Troubleshooting NTFS Permissions in Windows XP Professional

   When you assign or modify NTFS permissions to files and folders, problems might arise. When you copy or move files and folders, the permissions you set on the files or folders might change. Specific rules control how and when permissions change. Understanding these rules helps you solve permissions problems. Troubleshooting these problems is important to keep resources available for the appropriate users and protected from unauthorized users.

   Copying Files and Folders

  When you copy files or folders from one folder to another or from one volume to another, permissions change. When you copy a file within a single NTFS volume or between NTFS volumes, the following happens:

  • Windows XP Professional treats it as a new file. As a new file, it takes on the permissions of the destination folder.
  • You must have Write permission for the destination folder to copy files and folders.
  • You become the creator and owner.
       Note

      When you copy files or folders to FAT volumes, the folders and files lose their NTFS permissions because FAT volumes don't support NTFS permissions.

       Moving Files and Folders

      When you move a file or folder, permissions might or might not change, depending on where you move the file or folder.

       Moving Within a Single NTFS Volume

       When you move a file or folder within a single NTFS volume, the following rules apply:

  • The file or folder retains the original permissions.
  • You must have the Write permission for the destination folder to move files and folders into it.
  • You must have the Modify permission for the source file or folder. The Modify permission is required to move a file or folder because Windows 2000 deletes the file or folder from the source folder after it is copied to the destination folder.
  • You become the creator and owner.
       Moving Between NTFS Volumes

       When you move a file or folder between NTFS volumes, the following rules apply:

  • The file or folder inherits the permissions of the destination folder.
  • You must have the Write permission for the destination folder to move files and folders into it.
  • You must have the Modify permission for the source file or folder. The Modify permission is required to move a file or folder because Windows XP Professional deletes the file or folder from the source folder after it is copied to the destination folder.
  • You become the creator and owner.
       Note

      When you move files or folders to FAT volumes, the folders and files lose their NTFS permissions because FAT volumes don't support NTFS permissions.
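
      The copy and move rules above can be observed directly. The following script is an added example, not part of the original page; it assumes PowerShell is installed, and the folder and file names under the temporary directory are constructed for the demonstration. It gives a file one explicit permission entry, copies and moves it within a single NTFS volume, and lists the owner and explicit entries of each result for comparison with the rules.

```powershell
# Added example: compare the ACL of a copied file with that of a moved file
# on one NTFS volume. All names below are constructed for the demonstration.
$root = Join-Path $env:TEMP 'ntfs-acl-demo'
$src  = Join-Path $root 'Source'
$dst  = Join-Path $root 'Destination'
New-Item -ItemType Directory -Path $src, $dst -Force | Out-Null

# Create the file and give it one explicit entry that is easy to recognise.
$file = Join-Path $src 'report.txt'
Set-Content -Path $file -Value 'sample'
$acl  = Get-Acl -Path $file
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'Modify', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $file -AclObject $acl

# Copy first (the source must still exist), then move.
Copy-Item -Path $file -Destination (Join-Path $dst 'copied.txt')
Move-Item -Path $file -Destination (Join-Path $dst 'moved.txt')

# Report owner and explicit (non-inherited) entries for both results.
foreach ($name in 'copied.txt', 'moved.txt') {
    $a = Get-Acl -Path (Join-Path $dst $name)
    $explicit = $a.Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object { "$($_.IdentityReference) $($_.AccessControlType) $($_.FileSystemRights)" }
    New-Object PSObject -Property @{
        File         = $name
        Owner        = $a.Owner
        ExplicitAces = ($explicit -join '; ')
    }
}

# Remove the demonstration folder when finished:
# Remove-Item -Path $root -Recurse -Force
```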

       Troubleshooting Permissions Problems

      Users sometimes experience problems after NTFS permissions are assigned or modified. The table below lists some common scenarios, with the cause and the solution for each.

        
    Problem: A user can't gain access to a file or folder.
    Solution: If the file or folder was copied or moved to another NTFS volume, the permissions might have changed. Check the permissions that are assigned to the user account and to groups to which the user belongs. The user might not have permission or might be denied access either individually or as a member of a group.

    Problem: You add a user account to a group to give that user access to a file or folder, but the user still can't gain access.
    Solution: For access permissions to be updated to include the new group to which you have added the user account, the user must either log off and then log on again or close all network connections to the computer on which the file or folder resides and then make new connections.

    Problem: A user with Full Control permission to a folder deletes a file in the folder, although that user doesn't have permission to delete the file itself. You want to stop the user from being able to delete more files.
    Solution: You have to clear the special access permission, the Delete Subfolders And Files check box, for that folder to prevent users with Full Control of the folder from being able to delete files in it.

       Avoiding Permissions Problems

       The following list provides the best practices for implementing NTFS permissions. These guidelines will help you avoid permission problems as well as give you hints where NTFS Permissions should be implemented.

  • Assign the most restrictive NTFS permissions that still enable users and groups to accomplish necessary tasks.
  • Assign all permissions at the folder level, not at the file level. Group files in a separate folder for which you want to restrict user access, and then assign restricted access to that folder.
  • For all application-executable files, assign Read & Execute and Change Permissions to the Administrators group, and assign Read & Execute to the Users group. Damage to application files is usually a result of accidents and viruses. By assigning Read & Execute to Users and Read & Execute and Change Permissions to Administrators, you can prevent users or viruses from modifying or deleting executable files. To update files, members of the Administrators group can assign Full Control to their user account to make changes and then reassign Read & Execute and Change Permissions.
  • Assign Full Control to CREATOR OWNER for public data folders so that users can delete and modify files and folders that they create. Doing so gives the user who creates the file or folder full access to only the files or folders that he or she creates in the public data folder.
  • For public folders, assign Full Control to CREATOR OWNER and Read and Write to the Everyone group. This gives users full access to the files that they create, but members of the Everyone group can only read files in the folder and add files to the folder.
  • Use long, descriptive names if the resource will be accessed only at the computer. If a folder will eventually be shared, use folder names and filenames that are accessible by all client computers.
  • Allow permissions rather than denying permissions. If you don't want a user or group to access a particular folder or file, don't assign permissions. Denying permissions should be an exception, not a common practice.
    Option: Copy
    Description: Copy the permission entries that were previously applied from the parent to the child and then deny subsequent permissions inheritance from the parent folder.

    Option: Remove
    Description: Remove the permission entries that were previously applied from the parent to the child and retain only the permissions that you explicitly assign here.

    Option: Cancel
    Description: Cancel the dialog box.
        

       Guidelines for implementing NTFS Permissions

       Understanding the following guidelines is important for implementing NTFS permissions well.

  • To simplify administration, group files into application, data, and home folders. Centralize home and public folders on a volume that is separate from applications and the operating system. This provides the following benefits: permissions are assigned only to folders, not to individual files; and backup is less complex because you don't need to back up application files, and all home and public folders are in one location.
  • Allow users only the level of access that they require. If a user only needs to read a file, assign the Read permission to his or her user account for the file. This reduces the possibility of users accidentally modifying or deleting important documents and application files.
  • Create groups according to the access that the group members require for resources, and then assign the appropriate permissions to the group. Assign permissions to individual user accounts only when necessary.
  • When you assign permissions for working with data or application folders, assign the Read & Execute permission to the Users group and the Administrators group. This prevents application files from being accidentally deleted or damaged by users or viruses.
  • When you assign permissions for public data folders, assign the Read & Execute permission and the Write permission to the Users group and the Full Control permission to the CREATOR OWNER. By default, the user who creates a file is also the owner of the file. The owner of a file can grant another user permission to take ownership of the file. The person who takes ownership would then become the owner of the file. If you assign the Read & Execute permission and the Write permission to the Users group and the Full Control permission to the CREATOR OWNER, users have the ability to read and modify documents that other users create and the ability to read, modify, and delete the files and folders that they create.
  • Deny permissions only when it is essential to deny specific access to a specific user account or group.
  • Encourage users to assign permissions to the files and folders that they create and educate them about how to do so.
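
       Several of the practices above can be checked on an existing folder tree. The following script is an added example, not part of the original page; it assumes PowerShell is installed, and the parameter name and finding labels are its own. It lists explicit permission entries that are set on individual files, explicit Deny entries, and folder entries that include Delete Subfolders And Files (the cause of the third troubleshooting scenario).

```powershell
# Added example: list explicit ACL entries that the guidelines above advise against.
# $Path and the finding labels are this example's own names.
param([string]$Path = '.')

$deleteChild = [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

Get-ChildItem -Path $Path -Recurse | ForEach-Object {
    $item = $_
    foreach ($ace in (Get-Acl -Path $item.FullName).Access) {
        # Inherited entries are managed on a parent folder, so skip them here.
        if ($ace.IsInherited) { continue }

        $findings = @()
        if (-not $item.PSIsContainer) {
            $findings += 'permission assigned on a file instead of its folder'
        }
        if ($ace.AccessControlType -eq 'Deny') {
            $findings += 'explicit Deny entry'
        }
        # CREATOR OWNER with Full Control is what the page recommends for
        # public folders, so that entry is not reported.
        if ($item.PSIsContainer -and
            $ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -ne 'CREATOR OWNER' -and
            (([int]$ace.FileSystemRights -band $deleteChild) -ne 0)) {
            $findings += 'folder entry includes Delete Subfolders And Files'
        }

        foreach ($f in $findings) {
            New-Object PSObject -Property @{
                Path     = $item.FullName
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
                Finding  = $f
            }
        }
    }
} | Sort-Object Path | Format-Table -AutoSize -Wrap
```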