IN THIS TASK
- How to Configure Security for Files and Folders
- Users Cannot Access Files and Folders That They Should Be Able to When Logged On Locally
- Inappropriate Permission Levels When Users Access Files and Folders When Logged on Locally
- Users Cannot Access Files and Folders That They Should Be Able to Access Over the Network
- There Is No Security Tab in the Folder Properties Dialog Box
For example, you receive a call from the manager of your accounts receivable department. The manager has been working on several spreadsheets that are stored on a file server in your domain, and is concerned that employees who should not have access to these files may be able to open and edit the files. The files are in a folder that is named c:\Accounts on the server, and the folder is shared as Accounts. The share permissions on the Accounts share for members of the Domain Users group are set to Full Control. The manager wants to permit the members of the Accountants group to edit the files and add new files, and the members of the Sales group to be able to read the files but not edit them. The manager will be the only person who can make any changes to the permissions, and no one else will have access to the files.
- Log on by using your domain user name and password.
- Start Windows Explorer.
- Expand My Computer, and then click the drive that contains the folder that you want to configure.
- Right-click the folder that you want to configure, and then click Properties.
- Click the Security tab.
- Click Advanced.
- Click to clear the Allow inheritable permissions from parent to propagate to this object and all child objects. Include these with entries explicitly defined here check box.
- In the Security dialog box that appears, click Copy.
NOTE: The inherited permissions are copied directly to the folder.
- Click OK.
- To set permissions for a group or user who is not listed in the Group or user names box, click Add.
- In the Select Users or Groups dialog box that appears, type the names of the groups or users for whom you want to set permissions. For example, Accounting, Sales, and accounts receivable manager name).
- Click OK. The groups and users you added appear in the Group or user names box.
- To grant or deny a permission in the Permissions for User or Group box, click the user or group in the Group or user names box, and then click to select the Allow or Deny check box next to the permission that you want to allow or deny. For example:
- To grant Modify permissions to the Accountants group, click Accountants, and then click to select the Allow check box next to Modify. Members of this group can add new files to the folder or edit the files in the folder.
- To grant Read & Execute, List Folder Contents, and Read permissions to the Sales group, click Sales, and then click to select the Allow check box next to these permissions.
- To grant Full Control permission to the accounts receivable manager, click accounts receivable manager name, and then click to select the Allow check box next to Full Control.
- Click OK.
The exception to this rule is if there is an explicit Deny permission on the folder or file. This occurs because Deny permissions are enumerated first when Windows determines if a particular user can perform a particular task. Because of this, avoid using explicit Deny permissions unless there is no other way to obtain the specific level of permissions that you need.
The exception to this is if there is an explicit Deny permission on the folder or file. This occurs because Deny permissions are enumerated first when Windows determines if a particular user can perform a particular task. For example, a member of a group that has Deny selected for the Read permission cannot read the file or folder, even if other permissions make it possible for this user to do so.
Avoid using explicit Deny permissions unless there is no other way to obtain the specific level of permissions that you need. Check both the share permissions and the file and folder permissions for the user and any groups of which the user is a member.
Security tab in the FolderName Properties dialog box, you may be using the FAT or FAT32 file system. You can only set file and folder permissions on volumes that are formatted with the NTFS file system. You can use the convert command to convert FAT or FAT32 volumes to use NTFS.
Article ID: 325361 - Last Review: Jan 7, 2008 - Revision: 1