latter also includes Write permission.
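The same four entries can be applied from PowerShell instead of the Security tab. This is an added example, not the article's own procedure; it assumes an elevated Windows PowerShell 5.1 or later session and a constructed folder path in $Folder.

```powershell
# Added example, not part of the article: apply the "Basic example" ACL with
# Get-Acl/Set-Acl. Assumes an elevated Windows PowerShell 5.1+ session.
$Folder = 'C:\Shared'   # constructed example path
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

$FullControl   = [System.Security.AccessControl.FileSystemRights]::FullControl
$ReadExecWrite = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'
$ThisSubsFiles = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$ApplyHereToo  = [System.Security.AccessControl.PropagationFlags]::None
$SubsFilesOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$Allow         = [System.Security.AccessControl.AccessControlType]::Allow

# The four entries from the article. CREATOR OWNER is inherit-only: Windows
# stamps it onto each new file or subfolder as the creator's own Full Control
# entry, which is what lets a user delete only the items they created.
$Entries = @(
    @{ Identity = 'BUILTIN\Administrators'; Rights = $FullControl;   Propagation = $ApplyHereToo  }
    @{ Identity = 'BUILTIN\Users';          Rights = $ReadExecWrite; Propagation = $ApplyHereToo  }
    @{ Identity = 'CREATOR OWNER';          Rights = $FullControl;   Propagation = $SubsFilesOnly }
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = $FullControl;   Propagation = $ApplyHereToo  }
)

function Set-SharedFolderAcl {
    param([string]$Path, [array]$AccessEntries)
    $acl = Get-Acl -LiteralPath $Path
    # Disable inheritance and discard the inherited entries (the Remove choice
    # in the GUI); use ($true, $true) instead to keep them as explicit copies.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($e in $AccessEntries) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($e.Identity, $e.Rights, $ThisSubsFiles, $e.Propagation, $Allow)
        $acl.AddAccessRule($rule)
    }
    # All changes are written in one step, so the folder is never left without an ACL.
    Set-Acl -LiteralPath $Path -AclObject $acl
}

Set-SharedFolderAcl -Path $Folder -AccessEntries $Entries

# Show the result; every entry should now be explicit (IsInherited = False).
(Get-Acl -LiteralPath $Folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```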

Advanced options of file system permissions in Windows

The previous section covered basic permissions that are normally fine for everyday use. Advanced settings include more granular control over access rights of folders, sub-folders and files; and cover inheritance, ownership, and permission testing.

As usual, right-click the object (file or folder) you want to customize and choose Properties. Then open Security tab and click Advanced in the bottom half of the window.
Windows XP Professional, folder properties, Security tab. To view detailed options, click Advanced.

In Windows XP, an editable list of permission entries appears right away. In Windows Vista, 7, 8, 8.1 and 10, you must click the Change Permissions button first to modify the listed rights. This opens a separate window.
Windows 7, folder properties, Advanced Security Settings, Permissions tab. To edit the listed access rights, click Change Permissions.

You are now able to add or remove permissions from the Access Control List (ACL) using the corresponding buttons.
To change advanced rights for a user or a group, click its entry and then click Edit.
Windows XP Professional, folder properties, Advanced Security Settings, Permissions tab. To change advanced rights for the selected user or group, click Edit.

For folders, you can choose how the permissions affect items in it using the Apply onto (Windows XP), Apply to (Windows Vista and 7) or Applies to (Windows 8 and 8.1) combo box. The entries are self-explanatory; This folder, subfolders and files is selected by default. This enforces the listed rights on each and every file, sub-folder and all files in all sub-folders. Using such granularity, you can create different access rights for files in the current folder, for subfolders and their files, etc.
For clarity, try avoiding advanced permissions and use different top-level folders for items that require different permissions.
For files, this option is disabled.
Windows XP Professional, folder properties, Advanced Security Settings, Permissions Entry window. Use the Apply onto combo box to select how deep the access rights go.
Windows 8, folder properties, Advanced Security Settings, Permissions Entry window. Use the Applies to combo box to select how deep the access rights go.

To change advanced permissions, tick or clear the appropriate check boxes.
In Windows 8/8.1 and 10, you must click the Show advanced permissions link on the right first (see the image above).
Windows 8, folder properties, Advanced Security Settings, Permissions Entry window. Use check boxes to grant appropriate rights for the selected user or group.

If all these options are grayed out, there is a line at the top of the window warning about inherited rights. You cannot change the access rights unless you disable inheritance for the object.

Enabling or disabling inherited permissions

Inheritance eases the creation of security settings so that you do not have to apply the same permissions to each and every subfolder. All you need to do is to create Access Control List (ACL) for the parent folder and all subfolders and files will inherit these automatically. That is, if the inheritance is enabled (it is by default) and the Read & Execute option (discussed earlier in this article) for the folder is enabled.

To break the inheritance for a folder or a file, clear the Inherit from parent the permission entries that apply to child objects (Windows XP) or Include inheritable permissions from this object's parent (Windows Vista and 7). In Windows 8, 8.1 and 10, click the Disable inheritance button.
Windows XP Professional, folder properties, Advanced Security Settings, Permissions tab. To disable ACL inheritance, clear the 'Inherit from parent the permission entries that apply to child objects' box.
Windows 8, folder properties, Advanced Security Settings, Permissions tab. To disable ACL inheritance, click Disable inheritance.

A warning dialog will appear. In Windows XP, click Copy; in Windows Vista and 7, click Add. In Windows 8/8.1 and 10, click Convert inherited permissions into explicit permissions on this object.
This will disable inheritance, turn the previously inherited rights into explicit rights and save you some time by keeping the default permission entries (you do not have to start creating access rights from scratch).
Windows XP Professional, Security warning about disabling inheritance. Click Copy to convert inherited rights into explicit rights.
Windows 7, Windows Security warning about disabling inheritance. Click Add to convert inherited rights into explicit rights.
Windows 8, Block Inheritance warning about disabling inheritance. Click 'Convert inherited permissions into explicit permissions on this object'.

Now you have a set of default permissions that you can modify as you like. As always, I suggest using basic access rights instead of advanced permissions. Just click OK to close the Advanced Security Settings window and define the ACL in the folder or file properties window.

If required, you can also replace all access rights of subfolders and files by enabling the Replace permission entries on all child objects with entries shown here that apply to child objects (Windows XP) or Replace all child object permissions with inheritable permissions from this object (Windows Vista and later) option.
Then click OK.
Windows XP Professional, folder properties, Advanced Security Settings, Permissions tab. To replace access rights of all subfolders and files, turn on the 'Replace permission entries on all child objects with entries shown here that apply to child objects' option.

This will spawn another warning window, click Yes. Please be aware that this will remove all customized access rights of subfolders and files.
Windows XP Professional, Security warning about removing explicitly defined permissions. Click Yes to enable inheritance on subfolders and files.
Windows 8, Windows Security warning about replacing explicitly defined permissions. Click Yes to enable inheritance on subfolders and files.

To re-enable inheritance, put a check mark in the Inherit from parent the permission entries that apply to child objects (Windows XP) or Include inheritable permissions from this object's parent (Windows Vista and 7) box. In Windows 8/8.1 and 10, click the Enable inheritance button.
This will add access rights from the parent folder, but your customized permissions will also remain intact.

Viewing or changing the owner of a folder or a file

In its simplest form, the owner is the user who created the file or the folder. In Windows XP, the owner has full permissions to the item; later versions of Windows grant full access only if the Creator Owner or Creator Group account is included in basic or advanced permissions.
To change an object's ownership, you must either have Full Control permissions to it or your user account must be a member of the Administrators group.

In Windows XP, Vista and 7, open the Owner tab of Advanced Security Settings window. The current owner is listed in the Current owner of this item (Windows XP), Current Owner (Windows Vista and 7) or Owner (Windows 8, 8.1 and 10) field.
Just as with access rights, Windows XP allows modifications right away; Windows Vista and 7 users must first click the Edit button, and Windows 8/8.1/10 users must click the Change link.
Windows XP Professional, folder properties, Advanced Security Settings, Owner tab.
Windows 7, folder properties, Advanced Security Settings, Owner tab. Click Edit to change the owner.
Windows 8, folder properties, Advanced Security Settings. Click Change to modify the owner.

Now you can select a different administrative account or group in Windows Vista and 7, or click Change again in Windows 8/8.1 or 10 to select one from a list.
To replace the owner of all subfolders and files also, enable the Replace owner on subcontainers and objects option. In Windows XP, this will grant full access rights to the selected user or group.
Windows 7, folder properties, Advanced Security Settings, Owner tab. Select an administrative account or group and click OK to change the owner.
Windows 8, folder properties, Advanced Security Settings. Select an administrative account or group using the Change link.

In Windows XP, Vista and 7, close and re-open all Properties windows to see new access rights. Windows Vista and 7 will pop up an informative dialog about this.
Windows 8 and 8.1 will close the windows automatically, so you must re-open these.
Windows 7, Windows Security, you will need to close and reopen this object's properties before you can view or change permissions. Click OK.

Because NTFS permissions can be circumvented by experienced users this way, it is always better to use either Encrypting File System or VeraCrypt to keep your most sensitive data protected.

In case you connect an NTFS-formatted drive from another computer, and you cannot even see the amount of free space on the drive (a bunch of access denied errors for every action you try), follow these steps:

  • Caution: never try this on a system drive (the drive where Windows is installed, usually drive letter C:\) - this can make Windows unbootable.
  • Take ownership of the whole drive, but select a user account with administrator rights instead of a security group. Ignore error messages while the owner of all objects on the drive is being changed. Close the open drive properties window, if necessary.
  • Re-open properties of the drive, go to Security tab, grant Full Control permissions to the same user account you used before and click OK.
  • The drive is now accessible; give Full Control rights to the SYSTEM account and the Administrators group.

If you go back to the original computer, you must repeat the steps above to access the drive.

Checking effective access rights for a group or a user

Windows also has the Effective Permissions (Windows XP, Vista and 7) or Effective Access (Windows 8, 8.1 and 10) tab that allows verifying that a user or a group has all required permissions. This is mostly intended for complex environments with many groups and users, but it is also good for home users.

Click the Select button in Windows XP, Vista or 7. Windows 8/8.1 and 10 users should click the Select a user link instead.
Windows XP Professional, folder properties, Advanced Security Settings, Effective Permissions tab. Click Select to choose a user or a group.
Windows 8, folder properties, Advanced Security Settings, Effective Access tab. Click 'Select a user' to choose a user or a group.

The Select User or Group window opens. Either type the name of the user or group and click Check Names to verify the account, or click Advanced and then Find Now to list all available accounts.
Click OK.
Windows XP Professional, Select User or Group. Type a user or group name and click Check Names. Then click OK.

In Windows XP, Vista and 7, the list of effective access rights appears. In Windows 8/8.1 and 10, you must click the View effective access button first.
Windows XP Professional, folder properties, Advanced Security Settings, Effective Permissions tab. Effective access rights for the selected user or group.
Windows 8, folder properties, Advanced Security Settings, Effective Access tab. After choosing a user or group, click View effective access.
Windows 8, folder properties, Advanced Security Settings, Effective Access tab. List of effective access rights.
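As an added example (not from the article), the following PowerShell function reproduces what the Effective Permissions/Effective Access tab computes for the current user, from the item's DACL alone. It assumes Windows PowerShell 5.1 or later and a constructed path in $Item, and it ignores share permissions, the owner's implicit rights and privileges such as Backup or Take Ownership, which the Windows dialog may also factor in.

```powershell
# Added example, not part of the article: compute the current user's effective
# NTFS rights on an item from its DACL. Assumes Windows PowerShell 5.1+.
$Item = 'C:\Shared\report.docx'   # constructed example path

# Inherited entries sometimes carry generic rights; map them to specific bits.
function ConvertTo-SpecificMask {
    param([int]$Mask)
    $m = [int64]$Mask -band 0xFFFFFFFF
    $specific = $m -band 0x1F01FF                                       # FullControl bits
    if ($m -band 0x10000000) { $specific = $specific -bor 0x1F01FF }    # GENERIC_ALL
    if ($m -band 0x80000000) { $specific = $specific -bor 0x120089 }    # GENERIC_READ
    if ($m -band 0x40000000) { $specific = $specific -bor 0x120116 }    # GENERIC_WRITE
    if ($m -band 0x20000000) { $specific = $specific -bor 0x1200A0 }    # GENERIC_EXECUTE
    return $specific
}

function Get-EffectiveRights {
    param(
        [string]$Path,
        [System.Security.Principal.WindowsIdentity]$Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )
    # The caller's own SID plus every group and special identity in its token
    # (Everyone, Authenticated Users, INTERACTIVE and so on are all listed here).
    $mySids = @($Identity.User.Value) + @($Identity.Groups | ForEach-Object { $_.Value })

    $acl = Get-Acl -LiteralPath $Path
    # Request the entries with SIDs so unresolvable accounts do not break lookups.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $granted = 0
    $decided = 0
    # Walk the DACL in stored order: explicit Deny, explicit Allow, inherited
    # Deny, inherited Allow. Each right is settled by the first matching entry,
    # so an explicit Allow beats an inherited Deny for the same right.
    foreach ($ace in $rules) {
        if ($mySids -notcontains $ace.IdentityReference.Value) { continue }
        $mask = (ConvertTo-SpecificMask ([int]$ace.FileSystemRights)) -band (-bnot $decided)
        if ($ace.AccessControlType -eq 'Allow') { $granted = $granted -bor $mask }
        $decided = $decided -bor $mask
    }
    return [System.Security.AccessControl.FileSystemRights][int]$granted
}

Get-EffectiveRights -Path $Item
```

The function prints the combined right names, for example FullControl or ReadAndExecute; a result of 0 means no entry in the DACL grants the current user anything.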

Using Command Prompt for modifying permissions (for advanced users only)

Before trying any of these advanced tools, make sure you have a full, recent backup of your device in case something goes very wrong.

You must be a member of the Administrators group in order to run these commands.

Pay very close attention to spaces in the commands.
You can right-click or touch and hold inside the Command Prompt window to find the Paste command. In Windows 10's Command Prompt, keyboard shortcut Ctrl+V works, too.

In Windows XP, open the Run dialog using the keyboard shortcut Windows Key+R or by opening the Start menu and clicking Run. Type cmd and click OK.
In Windows Vista, 7 and 10, open Start menu and type cmd into the Search box. Right-click cmd.exe or Command Prompt and select Run as administrator. This will open the so-called elevated command prompt.
In Windows 8 and 8.1, open Start screen and type "cmd". Right-click or tap and hold Command Prompt and choose Run as administrator.
Windows XP, Run dialog. To open Command Prompt, type 'cmd' and click OK.
Windows Vista, Start menu. To open elevated Command Prompt, type 'cmd', right-click the result and click Run as administrator.
Windows 8, Start screen, Apps search. To run Command Prompt with elevated rights, type 'cmd' into Search box. Right-click Command Prompt and click 'Run as administrator' in App bar.

If necessary, click Continue or Yes in the User Account Control prompt. After this, a black Command Prompt window will open.

Taking ownership of an item with takeown

If you have a folder, drive or file with such permissions that you cannot use the Security tab for modifying user access, you can use the takeown command instead.

Never run this command on important system folders such as C:\Windows, C:\Program Files, C:\Program Files (x86) or C:\ProgramData! See the icacls tool for restoring default permissions of system folders.

For example, to take ownership of a folder named "NoAccess" on drive C:, type or copy-paste the following command inside elevated Command Prompt window. Please note that the path to a folder is usually enclosed in quotes or double quotes.

takeown /F "C:\NoAccess" /R /A /D Y

The /R switch means that the command runs recursively, or applies to every subfolder and file inside the NoAccess folder.
The /A switch gives ownership to the Administrators group, not your current user account. This is always the preferred method. You can skip the /A switch for files or private folders only.
The /D Y switch suppresses prompts for subfolders if your user account does not have the list folder permission for one or more subfolders; the ownership is taken automatically then.

Press Enter key once to run the command.

To take ownership of a whole drive, find out its drive letter in Windows/File Explorer (drive letter T: is used in this example) and then run the following command:

takeown /F T:\ /R /A /D Y

Similarly, taking ownership of a file means finding out its full path in Windows/File Explorer and using it in the takeown command. Since Windows Vista, you can locate the file in Windows Explorer, press and hold down the Shift key, right-click the file and choose the Copy as path command. Then type takeown /F followed by a space, right-click inside the Command Prompt window and paste the full path. Either add the /A switch and press Enter, or just press Enter if you want your user account to be the owner of the file.
Please note that you cannot use the /R and /D Y switches as files do not have subfolders.

For example, takeown /F "C:\Users\margus\Downloads\MicrosoftFixit50202.msi"

After this, open Windows/File Explorer and try modifying permissions for the item.

Restoring default permissions to registry, services and system folders with secedit and icacls

In case some malware has fiddled with access rights to a system folder or registry, you can restore the default permissions using Command Prompt. See the previous section on how to open elevated Command Prompt if you have not already done so.

Do not run the following commands unless your computer has a specific problem with permissions.

First, fix permissions to registry and important system services by copying and pasting (right-click inside Command Prompt to paste) the following command:

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

Press Enter key once to reset Registry and essential services' permissions, and apply defaults to Event Logs and Local Security Policy. The same command works in Windows XP, Vista, 7, 8/8.1 and 10.
Ignore errors that might appear during the command.

To repair permissions/access rights of important system folders, use the icacls tool.
If Windows is installed on a drive other than C:, find out the correct path to the Windows installation folder with the cd /D %windir% command: this changes the active path to the correct drive and folder, which the prompt then shows, for example C:\Windows. Ignore the last character of the prompt, ">" by default.

Run the following commands:

  • icacls "C:\Windows" /reset /T /C /Q - replace "C:\Windows" with the correct path if Windows is installed to a non-default location.
  • icacls "C:\Program Files" /reset /T /C /Q - replace "C:" with correct drive letter if necessary.
  • icacls "C:\Program Files (x86)" /reset /T /C /Q - only required on 64-bit Windows Vista or newer; replace "C:" with correct drive letter if necessary.
  • icacls "C:\ProgramData" /reset /T /C /Q - only on Windows Vista and newer; replace "C:" with correct drive letter if necessary.

You might see many "Access is denied" messages while the commands run; please ignore these. To finish the repair process, a restart is required.

The article NTFS permissions in Windows appeared first on www.winhelp.us