Understanding ACLs in NTFS File System

Each folder and each file on an NTFS-formatted volume has an ACL (also known as DACL, for discretionary access control list, and commonly called NTFS permissions). An ACL comprises an access control entry (ACE) for each user who is allowed access to the folder or file. With NTFS permissions, you can control access to any file or folder, allowing different types of access for different users or groups of users.

To view and edit NTFS permissions for a file or folder, right-click its icon and choose Properties. The Security tab lists all the groups and users with permissions set for the selected object, as shown below. Different permissions can be set for each user, as you can see by selecting each one.


To make changes to the settings for any user or group in the list, or to add or remove a user or group in the list, click Edit. (Use caution. Setting NTFS permissions without understanding the full consequences can lead to unexpected and unwelcome results, including a complete loss of access to files and folders. The permission-setting capabilities of the Sharing wizard provide far greater flexibility and power than were possible in the basic Windows XP interface. Before you delve into the inner workings of NTFS permissions on the Security tab, be sure to try the Share With command or the Sharing tab, both of which invoke the Sharing wizard unless it has been disabled.)

The access granted by each permission type is as follows:

●  Full Control: Users with Full Control can list contents of a folder, read and open files, create new files, delete files and subfolders, change permissions on files and subfolders, and take ownership of files.

●  Modify: Allows the user to read, change, create, and delete files, but not to change permissions or take ownership of files.

●  Read & Execute: Allows the user to view files and execute programs.

●  List Folder Contents (folders only): Provides the same permissions as Read & Execute, but can be applied only to folders.

●  Read: Allows the user to list the contents of a folder, read file attributes, read permissions, and synchronize files.

●  Write: Allows the user to create files, write data, read attributes and permissions, and synchronize files.

●  Special Permissions: The assigned permissions don’t match any of the preceding permission descriptions. To see precisely which permissions are granted, click Advanced.
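The entries the Security tab lists can also be read from PowerShell, which helps when reviewing many folders. The function below is an added example, not part of the original article: it reads each ACE with Get-Acl and reports which of the basic permissions above its rights cover. The function name Get-BasicNtfsPermission is hypothetical, and the path in the last line is only a sample target.

```powershell
# Added example. Get-BasicNtfsPermission is a hypothetical helper name.
function Get-BasicNtfsPermission {
    param([Parameter(Mandatory)][string]$Path)

    $rights = [System.Security.AccessControl.FileSystemRights]
    # Synchronize is often set alongside the basic rights, so it is
    # ignored when comparing an ACE against the basic permissions.
    $noSync = -bnot ([int]$rights::Synchronize)

    # Basic permissions from the list above, broadest first.
    # List Folder Contents carries the same rights as Read & Execute,
    # so it is not listed separately here.
    $basic = [ordered]@{
        'Full Control'   = [int]$rights::FullControl
        'Modify'         = [int]$rights::Modify
        'Read & Execute' = [int]$rights::ReadAndExecute
        'Read'           = [int]$rights::Read
        'Write'          = [int]$rights::Write
    }

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $bits    = [int]$ace.FileSystemRights -band $noSync
        $names   = @()
        $covered = 0
        foreach ($name in $basic.Keys) {
            $mask = $basic[$name] -band $noSync
            # The ACE covers a basic permission when every bit is present.
            if (($bits -band $mask) -eq $mask) {
                $names  += $name
                $covered = $covered -bor $mask
            }
        }
        # Bits not explained by any basic permission (or an ACE that
        # matches none of them) are reported as Special Permissions.
        if (($bits -ne $covered) -or ($names.Count -eq 0)) {
            $names += 'Special Permissions'
        }

        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType   # Allow or Deny
            Inherited   = $ace.IsInherited
            Permissions = $names -join ', '
        }
    }
}

# Sample call against the current user's temp folder.
Get-BasicNtfsPermission -Path $env:TEMP | Format-Table -AutoSize
```

Because the broader permissions contain the narrower ones, an ACE granting Modify is also reported with Read & Execute, Read, and Write, which matches how the check boxes on the Security tab are filled in.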
