Default NTFS Permissions in Windows 2000

Summary

This article lists the default permissions on a drive that has been formatted with the NTFS file system for the first time. Some of these folders are hidden by default.

More Information

The default NTFS permissions on common Windows 2000 folders on drive C are listed below. Note that this article assumes that Windows 2000 is installed on drive C. If you installed Windows 2000 on a different drive letter, substitute that drive letter for drive C in the folder locations listed below:


Default NTFS Permissions for Servers Configured as Member Servers:


C:\
(Note: Setup does not change the permissions on %systemdrive% because the Windows 2000 ACL Inheritance model would recursively try to configure all subdirectories of the root. Administrators should configure root directory security according to their own system configurations and requirements.)

C:\Program Files and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Users - Read
System - Full Control
Power Users - Change
Terminal Server User - Change

C:\Documents and Settings
Administrators - Full Control
Power Users - Read
Everyone - Read
Users - Read
System - Full Control

C:\Documents and Settings\Administrator and <subfolders>
Administrator - Full Control
Administrators - Full Control
System - Full Control

C:\Documents and Settings\All Users and <subfolders>
Administrators - Full Control
Power Users - Change
Users - Read
Everyone - Read
System - Full Control

C:\Documents and Settings\Default User and <subfolders>
Administrators - Full Control
Power Users - Read
Users - Read
Everyone - Read
System - Full Control

C:\%SystemRoot%
Administrators - Full Control
Creator/Owner - Full Control
Everyone - Read
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\Addins
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\Connection Wizard
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\Config
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\Cursors
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\Debug
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\Driver Cache
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\Driver Cache\I386
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\Fonts
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\Help
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
Terminal Server User - Special (RWX)
System - Full Control

C:\%SystemRoot%\Inf
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\Java and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\Media
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\Msagent and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\Msapps and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\Mww32 and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\Registration
Administrators - Full Control
Everyone - Read
System - Full Control

C:\%SystemRoot%\Repair
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\Security and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Read
Users - Read
System - Full Control

C:\%SystemRoot%\Speech
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\System
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\System32
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
Everyone - Read
System - Full Control

C:\%SystemRoot%\System32\CatRoot
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\System32\Com
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\System32\Config
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Read
Users - Read
System - Full Control

C:\%SystemRoot%\System32\Dhcp
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Read
Users - Read
System - Full Control

C:\%SystemRoot%\System32\Drivers and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Read
Users - Read
System - Full Control

C:\%SystemRoot%\System32\DTCLog
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\system32\export
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\System32\GroupPolicy and <subfolders>
Administrators - Full Control
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\System32\IAS
Administrators - Full Control
Creator/Owner - Full Control
System - Full Control

C:\%SystemRoot%\System32\Inetsrv
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\System32\Mui and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\System32\Npp
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\System32\NtmsData
Administrators - Full Control
System - Full Control

C:\%SystemRoot%\System32\Os2 and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\System32\Ras
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\System32\Rocket
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\System32\Rpcproxy
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\System32\Setup
Everyone - Full Control

C:\%SystemRoot%\System32\ShellExt
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\System32\Spool and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\System32\Wbem and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\System32\Wins
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\Temp
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Special
System - Full Control

C:\%SystemRoot%\twain_32
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

C:\%SystemRoot%\Web
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control

Any other folders
Administrators - Full Control
Creator/Owner - Full Control
Power Users - Change
Users - Read
System - Full Control


Default NTFS Permissions for Servers Configured as Domain Controllers:




C:\
(Note: Setup does not change the permissions on %systemdrive% because the Windows 2000 ACL Inheritance model would recursively try to configure all subdirectories of the root. Administrators should configure root directory security according to their own system configurations and requirements.)

C:\Program Files and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\Documents and Settings
Administrators - Full Control
Everyone - Read
Users - Read
System - Full Control

C:\Documents and Settings\Administrator and <subfolders>
Administrator - Full Control
Administrators - Full Control
System - Full Control

C:\Documents and Settings\All Users and <subfolders>
Administrators - Full Control
Users - Read
Everyone - Read
System - Full Control

C:\Documents and Settings\Default User and <subfolders>
Administrators - Full Control
Users - Read
Everyone - Read
System - Full Control

C:\%SystemRoot%
Administrators - Full Control
Creator/Owner - Full Control
Everyone - Read
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\Addins
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\Connection Wizard
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\Config
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\Cursors
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\Debug
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\Driver Cache
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\Driver Cache\I386
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\Fonts
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\Help
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\Inf
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\Java and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\Media
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\Msagent and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\Msapps and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\Mww32 and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\Registration
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\Repair
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\Security and <subfolders>
Administrators - Full Control
Server Operators - Read
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\Speech
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\System
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\System32
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
Everyone - Read
System - Full Control

C:\%SystemRoot%\System32\CatRoot
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\System32\Com
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\System32\Config
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Read
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\System32\Dhcp
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Read
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\System32\Drivers and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\System32\DTCLog
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\system32\export
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\System32\GroupPolicy and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Read
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\System32\IAS
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
System - Full Control

C:\%SystemRoot%\System32\Inetsrv
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\System32\Mui and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\System32\Npp
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\System32\NtmsData
Administrators - Full Control
System - Full Control

C:\%SystemRoot%\System32\Os2 and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\System32\Ras
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\System32\Rocket
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\System32\Rpcproxy
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\System32\Setup
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\System32\ShellExt
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\System32\Spool and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Print Operators - Full Control
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\System32\Wbem and <subfolders>
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\System32\Wins
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\Temp
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Special
System - Full Control

C:\%SystemRoot%\twain_32
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

C:\%SystemRoot%\Web
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

Any other folders
Administrators - Full Control
Creator/Owner - Full Control
Server Operators - Change
Authenticated Users - Read
System - Full Control

NOTE: These permissions do not apply to a drive that is converted to NTFS using the Convert utility. On a converted NTFS drive, all files and folders have Everyone - Full Control as the default permission.

NOTE: In Windows 2000, the default permissions for the C:\ root directory and all other hard drive root directories (for example, D:\ and E:\) grant Full Control to the Everyone special group.


For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

148437 Default NTFS Permissions in Windows NT

Properties

Article ID: 244600 - Last updated: March 1, 2007 - Revision: 1
