HOW TO: Control NTFS Permissions Inheritance in Windows (313398)



The information in this article applies to:

  • Microsoft Windows 2000 Server

This article was previously published under Q313398

SUMMARY

This step-by-step article describes how to control NTFS permissions inheritance.

The following operating systems support the Windows NT File System (NTFS):
  • Microsoft Windows XP
  • Microsoft Windows 2000
  • Microsoft Windows NT
Drives and volumes that are formatted with the NTFS file system can use NTFS file-system permissions. NTFS file-system permissions provide the administrator with the highest level of access control that is available on Windows operating systems.

When you create a folder on an NTFS partition or volume, the default NTFS permissions on the folder and on all objects that are created in the folder are Everyone/Full Control. All subfolders of the parent folder have the same permissions, because the parent folder's permissions are inherited by all of its subfolders.

You can configure the default permissions inheritance behavior to allow customized permissions for subfolders and files. The administrator can then create more specific access controls.

Control NTFS Permissions Inheritance

To control how NTFS permissions are applied:
  1. Use Windows Explorer to create a folder that is named folder1 on an NTFS volume or partition.
  2. Inside of folder1, create a second folder that is named folder2.
  3. Inside of folder2, create a third folder that is named folder3.
  4. Right-click folder1, and then click Properties.
  5. In the folder1 Properties dialog box, click the Security tab. Note that the default permissions for the folder are Everyone/Full Control. These permissions are inherited from the root folder on the partition or volume. Click to clear the Allow inheritable permissions from parent to propagate to this object check box.
  6. A Security dialog box appears:
       • Click Copy to copy the inherited permissions to the folder and its contents. This leaves the current permissions that are applied to the object intact, but prevents permission changes from its parent folder from being inherited.
       • Click Remove to remove all permissions from folder1. If you select this option, you must add custom permissions before you apply the changes, because no users or groups will have access to the folder until you add permissions.
       • Click Cancel to cancel the operation.
     In this example, click the Copy button.
  7. After you click Copy, the individual permissions for the Everyone group are now configurable. The reason for this is that the permissions have been copied to the folder rather than inherited from its parent folder. Click Apply, and then click OK.
  8. Right-click folder2, and then click Properties. Click the Security tab. Note that the permission set is Everyone/Full Control. The Permissions boxes are unavailable because these permissions are inherited from folder1. Click Add. In the Select Users or Groups dialog box, click the local computer name in the Look in box. Double-click the Users entry, and then click OK. Click to clear the Allow inheritable permissions from parent to propagate to this object check box. Click Remove. The only permissions on folder2 are now for the local computer's Users group. Click Apply, and then click OK.
  9. Right-click folder3, and then click Properties. Click the Security tab. Note that folder3 has inherited the permissions from its parent folder, folder2. Close the folder3 Properties dialog box.
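
The walkthrough above, scripted as an added example that is not part of the original article. It assumes a current Windows system with PowerShell, a hypothetical scratch path under %TEMP% on an NTFS volume, and Read & Execute as the right granted to Users, which the article does not specify.

```powershell
# Added example: reproduces the folder1/folder2/folder3 walkthrough with the .NET ACL APIs.
# $Root is a hypothetical scratch location; it must be on an NTFS volume.
$Root    = Join-Path $env:TEMP 'acl-inherit-demo'
$folder1 = Join-Path $Root 'folder1'
$folder2 = Join-Path $folder1 'folder2'
$folder3 = Join-Path $folder2 'folder3'
New-Item -ItemType Directory -Path $folder3 -Force | Out-Null   # creates all three levels

# Steps 5-7: clear the inheritance check box on folder1 and choose Copy.
# SetAccessRuleProtection($true, $true) blocks inheritance and keeps the
# previously inherited ACEs as explicit ACEs on the folder.
$acl = Get-Acl -Path $folder1
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $folder1 -AclObject $acl

# Step 8: on folder2, add the local Users group, clear the check box, choose Remove.
# SetAccessRuleProtection($true, $false) blocks inheritance and discards inherited ACEs.
$acl   = Get-Acl -Path $folder2
$users = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')  # BUILTIN\Users
# Assumption: ReadAndExecute, applied to this folder, subfolders and files.
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
$acl.SetAccessRuleProtection($true, $false)
Set-Acl -Path $folder2 -AclObject $acl

# Step 9: folder3 is left untouched. List every ACE on all three folders and
# show whether it is explicit or inherited from the parent.
$report = foreach ($path in $folder1, $folder2, $folder3) {
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Folder    = Split-Path $path -Leaf
            Protected = $acl.AreAccessRulesProtected   # True = inheritance blocked
            Identity  = $ace.IdentityReference
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}
$report | Format-Table -AutoSize
```

In the report, Protected corresponds to a cleared inheritance check box, and Inherited marks ACEs that come from the parent folder rather than being set on the folder itself.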

Modification Type: Major
Last Reviewed: 10/3/2003
Keywords: kbenv kbhowto kbHOWTOmaster KB313398 kbAudITPro