Windows Vista : Permissions and Security (part 1) - Set Permissions for a File or Folder

3/19/2013 3:16:35 AM

Setting the permissions for a file or folder allows you to permit some users to read or change your files while restricting access to others. Problem is, Vista's defaults draw only one line, between your own account and everybody else: to let a particular person at your files, or to lock a folder down further than the default, you'll have to set the permissions yourself.

So, before you start messing with permissions, you'll need to turn off the Sharing Wizard (the feature Windows XP called Simple File Sharing). Open Control Panel and then Folder Options, choose the View tab, and turn off the Use Sharing Wizard option at the end of the Advanced Settings list. Click OK when you're done.

Note that permissions can only be used on files and folders stored on NTFS volumes; a drive formatted FAT or FAT32 has no Security tab at all. The General tab of a drive's Properties window shows which file system it uses.

1. Set Permissions for a File or Folder

Shockingly, Microsoft actually took default permissions seriously when designing Windows Vista. In previous versions of Windows, everyone with an account on your PC had access to every file on your hard disk; if you wanted to protect your private data, you had to take matters into your own hands. In Vista, defaults are set to protect your private data from other users, and to protect Windows operating system files from all users.

Of course, no progress is without its price. Some of Vista's defaults are so restrictive that they can break certain software not expressly written for Vista.

To give someone access to your files, or to further restrict access, you'll need to mess with his or her permissions. Of course, it gets a little confusing when you realize that there are two different Permissions windows for any given object (file, folder, printer, etc.).

Object permissions

Right-click any file, folder, drive, or printer, select Properties, and choose the Security tab to view or change the permissions for the selected object(s). (Registry keys carry the same kind of permissions, but you reach them by right-clicking the key in the Registry Editor and selecting Permissions.) These settings affect how the object is accessed by users on your machine (including you).

Share permissions

Right-click any file, folder, drive, or printer, select Properties, choose the Sharing tab, click Advanced Sharing, and then click the Permissions button to view or change the share permissions for the selected object(s). These settings affect whether users on other PCs on your network can read or write to your shared files or print to your shared printers.

Fortunately, all Permissions windows look and work the same; the only difference is their scope. Keep in mind that someone reaching a shared folder over the network is checked against both sets: the share permissions and the object permissions both apply, and the more restrictive of the two wins. Figure 1 shows a typical Permissions window.

Figure 1. The standard Permissions window allows you to permit or deny access to other users on your computer or in your workgroup

Typically, a single entry, "Everyone," will appear at the top of the list. In the example in Figure 1, only five single users are shown here. Any user not in the list (and not a member of any group in the list) will not be allowed to view or modify the object.

Permissions protect files from other user accounts only. If you walk away from your PC while you're logged in, for example, someone else sitting down at your keyboard will have full access to all your files, regardless of permissions or even encryption. This is why—when your PC is in a public place, anyway—it's a good idea to use the "On resume, display logon screen" option in the Screen Saver Settings window.

Select any user in the list, and then use the checkboxes in the list below to modify the permissions for that user. In this example, members of the Everyone group are allowed to read the selected file, but not allowed to write to it. Although this window only shows the permissions for one user or group at a time, you can click Advanced to see a better overview, as shown in Figure 2.

In some cases, when you attempt to remove or modify permissions in the standard Permissions window (Figure 1), Windows will complain about the fact that the object is inheriting permissions. The reason is the Include inheritable permissions from this object's parent option (what XP called Inherit from parent) in the Advanced Security Settings dialog shown in Figure 2.

Figure 2. Open the Advanced Security Settings window to see all users and permissions for an object at once

1.1. Inheritance and ownership

Inheritance can be confusing at first, but it does save time in the long run. Essentially, if you set the permissions of a folder, those permissions will propagate to all of the files and subfolders contained therein (although Windows will usually ask you whether or not you want this to happen). When the permissions for a "parent" folder trickle down to a "child" folder or file, that child object is said to "inherit" the permissions of its parent folder. Furthermore, the child's inherited permissions are locked, at least until you turn off the aforementioned Include inheritable permissions from this object's parent option. When you do turn it off, Windows asks whether to Copy the inherited entries (they stay on the object as ordinary entries you can then edit) or Remove them (the object keeps only the entries set directly on it, which may be none at all, so make sure your own account is listed before you choose Remove).
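The same three operations (stop inheriting while keeping copies of the inherited entries, add an entry that propagates to subfolders and files, and see which entries on a child are the locked, inherited ones) done from Windows PowerShell. This is an added example, not code from the original article; it assumes PowerShell is installed (an optional download on Vista, built in from Windows 7 on), and the folder path and account name are placeholders to replace.

```powershell
# Added example for this article, not code from the original text. Assumes
# Windows PowerShell (an optional download on Vista, built in from Windows 7)
# and that $Folder and $Account are placeholders you replace.
$Folder  = 'C:\Users\Public\Projects'        # placeholder folder
$Account = "$env:COMPUTERNAME\Seth"          # placeholder local account

# Stop the folder inheriting from its parent. The second argument ($true)
# keeps the inherited entries as explicit ones, which is what the Advanced
# Security Settings dialog does when you answer "Copy" instead of "Remove".
function Disable-Inheritance {
    param([string]$Path, [bool]$KeepExistingEntries = $true)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $KeepExistingEntries)
    Set-Acl -Path $Path -AclObject $acl
}

# Add an Allow entry that propagates to everything below the folder
# ("This folder, subfolders and files" in the Permission Entry window).
function Grant-InheritableAccess {
    param([string]$Path, [string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# List each child's entries and whether they are inherited. Inherited entries
# are the greyed-out ones the standard Permissions window won't let you edit.
function Show-Inheritance {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse | ForEach-Object {
        $item = $_
        foreach ($ace in (Get-Acl -Path $item.FullName).Access) {
            '{0,-45} {1,-28} {2,-14} inherited={3}' -f $item.FullName,
                $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited
        }
    }
}

Disable-Inheritance     -Path $Folder
Grant-InheritableAccess -Path $Folder -Identity $Account -Rights Modify
Show-Inheritance        -Path $Folder
```

Run Show-Inheritance before and after the other two calls and the difference is the point of the section: the entries you add on the folder show up on every child with inherited=True, and a child can't shed them until its own inheritance is switched off.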

The Auditing tab in the Advanced Security Settings window allows you to log access activity relating to the selected object. Before auditing will work, you'll need to set up an auditing policy by opening the Group Policy window (gpedit.msc). Then, navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy, and double-click an entry in the right pane to instruct Windows to start keeping track of those events. For the Auditing tab of a file or folder the entry that matters is Audit object access; without it, the entries you add there generate nothing (Audit logon events, Audit privilege use and the rest cover other kinds of activity). Later on, open the Event Viewer (eventvwr.msc) and look in the Security log to view the corresponding events. Note that settings in the Auditing tab also obey the inheritance scheme just discussed.
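The whole chain from the command line: enable the audit policy, add an audit entry to a folder, and read back the resulting events. This is an added example, not code from the original article. It assumes an elevated Windows PowerShell session (PowerShell is an optional download on Vista, built in from Windows 7 on; auditpol and wevtutil ship with Vista), and the folder path is a placeholder.

```powershell
# Added example for this article, not code from the original text. Assumes an
# elevated Windows PowerShell session; $Path is a placeholder folder to watch.
$Path    = 'C:\Users\Public\Payroll'          # placeholder
$Account = 'Everyone'                          # audit every account

# 1. Turn on the policy. gpedit's "Audit object access" covers this category;
#    auditpol can enable just the File System subcategory instead.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Put an audit entry (a SACL entry) on the folder, inheritable to children.
#    Reading or writing audit entries needs the Security privilege, which is
#    why this has to run elevated.
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    $Account,
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Read the events this produces in the Security log. 4663 = "an attempt
#    was made to access an object"; 4656 = a handle to the object was requested.
wevtutil qe Security /q:"*[System[(EventID=4663 or EventID=4656)]]" /c:20 /rd:true /f:text
```

Auditing writes, deletes and permission changes rather than reads keeps the log usable: a folder that is read constantly produces one event per handle, and the interesting events drown.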

The Owner tab is used to assume ownership of one or more objects, and can be the source of a lot of frustration when wrestling with permissions. One of the means by which Vista maintains its lock on important operating system files and Registry keys is through ownership: by default, these system-level objects are owned by the TrustedInstaller service account, not by an administrator, and even the Administrators group gets only Read & Execute on them. You'll also see an entry named "Creator Owner" in their permission lists (see the upcoming sidebar, "What's the Creator Owner Account?," for details); it's a placeholder that stands for whichever account creates a new file or subfolder, not an account that can own anything itself. To make any changes to these objects, you must first assume ownership by selecting your own name in the list, turning on the Replace owner on subcontainers and objects option, and clicking OK in all the open Permissions windows. Ownership is the master key: whoever owns an object can always change its permissions, whatever the list says. So when you're done with a system file, give ownership back to TrustedInstaller, or Windows' own servicing may stumble over it later.

Another time when you'd use the Owner tab is when you need to share documents between two Windows installations on the same PC ; in most cases, Windows won't let you access such files until you "take ownership" using the Owner tab of this window.

For another way to manage ownership of files and folders, see the "Take Ownership from the Command Line" sidebar, next.

Take Ownership from the Command Line

It's a real pain to dig down through all those windows to take ownership of a file, only to have to close them all, and then reopen them to subsequently change the permissions. If you're comfortable with the Command Prompt or you need a way to take ownership from a script, there are a few useful tools included with Vista for this purpose.

To assume ownership of a file or folder, use the takeown command. Open a Command Prompt window, and at the prompt, type:

takeown /f "c:\full_path\myfile.ext"

where c:\full_path\myfile.ext is the full path and filename to take ownership of. Add the /r option—only if you're specifying a folder name—to also take ownership of all the folders and files contained therein; if there are subfolders you currently can't even list, add /d y as well so that takeown answers its own prompt instead of stopping on each one. Type takeown /? for more options.

Next, to set Full Control permissions on the file or folder, use the cacls command, like this:

cacls "c:\full_path\myfile.ext" /E /G your_username:F

where your_username is, obviously, your username. The /E switch matters: without it, cacls replaces the entire permission list with the single entry you're granting (after asking "Are you sure?"), which knocks out the entries for SYSTEM, Administrators and everyone else. Vista also ships with icacls, whose /grant switch edits the list by default and whose /t switch recurses into folders; cacls is kept only for compatibility with old scripts.
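The two steps above as a reversible script: save the permissions, take ownership, grant yourself access, and afterwards restore the saved permissions and hand ownership back. This is an added example, not code from the original article; it assumes an elevated Windows PowerShell session (PowerShell is an optional download on Vista, built in from Windows 7 on), uses takeown and icacls, both of which ship with Vista, and the target path is a placeholder.

```powershell
# Added example for this article, not code from the original text. Assumes an
# elevated Windows PowerShell session; takeown and icacls ship with Vista.
# $Target is a placeholder for a folder Windows protects through ownership.
$Target = 'C:\Program Files\SomeApp'           # placeholder
$Backup = Join-Path $env:TEMP 'SomeApp-acl.bak'

# 0. Save the current permissions of the whole tree first, so the change is reversible.
icacls $Target /save $Backup /t /c

# 1. Take ownership. /r recurses; /d y answers the prompt takeown stops on
#    for any subfolder the current account can't yet list.
takeown /f $Target /r /d y

# 2. Owning the object is what lets you change its permissions. icacls /grant
#    edits the existing list (unlike cacls /G without /E, which replaces it);
#    (OI)(CI) makes the entry inherit to files and subfolders, F = Full Control.
icacls $Target /grant "$($env:USERNAME):(OI)(CI)F" /t /c

# ... make your change here ...

# 3. Put things back: restore the saved permissions (the saved names are
#    relative to the folder's parent, so that is where /restore is pointed)
#    and hand ownership back to TrustedInstaller so servicing still works.
icacls (Split-Path -Path $Target -Parent) /restore $Backup /c
icacls $Target /setowner "NT SERVICE\TrustedInstaller" /t /c
```

The /save step is the part people skip and then regret: once a protected tree has been re-owned and re-permissioned by hand there is no undo button in the Properties window, and the saved file is the only record of what the permissions used to be.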

And for those familiar with Unix, there's a chown (change ownership) command-line utility (written for NT but works in Vista) available for free at

Finally, the Effective Permissions tab is a troubleshooting tool that lets you view the selected object's permissions as they pertain to a single user, with that user's group memberships and any Deny entries taken into account. This is most useful when dealing with groups of users. It looks only at the object's own permissions, so for a shared folder you still have to check the share permissions separately.

1.2. Add new users to the Permissions window

Typically, a single entry, Everyone, will appear at the top of the Group or user names list in the Permissions window. (Here, Everyone literally means every account that can log on to the PC, including Guest if it's enabled and any accounts you create later.) More than likely, though, you'll want to eliminate the Everyone entry and add only those users (such as yourself) whom you need to specifically grant access to your stuff.

Start by deleting any unwanted users by selecting them and clicking Remove. Then, click Add to open the Select Users or Groups window, as shown in Figure 3.

Figure 3. New users and groups are added to a Permissions list with this rather confusing dialog

The first time you use this tool, you'll probably expect to see a list of all the users on your PC; unfortunately, Microsoft in its infinite wisdom decided it would be easier for you to type each user's account name by hand. To add a user, type one or more names in the Enter the object names to select field; separate multiple names with semicolons.

In the example in Figure 3, notice that the third entry, SCHOOLBUS\Wendell, is unlike the others. While Seth and Munchie are users on the PC (or in the corporate domain to which this computer belongs), this third entry shows how you'd specify a user account on a different machine; in this case, the user Wendell on the computer SCHOOLBUS is to be added. The only time you'd likely need to do this is if Wendell needed to access your shared files remotely, and you didn't want to create an account for Wendell on your own PC. Bear in mind that Windows has to resolve the name to a security identifier it can check later, which works when both computers belong to a domain; in a plain workgroup, a remote user is matched against an account on your PC with the same name and password, so Wendell needs a local account after all.

So, why, in the Select Users or Groups window, can you not actually select a user or group? Why aren't all the user and group names on your PC listed in here? Why all the typing? The reason is that this window was originally designed to accommodate a company-wide network with thousands of users, and since Microsoft hasn't made a single change to this interface in at least seven years, you'll need to go elsewhere to get a list of users: Local Users and Groups (lusrmgr.msc) shows them, as do the net user and net localgroup commands at a Command Prompt.

When you click OK, Windows will verify the user and group names you've entered, and if all is well, will add them to the Permissions window. Mistype a name, and you won't be allowed to leave. (To verify your entries without closing the window, click Check Names.)

When you've added a new user to the Permissions window (shown previously in Figure 1), highlight the user, and selectively click the checkmarks in the Allow or Deny columns.

Deny entries take precedence over Allow entries set at the same level. Say a user named Surly is part of a group named Duff. If you deny read access to the Duff group, and then allow read access to the Surly account, Surly still won't be able to read the files. The one exception is inheritance: Windows checks the entries set directly on an object before the ones it inherited, so an Allow set on a file outranks a Deny inherited from its folder. If you want a Deny to stick, put it at least as close to the object as any competing Allow.
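The evaluation order just described, reproduced in Windows PowerShell as a small effective-permissions calculator (the same question the Effective Permissions tab in the Advanced Security Settings window answers) and run against the Surly/Duff scenario in a scratch folder. This is an added example, not code from the original article. It assumes PowerShell (optional on Vista, built in from Windows 7 on) and icacls, which ships with Vista; the current account stands in for Surly and the built-in Users group for Duff. The calculator walks the permission list only: the implicit rights of the owner, groups marked "deny only" in a UAC-filtered token, backup privileges and share permissions are all outside its model.

```powershell
# Added example for this article, not code from the original text. Models the
# permission-list walk only; owner rights, UAC deny-only groups, backup
# privileges and share permissions are not considered.
function Get-EffectiveRights {
    param(
        [string]$Path,
        [string[]]$Sids = $null   # SIDs of the user and all groups; default: current token
    )
    if (-not $Sids) {
        $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $Sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    }
    $allowed = 0; $denied = 0
    # Get-Acl returns entries in the order Windows evaluates them:
    # explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }        # an unresolvable name can't match anything in the token
        if ($Sids -notcontains $sid) { continue }
        # only bits no earlier entry has ruled on are still open
        $open = ([int]$ace.FileSystemRights) -band (-bnot ($allowed -bor $denied))
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) {
            $allowed = $allowed -bor $open
        } else {
            $denied  = $denied  -bor $open
        }
    }
    [System.Security.AccessControl.FileSystemRights]$allowed
}

# Constructed scenario in a scratch folder. S-1-5-32-545 is the built-in Users
# group (given as a SID so it works on non-English Windows); the current
# account, which is normally a member of Users, plays Surly.
$dir  = Join-Path $env:TEMP 'acl-demo'
$file = Join-Path $dir 'notes.txt'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path $file -Value 'constructed sample file'
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# 1. Both entries explicit on the same file: the Deny is listed first, so it wins.
icacls $file /inheritance:r /deny "*S-1-5-32-545:R" /grant "${me}:R" | Out-Null
"explicit deny + explicit allow : " + (Get-EffectiveRights -Path $file)   # no Read bits

# 2. Deny inherited from the folder, Allow explicit on the file: the explicit
#    entry is evaluated first, so Read is granted after all (and, from the
#    entries inherited from your profile folder, the rest of Full Control too).
icacls $dir  /deny "*S-1-5-32-545:(OI)(CI)R" | Out-Null
icacls $file /inheritance:e /remove:d "*S-1-5-32-545" | Out-Null
"inherited deny + explicit allow: " + (Get-EffectiveRights -Path $file)

# Clean up: as owner you can always reset the permissions, even after denying yourself.
icacls $dir /reset /t /q | Out-Null
Remove-Item -Path $dir -Recurse -Force
```

The per-bit rule in the loop is what makes both results fall out of one algorithm: each right is settled by the first entry that mentions it, and the only thing inheritance changes is where in the list an entry sits.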

Depending on the type of object you've selected, you may see any number of different types of entries here, such as Full Control, Read, Write and Modify. After playing with the checkmarks, you'll notice that there is quite a bit of redundancy in this list; for example, Modify is an umbrella term that includes Read & Execute, Read, and Write, and Full Control adds the ability to change permissions and take ownership on top of Modify.

For more control over permissions, click Advanced to show the Advanced Security Settings window (shown earlier in Figure 2), select the user with whom you want to work, and click Edit. The Permission Entry window shown in Figure 4 allows you to fine-tune permissions and allow only those permissions that are absolutely necessary for the object. When setting most permissions day-to-day, you won't ever need to use this tool.

Figure 4. The Permission Entry window lets you fine-tune permissions

When you're done choosing permissions, click OK. If you're modifying the permissions for a folder, Windows may or may not prompt you to have your changes propagated to all subfolders and files.

1.3. How permissions affect software

In most cases, you'll want to set permissions to protect your files and folders from unauthorized access. But some permissions are necessary to get certain programs to work.

For example, if you're writing a CGI or ASP program for the IIS web server, you'll need to set the permissions of your files so that the account IIS runs anonymous requests under can read and execute them. Which account that is depends on the IIS version. On IIS 6 and earlier (Windows XP and Server 2003), the Internet Guest Account is named after the machine: for a system named SERVER, you'd enter SERVER\IUSR_SERVER into the Select Users or Groups dialog (as shown earlier in Figure 3). IIS 7, the version that ships with Vista, uses a built-in account simply named IUSR instead, along with the IIS_IUSRS group that all of its worker processes belong to. Give that account Read & Execute, not Full Control: a data-upload script needs Write on the one folder it stores files in and nothing more, and anything beyond that lets a bug in your script rewrite the script itself.
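The blanket grant beside the least-privilege version, followed by a check that finds any entry still letting the web server accounts write outside the one folder meant for it. This is an added example, not code from the original article; it assumes IIS 7 on Vista, an elevated Windows PowerShell session (PowerShell is an optional download on Vista, built in from Windows 7 on), icacls, and placeholder paths.

```powershell
# Added example for this article, not code from the original text. Assumes
# IIS 7 (the version on Vista) and an elevated Windows PowerShell session;
# the paths are placeholders.
$Site    = 'C:\inetpub\wwwroot\myapp'         # placeholder: scripts and static content
$Uploads = Join-Path $Site 'uploads'          # placeholder: the one folder the app writes to

# The blanket grant: Full Control for the anonymous account on the whole site.
# A bug in any script then lets a visitor rewrite the scripts themselves.
#   icacls $Site /grant "IUSR:(OI)(CI)F" /t

# Least privilege: read and execute on the content, Modify only on the upload folder.
icacls $Site    /grant "IIS_IUSRS:(OI)(CI)RX" /t | Out-Null
icacls $Uploads /grant "IIS_IUSRS:(OI)(CI)M"     | Out-Null

# Check: report every entry outside the upload folder that still lets the
# web server accounts write, delete, change permissions or take ownership.
function Find-WebWriteGrants {
    param([string]$Root, [string]$WritableSubtree)
    $webAccounts = @('NT AUTHORITY\IUSR', 'BUILTIN\IIS_IUSRS')
    $tooMuch = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    foreach ($item in @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse)) {
        if ($item.FullName.StartsWith($WritableSubtree, [System.StringComparison]::OrdinalIgnoreCase)) { continue }
        foreach ($ace in (Get-Acl -Path $item.FullName).Access) {
            if ($webAccounts -contains $ace.IdentityReference.Value -and
                $ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
                (([int]$ace.FileSystemRights) -band ([int]$tooMuch)) -ne 0) {
                '{0}  {1}  {2}' -f $item.FullName, $ace.IdentityReference, $ace.FileSystemRights
            }
        }
    }
}

Find-WebWriteGrants -Root $Site -WritableSubtree $Uploads   # prints nothing when the site is clean
```

Run the check again after every deployment: installers and unzip tools are fond of dropping content with their own permissions, and a single stray Modify entry on a scripts folder is all the difference between a defaced page and a defaced server.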
