INTRODUCTION
In Microsoft Windows XP, special access permissions are customizable sets of permissions. This means that you can apply special access permissions to files or folders that are located on NTFS file system volumes. This article describes how to set, view, change, or remove special permissions for files and folders.
Permissions for files and folders
Folder permissions include Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. Each of these permissions consists of a logical group of special permissions that are listed and defined in the following sections.
Note: This article assumes that you are using Windows XP on a domain. By default, simplified sharing is enabled in Windows XP if you are not connected to a domain. This means that the Security tab and advanced options for permissions are not available.
If you are not joined to a domain and want to view the Security tab, view the "Set, view, change, or remove special permissions for files and folders" section in this article.
For additional information about how to disable simplified file sharing, click the following article number to view the article in the Microsoft Knowledge Base:
307874 How to disable simplified sharing and set permissions on a shared folder in Windows XP
Troubleshooting
If the Security tab is not available and you cannot configure special permissions for users and groups, you may be experiencing the following issues:
- The file or folder where you want to apply special permissions is not on an NTFS drive. You can set permissions only on drives that are formatted to use NTFS.
- Simple file sharing is turned on. By default, simplified sharing is turned on.
File and folder special permissions
The following table describes file and folder special permissions.
Special Permissions | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write |
Traverse Folder/Execute File | yes | yes | yes | yes | no | no |
List Folder/Read Data | yes | yes | yes | yes | yes | no |
Read Attributes | yes | yes | yes | yes | yes | no |
Read Extended Attributes | yes | yes | yes | yes | yes | no |
Create Files/Write Data | yes | yes | no | no | no | yes |
Create Folders/Append Data | yes | yes | no | no | no | yes |
Write Attributes | yes | yes | no | no | no | yes |
Write Extended Attributes | yes | yes | no | no | no | yes |
Delete Subfolders and Files | yes | no | no | no | no | no |
Delete | yes | yes | no | no | no | no |
Read Permissions | yes | yes | yes | yes | yes | yes |
Change Permissions | yes | no | no | no | no | no |
Take Ownership | yes | no | no | no | no | no |
Synchronize | yes | yes | yes | yes | yes | yes |
IMPORTANT: Groups or users who are granted Full Control on a folder can delete any files in that folder regardless of the permissions that protect the file.
Note: Although the List Folder Contents and the Read & Execute folder permissions appear to have the same special permissions, these permissions are inherited differently. List Folder Contents is inherited by folders but not files, and it appears only when you view folder permissions. Read & Execute is inherited by both files and folders and is always present when you view file or folder permissions.
Note: In Windows XP Professional, the Everyone group does not include the Anonymous Logon group.
Special permissions defined
You can set any or all the following special permissions on files and folders.
Traverse Folder/Execute File
For folders: The Traverse Folder permission applies only to folders. This permission allows or denies the user from moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. Traverse Folder takes effect only when the group or user is not granted the Bypass Traverse Checking user right. The Bypass Traverse Checking user right checks user rights in the Group Policy snap-in. By default, the Everyone group is given the Bypass Traverse Checking user right.
For files: The Execute File permission allows or denies access to program files that are running.
If you set the Traverse Folder permission on a folder, the Execute File permission is not automatically set on all files in that folder.
List Folder/Read Data
The List Folder permission allows or denies the user from viewing file names and subfolder names in the folder. The List Folder permission applies only to folders and affects only the contents of that folder. This permission is not affected if the folder that you are setting the permission on is listed in the folder list.
The Read Data permission applies only to files and allows or denies the user from viewing data in files.
Read Attributes
The Read Attributes permission allows or denies the user from viewing the attributes of a file or folder, such as read-only and hidden attributes. Attributes are defined by NTFS.
Read Extended Attributes
The Read Extended Attributes permission allows or denies the user from viewing the extended attributes of a file or folder. Extended attributes are defined by programs and they may vary by program.
Create Files/Write Data
The Create Files permission applies only to folders and allows or denies the user from creating files in the folder.
The Write Data permission applies only to files and allows or denies the user from making changes to the file and overwriting existing content by NTFS.
Create Folders/Append Data
The Create Folders permission applies only to folders and allows or denies the user from creating folders in the folder.
The Append Data permission applies only to files and allows or denies the user from making changes to the end of the file but not from changing, deleting, or overwriting existing data.
Write Attributes
The Write Attributes permission allows or denies the user from changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS.
The Write Attributes permission does not imply that you can create or delete files or folders. It includes only the permission to make changes to the attributes of a file or folder. To allow or to deny create or delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.
Write Extended Attributes
The Write Extended Attributes permission allows or denies the user from changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
The Write Extended Attributes permission does not imply that the user can create or delete files or folders. It includes only the permission to make changes to the attributes of a file or folder. To allow or to deny create or delete operations, view the Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete sections in this article.
Delete Subfolders and Files
The Delete Subfolders and Files permission applies only to folders and allows or denies the user from deleting subfolders and files, even if the Delete permission is not granted on the subfolder or file.
Delete
The Delete permission allows or denies the user from deleting the file or folder. If you do not have a Delete permission on a file or folder, you can delete the file or folder if you are granted Delete Subfolders and Files permissions on the parent folder.
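The permissions table and the two delete rules above, as an added example that is not part of the original article: it builds the access mask for each table column, decodes a mask back into special permissions, and applies the delete rule. The hexadecimal bit values are the standard Windows access-mask constants and are not listed in the article; the function names are hypothetical, and the masks are assumed to be the rights already allowed (Deny entries are not modeled).

```python
# Added example; bit values are the standard Windows access-mask constants.
SPECIAL = {
    "Traverse Folder/Execute File": 0x000020,
    "List Folder/Read Data":        0x000001,
    "Read Attributes":              0x000080,
    "Read Extended Attributes":     0x000008,
    "Create Files/Write Data":      0x000002,
    "Create Folders/Append Data":   0x000004,
    "Write Attributes":             0x000100,
    "Write Extended Attributes":    0x000010,
    "Delete Subfolders and Files":  0x000040,
    "Delete":                       0x010000,
    "Read Permissions":             0x020000,
    "Change Permissions":           0x040000,
    "Take Ownership":               0x080000,
    "Synchronize":                  0x100000,
}
# Table columns as yes/no flags, in the row order of SPECIAL above.
COLUMNS = {
    "Full Control":         "yyyyyyyyyyyyyy",
    "Modify":               "yyyyyyyynyynny",
    "Read & Execute":       "yyyynnnnnnynny",
    "List Folder Contents": "yyyynnnnnnynny",
    "Read":                 "nyyynnnnnnynny",
    "Write":                "nnnnyyyynnynny",
}
# Special permissions that only the Full Control column grants.
HIGH_RISK = ("Delete Subfolders and Files", "Change Permissions", "Take Ownership")

def group_mask(column):
    """Build the access mask for one table column from its yes/no entries."""
    return sum(b for b, flag in zip(SPECIAL.values(), COLUMNS[column]) if flag == "y")

def decode(mask):
    """List the special permissions set in an access mask."""
    return [name for name, bit in SPECIAL.items() if mask & bit]

def review(mask):
    return [name for name in decode(mask) if name in HIGH_RISK]

def can_delete(file_mask, parent_mask):
    """Delete on the object, or Delete Subfolders and Files on the parent folder."""
    child = SPECIAL["Delete Subfolders and Files"]
    return bool(file_mask & SPECIAL["Delete"] or parent_mask & child)

if __name__ == "__main__":
    for col in COLUMNS:
        print(f"{col:22} 0x{group_mask(col):06X}")
    print(can_delete(group_mask("Read"), group_mask("Modify")))
```

Running it prints one mask per column; a user with only Read on a file and Modify on its folder cannot delete the file, while Full Control on the folder is enough.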
Read Permissions
The Read Permissions permission allows or denies the user from reading permissions about the file or folder, such as Full Control, Read, and Write.
Change Permissions
The Change Permissions permission allows or denies the user from changing permissions on the file or folder, such as Full Control, Read, and Write.
Take Ownership
The Take Ownership permission allows or denies the user from taking ownership of the file or folder. The owner of a file or folder can change permissions on it, regardless of any existing permissions that protect the file or folder.
Synchronize
The Synchronize permission allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies only to multiple-threaded, multiple-process programs.
Set, view, change, or remove special permissions for files and folders
To set, view, change, or remove special permissions for files and folders:
1. Click Start, click My Computer, and then locate the file or folder where you want to set special permissions.
2. Right-click the file or folder, click Properties, and then click the Security tab.
3. Click Advanced, and then use one of the following steps:
   - To set special permissions for an additional group or user, click Add, and then in the Name box, type the name of the user or group, and then click OK.
   - To view or change special permissions for an existing group or user, click the name of the group or user, and then click Edit.
   - To remove an existing group or user and the special permissions, click the name of the group or user, and then click Remove. If the Remove button is unavailable, click to clear the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here" check box, click Remove, and then skip steps 4 and 5.
4. In the Permissions box, click to select or click to clear the appropriate Allow or Deny check box.
5. In the Apply onto box, click the folders or subfolders where you want these permissions applied.
6. To configure security so that the subfolders and files do not inherit these permissions, click to clear the "Apply these permissions to objects and/or containers within this container only" check box.
7. Click OK two times, and then click OK in the Advanced Security Settings for FolderName box, where FolderName is the folder name.
CAUTION: You can click to select the "Replace permission entries on all child objects with entries shown here that apply to child objects. Include these with entries explicitly defined here" check box. If you do this, all subfolders and files have all their permission entries reset to the same permissions as the parent object. After you click Apply or OK, you cannot undo this operation by clicking to clear the check boxes.
Important: If you are not joined to a domain and you want to view the Security tab:
- Click Start, and then click Control Panel.
- Click Appearance and Themes, and then click Folder Options.
- Click the View tab, and then click to clear the Use simple file sharing [Recommended] check box in the Advanced settings box.
Notes:
- The Everyone group does not include the Anonymous Logon permission in Windows XP.
- If you click to select the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here" check box, the file or folder inherits permission entries from the parent object.
- You can set permissions only on drives that are formatted to use NTFS.
- If the check boxes in the Permissions box are not available, the permissions are inherited from the parent folder.
- To change permissions, you must be the owner or have been granted permission by the owner to change permissions.
- Groups or users who have Full Control permissions for a folder can delete the files and the subfolders in that folder, regardless of the permissions that protect the files and the subfolders.