Lesson 1: Understanding NTFS Permissions Page 2 of 4

Write Create new files and subfolders within the folder, change folder attributes, and view
folder ownership and permissions

You can deny folder permission to a user account or group. To deny all access to a user account or group for a
folder, deny the Full Control permission.

NTFS File Permissions

You assign file permissions to control the access that users have to files. Table 9.2 lists the standard NTFS file
permissions that you can assign and the type of access that each provides.

Table 9.2 NTFS File Permissions

NTFS File
Allows the User To
Permission

Full Control Change permissions and take ownership, plus perform the actions permitted by all
other NTFS file permissions

Modify Modify and delete the file plus perform the actions permitted by the Write permission
and the Read & Execute permission

Read & Execute Run applications plus perform the actions permitted by the Read permission

Read Read the file, and view file attributes, ownership, and permissions

Write Overwrite the file, change file attributes, and view file ownership and permissions

Access Control List

NTFS stores an access control list (ACL) with every file and folder on an NTFS volume. The ACL contains a list of all
user accounts and groups that have been granted access for the file or folder, as well as the type of access that
they have been granted. When a user attempts to gain access to a resource, the ACL must contain an entry, called
an access control entry (ACE), for the user account or a group to which the user belongs. The entry must allow the
type of access that is requested (for example, Read access) for the user to gain access. If no ACE exists in the
ACL, the user cannot gain access to the resource.

Multiple NTFS Permissions

You can assign multiple permissions to a user account by assigning permissions for a resource to an individual
user account and to each group of which the user is a member. You need to understand the rules and priorities
that are associated with how NTFS assigns and combines multiple permissions. You also need to understand NTFS
permission inheritance.

Permissions Are Cumulative

A user's effective permissions for a resource are the sum of the NTFS permissions that you assign to the individual
user account and to all of the groups to which the user belongs. If a user has Read permission for a folder and is a
member of a group with Write permission for the same folder, the user has both Read and Write permission for
that folder.

File Permissions Override Folder Permissions

NTFS file permissions take priority over NTFS folder permissions. A user with access to a file will be able to gain
access to the file even if he or she does not have access to the folder containing the file. A user can gain access to
the files for which he or she has permissions by using the full Universal Naming Convention (UNC) or local path to
open the file from its respective application, even though the folder in which it resides will be invisible if the user
has no corresponding folder permission. In other words, if you do not have permission to access the folder
containing the file you want to access, you must know the full path to the file to access it. Without permission to

mk:@MSITStore:C:\Program%20Files\MSPress\BooksOnline\Microsoft%20.../ch09b.ht 11/24/2003
Lesson 1: Understanding NTFS Permissions Page 3 of 4

access the folder, you cannot see the folder, so you cannot browse for the file you want to access.

NOTE
The Traverse Folder/Execute File special permission allows or denies moving through
folders to reach other files or folders, even if the user has no permissions for the
traversed folders. This permission takes effect only when the group or user is not
granted the Bypass Traverse Checking user right in the Group Policy snap-in. For more
information on special permissions, see Lesson 3. For more information on user rights,
see Chapter 13, "Administering a Security Configuration."

Deny Overrides Other Permissions

You can deny permission to a user account or group for a specific file, although this is not the recommended way
to control access to resources. Denying permission overrides all instances where that permission is allowed. Even
if a user has permission to gain access to the file or folder as a member of a group, denying permission to the user
blocks any other permission that the user might have (see Figure 9.1).

Figure 9.1 Multiple NTFS permissions

In Figure 9.1, User1 has Read permission for FolderA and is a member of Group A and Group B. Group B has Write
permission for FolderA. Group A has been denied Write permission for File2.

User1 can read and write to File1. The user can also read File2, but she cannot write to File2 because she is a
member of Group A, which has been denied Write permission for File2.

NTFS Permissions Inheritance

By default, permissions that you assign to the parent folder are inherited by and propagated to the subfolders and
files that are contained in the parent folder. However, you can prevent permissions inheritance, as shown in Figure
9.2.

mk:@MSITStore:C:\Program%20Files\MSPress\BooksOnline\Microsoft%20.../ch09b.ht 11/24/2003
Lesson 1: Understanding NTFS Permissions Page 4 of 4

Figure 9.2 Permissions inheritance

Understanding Permissions Inheritance

Files and subfolders can inherit permissions from their parent folder. Whatever permissions you assign to the
parent folder can also apply to subfolders and files that are contained within the parent folder, depending on the
inheritance option set for a given object. When you assign NTFS permissions to give access to a folder, you assign
permissions for the folder and for any existing files and sub folders, as well as any new files and subfolders that
are created in the folder.

Preventing Permissions Inheritance

You can prevent permissions that are assigned to a parent folder from being inherited by subfolders and files that
are contained within the folder by setting an inheritance option set for a given object. That is, the subfolders and
files will not inherit permissions that have been assigned to the parent folder containing them.

If you prevent permissions inheritance for a folder, that folder becomes the top parent folder. Permissions
assigned to this folder will be inherited by the subfolders and files that it contains.

Lesson Summary

In this lesson you learned how NTFS permissions are used to specify which users and groups can gain access to
files and folders, and what these permissions allow users to do with the contents of the files or folders. NTFS
permissions are only available on NTFS volumes. You also learned that the folder permissions are Full Control,
Modify, Read & Execute, List Folder Contents, Read, and Write. The file permissions are similar to the folder
permissions. The file permissions are Full Control, Modify, Read & Execute, Read, and Write.

You learned about applying NTFS permissions. NTFS stores an ACL with every file and folder on an NTFS volume.
The ACL contains a list of all user accounts and groups that have been granted access for the file or folder, as well
as the type of access that they have been granted.

You also learned that you can assign multiple permissions to a user account by assigning permissions to the
individual user account and to each group of which the user is a member. You learned that NTFS file permissions
take priority over NTFS folder permissions.

Finally, you learned how permissions that you assign to the parent folder are inherited by and propagated to the
subfolders and files that are contained in the parent folder by setting an inheritance option set for a given object.
When permissions inheritance is prevented for a folder, the folder at which you prevent inheritance becomes the
new parent folder. Permissions assigned to this folder will be inherited by the subfolders and files that are
contained within it. Permissions inheritance can also be prevented for a file.

mk:@MSITStore:C:\Program%20Files\MSPress\BooksOnline\Microsoft%20.../ch09b.ht 11/24/2003
Lesson 2: Assigning NTFS Permissions Page 1 of 11

[Previous] [Next]

Lesson 2: Assigning NTFS Permissions

There are certain guidelines you should follow for assigning NTFS permissions. Assign permissions according to
group and user needs; this includes allowing or preventing permissions inheritance from parent folders to
subfolders and files that are contained in the parent folder. This lesson presents guidelines for planning NTFS
permissions and then walks you through the steps of assigning NTFS permissions.

After this lesson, you will be able to

„ Plan what permissions to assign to users or groups for applications and data
folders

„ Assign NTFS folder and file permissions to user accounts and groups

Estimated lesson time: 60 minutes

Planning NTFS Permissions

If you take the time to plan your NTFS permissions and follow a few guidelines, you will find that NTFS
permissions are easy to manage. Use the following guidelines when you assign NTFS permissions:

1. To simplify administration, group files into application, data, and home folders. Centralize home and public
folders on a volume that is separate from applications and the operating system. Doing so provides the
following benefits:

„ You assign permissions only to folders, not to individual files.

„ Backup is less complex because there is no need to back up application files, and all home and
public folders are in one location.

2. Allow users only the level of access that they require. If a user only needs to read a file, assign the Read
permission to his or her user account for the file. This reduces the possibility of users accidentally modifying
or deleting important documents and application files.

3. Create groups according to the access that the group members require for resources, and then assign the
appropriate permissions to the group. Assign permissions to individual user accounts only when necessary.

4. When you assign permissions for working with data or application folders, assign the Read & Execute
permission to the Users group and the Administrators group. This prevents application files from being
accidentally deleted or damaged by users or viruses.

5. Turn off the permissions inheritance option at the home directory level. This allows the user to consider
permissions for each file or folder in the home directory.

6. When you assign permissions for public data folders, assign the Read & Execute permission and the Write
permission to the Users group, and the Full Control permission to CREATOR OWNER identity group. The
user who creates a file is by default the creator and owner of the file. After you create a file, you may grant
another user permission to take ownership of the file. The person who takes ownership would then become
the owner of the file. If you assign the Read & Execute permission and the Write permission to the Users
group, and the Full Control permission to CREATOR OWNER, users have the ability to read and modify
documents that other users create and the ability to read, modify, and delete the files and folders that they
create.

mk:@MSITStore:C:\Program%20Files\MSPress\BooksOnline\Microsoft%20.../ch09c.ht 11/24/2003
Lesson 2: Assigning NTFS Permissions Page 2 of 11

7. Deny permissions only when it is essential to deny specific access to a specific user account or group.

8. Encourage users to assign permissions to the files and folders that they create and educate them about
how to do so.

Setting NTFS Permissions

By default, when you format a volume with NTFS, the Full Control permission is assigned to the Everyone group.
You should change this default permission and assign other appropriate NTFS permissions to control the access
that users have to resources. Be careful if you assign permissions to the Everyone group and enable the Guest
account. Windows 2000 will authenticate a user who does not have a valid user account as Guest. The user
automatically gets all rights and permissions that you have assigned to the Everyone group.

Assigning or Modifying Permissions

Administrators, users with the Full Control permission, and the owners of files and folders (CREATOR OWNER) can
assign permissions to user accounts and groups.

z To assign or modify NTFS permissions for a file or a folder

1. Right-click the file or folder for which you want to assign permissions, then click Properties.

2. In the Security tab (see Figure 9.3) of the Properties dialog box for the file or folder, configure the options
that are described in Table 9.3.

Figure 9.3 Security tab of the Properties dialog box for the Data folder

mk:@MSITStore:C:\Program%20Files\MSPress\BooksOnline\Microsoft%20.../ch09c.ht 11/24/2003
Lesson 2: Assigning NTFS Permissions Page 3 of 11

Table 9.3 Security Tab Options

Option Description

Name Select the user account, group, or special entity for which you want
to change permissions or that you want to remove from the list.

Permission To allow a permission, select the Allow check box. To deny a

permission, select the Deny check box.

Add Opens the Select Users, Computers, Or Groups dialog box, which
you use to select user accounts and groups to add to the Name list.

Remove Removes the selected user account, group, or special entity and the
associated permissions for the file or folder.

Advanced Opens the Access Control Settings For dialog box, which you use to
add, remove, view, or edit special permissions for selected user
accounts and groups.

Allow Inheritable Permissions From Specifies whether permissions for this object will be affected by
Parent To Propogate To This Object inheritance.

Preventing Permissions Inheritance

By default, subfolders and files inherit permissions that you assign to their parent folder. This is indicated in the
Security tab in the Properties dialog box by a check in the Allow Inheritable Permissions From Parent To Propagate
To This Object check box. If the check boxes under Permissions are shaded, then the file or folder has inherited
permissions from the parent folder. To prevent a subfolder or file from inheriting permissions from a parent folder,
clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box. If you clear this check
box, you are prompted to select one of the options described in Table 9.4.

Table 9.4 Preventing Permissions Inheritance Options

Option Description

Copy Copy the permissions from the parent folder to the current folder and then deny subsequent
permissions inheritance from the parent folder.

Remove Remove the permissions that are assigned to the parent folder and retain only the permissions
that you explicitly assign to the file or folder.

Cancel Cancel the dialog box and restore the check mark in the Allow Inheritable Permissions From
Parent To Propagate To This Object check box.

Practice: Planning and Assigning NTFS Permissions

In this practice you plan NTFS permissions for folders and files based on a business scenario. Then you apply NTFS
permissions for folders and files on your computer based on a second scenario. Finally, you test the NTFS
permissions that you set up to make sure that they are working properly.

Exercise 1: Planning NTFS Permissions

mk:@MSITStore:C:\Program%20Files\MSPress\BooksOnline\Microsoft%20.../ch09c.ht 11/24/2003
Lesson 2: Assigning NTFS Permissions Page 4 of 11

In this exercise you plan how to assign NTFS permissions to folders and files on a computer running Windows
2000 Server, based on the scenario described in the next section.

Scenario

The default NTFS folder and file permissions are Full Control for the Everyone group. Figure 9.4 shows the folder
and file structure used for this practice. You need to review the following security criteria and record the changes
that you should make to the NTFS folder and file permissions to meet the security criteria.

Figure 9.4 Folder and file structure for practice

To plan NTFS permissions, you must determine the following:

„ What groups to create and what built-in groups to use

„ What permissions users will require to gain access to folders and files

„ Whether or not to clear the Allow Inheritable Permissions From Parent To Propagate To This Object check
box for the folder or file for which you are assigning permissions

Keep the following general guidelines in mind:

„ NTFS permissions that are assigned to a folder are inherited by all of the folders and files that it contains.
To assign permissions for all of the folders and files in the Apps folder, you need only assign NTFS
permissions to the Apps folder.

„ To assign more restrictive permissions to a folder or file that is inheriting permissions, you must either deny
the unwanted permissions or block inheritance by clearing the Allow Inheritable Permissions From Parent To
Propagate To This Object check box.

The decisions that you make are based on the following criteria:

„ In addition to the default built-in groups, the following groups have been created in the domain:

„ Accounting

„ Managers

„ Executives

„ Administrators require the Full Control permission for all folders and files.

„ All users will run programs in the WordProc folder, but they should not be able to modify the files in the
WordProc folder.

mk:@MSITStore:C:\Program%20Files\MSPress\BooksOnline\Microsoft%20.../ch09c.ht 11/24/2003
Lesson 2: Assigning NTFS Permissions Page 5 of 11

„ Only members of the Accounting, Managers, and Executives groups should be able to read documents in
the Spreadsh and Database application folders by running the associated spreadsheet and database
applications, but they should not be able to modify the files in those folders.

„ All users should be able to read and create files in the Public folder.

„ All users should be prevented from modifying files in the Public\Library folder.

„ Only USER81 should be able to modify and delete files in the Public\Manuals folder.

When you apply custom permissions to a folder or file, which default permission entry should you remove?

Complete Table 9.5 to plan and record your permissions.

Table 9.5 Permissions Planning Table for Exercise 1

Path User Account or Group NTFS Permissions Block Inheritance (Yes/No)

Apps

Apps\WordProc

Apps\Spreadsh

Apps\Database

Public

Public\Library

Public\Manuals

Exercise 2: Assigning NTFS Permissions for the Data Folder

In this exercise you assign NTFS permissions for the C:\Data folder (where C:\ is the name of your system drive)
based on the scenario described next.

Before beginning the following exercises, create the users and groups listed in Table 9.6.

Table 9.6 Users and Groups for Exercise 2

Group User Account

Managers USER81 (member of Print Operators)

Sales User82 (member of Sales and Print Operators)

Sales User83 (member of Managers and Print Operators)

Create the following folders (where C:\ is the name of your system drive):

„ C:\Data

„ C:\Data\Managers

„ C:\Data\Managers\Reports

mk:@MSITStore:C:\Program%20Files\MSPress\BooksOnline\Microsoft%20.../ch09c.ht 11/24/2003
Lesson 2: Assigning NTFS Permissions Page 6 of 11

„ C:\Data\Sales

Scenario

The permissions that you assign are based on the following criteria:

„ All users in the domain should be able to read documents and files in the Data folder.

„ All users in the domain should be able to create documents in the Data folder.

„ All users in the domain should be able to modify the contents, properties, and permissions of the
documents that they create in the Data folder.

z To remove permissions from the Everyone group

1. Log on to your domain as Administrator.

2. Right-click My Computer, then click Explore.

3. Expand the Local Disk (C:), right-click the C:\Data folder, then click Properties.

Windows 2000 displays the Data Properties dialog box with the General tab active.

4. Click the Security tab to display the permissions for the Data folder.

Windows 2000 displays the Data Properties dialog box with the Security tab active.

What are the existing folder permissions?

Notice that the current allowed permissions cannot be modified.

5. Under Name, select the Everyone group, then click Remove.

What do you see?

6. Click OK to close the message box.

7. Clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box to block
permissions from being inherited.

Windows 2000 displays the Security message box, prompting you to copy the currently inherited
permissions to the folder or remove all permissions for the folder except those that you explicitly specify.

8. Click Remove.

What are the existing folder permissions?

Answers

z To assign permissions to the Users group for the Data folder

1. In the Data Properties dialog box, click Add.

Windows 2000 displays the Select Users, Computers, Or Groups dialog box.

mk:@MSITStore:C:\Program%20Files\MSPress\BooksOnline\Microsoft%20.../ch09c.ht 11/24/2003
Lesson 2: Assigning NTFS Permissions Page 7 of 11

2. In the Look In list at the top of the Select Users, Computers, Or Groups dialog box, select your domain.

The Look In list allows you to select the computer or domain from which to select user accounts, groups, or
computers when you assign permissions. You should specify your domain to select from the user accounts
and groups that you created.

3. In the Name column, select Users, then click Add.

Users is listed in the box at the bottom of the Select Users, Computers, Or Groups dialog box.

In the box at the bottom of the Select Users, Computers, Or Groups dialog box, you can also type the name
of the object you want. You can type multiple names by separating them with semicolons. If the object
exists in a Windows 2000 domain or global catalog, you can type the first few characters of the name and
then click Check Names. Windows 2000 either completes the name if there are no similar names, or
prompts you to choose a name from a list of similar names.

4. Click OK to return to the Data Properties dialog box.

What are the existing allowed folder permissions?

5. Make sure that Users is selected, and then next to Write, select the Allow check box.

6. Click Apply to save your changes.

Answers

z To assign permissions to the CREATOR OWNER group for the Data folder

1. In the Security tab of the Data Properties dialog box, click Add.

Windows 2000 displays the Select Users, Computers, Or Groups dialog box.

2. In the Look In list at the top of the Select Users, Computers, Or Groups dialog box, select your domain.

3. In the Name list, select CREATOR OWNER, then click Add.

CREATOR OWNER is listed in the box at the bottom of the Select Users, Computers, Or Groups dialog box.

4. Click OK to return to the Data Properties dialog box.

What are the existing allowed folder permissions?

5. Make sure that CREATOR OWNER is selected, and next to Full Control, select the Allow check box, then click
Apply to save your changes.

What do you see?

6. Click Advanced to display the additional permissions.

Windows 2000 displays the Access Control Settings For Data dialog box.

7. Under Name, select CREATOR OWNER.

What permissions are assigned to the CREATOR OWNER group and where do these permissions apply?
Why?

mk:@MSITStore:C:\Program%20Files\MSPress\BooksOnline\Microsoft%20.../ch09c.ht 11/24/2003
Lesson 2: Assigning NTFS Permissions Page 8 of 11

8. Click OK.

9. On the Data Properties dialog box, click OK, then log off your domain.

Answers

z To test the folder permissions that you assigned for the Data folder

1. Log on to your domain as USER81, then start Windows Explorer.

2. Expand the C:\Data directory.

3. In the Data folder, attempt to create a text file named User81.txt.

Were you successful? Why or why not?

4. Attempt to perform the following tasks for the file that you just created, and then record those tasks that
you are able to complete.

„ Open the file

„ Modify the file

„ Delete the file

5. Close all applications, then log off Windows 2000.

Answers

Exercise 3: Assigning NTFS Permissions

In this exercise you assign NTFS permissions to the Data, Managers, Reports, and Sales folders based on the
scenario described in the following section.

Scenario

Assign the appropriate permissions to folders as listed in Table 9.7.

Table 9.7 Folder Permissions for Exercise 3

Folder Name User Account or Group Permissions

C:\Data Users group Read & Execute

Administrators group Full Control

C:\Data\Managers Users group Read & Execute

Managers group Full Control
Administrators group Modify

C:\Data\Managers\Reports Users group Read & Execute

Administrators group Full Control
User82 Modify

C:\Data\Sales Users group Read & Execute

Administrators group Full Control
Sales group Modify

mk:@MSITStore:C:\Program%20Files\MSPress\BooksOnline\Microsoft%20.../ch09c.ht 11/24/2003
Lesson 2: Assigning NTFS Permissions Page 9 of 11

z To assign NTFS permissions for a folder

1. Log on to your domain as Administrator, then start Windows Explorer.

2. Expand the Local Disk (C:).

3. Right-click the folder for which you are modifying permissions, then click Properties.

Windows 2000 displays the Properties dialog box for the folder with the General tab active.

4. In the Properties dialog box for the folder, click the Security tab.

5. In the Security tab, if you need to modify the inherited permissions for a user account or group, clear the
Allow Inheritable Permissions From Parent To Propagate To This Object check box, and then when
prompted to copy or remove inherited permissions, click Copy.

6. To add permissions to user accounts or groups for the folder, click Add.

Windows 2000 displays the Select User, Computer, Or Group dialog box.

7. Make sure that your domain appears in the Look In list at the top of the Select Users, Computers, Or
Groups dialog box.

8. In the Name column, type the name of the appropriate user account or group, based on the preceding
scenario, then click Add.

Windows 2000 displays the user account or group under Name at the bottom of the dialog box.

9. Repeat Step 8 for each user account or group that is listed for the folder in the preceding scenario.

10. Click OK to return to the Properties dialog box for the folder.

11. If the Properties dialog box for the folder contains user accounts and groups that are not listed in the
preceding scenario, select the user account or group, then click Remove.

12. For all user accounts and groups that are listed for the folder in the preceding scenario, under Name, select
the user account or group, and then under Permissions, select the Allow check box or the Deny check box
next to the appropriate permissions that are listed for the folder in the preceding scenario.

13. Click OK to apply your changes, and close the Properties dialog box for the folder.

14. Repeat this procedure for each folder for which you are assigning permissions as specified in the preceding
scenario.

15. Log off Windows 2000.

Exercise 4: Testing NTFS Permissions

In this exercise you log on using various user accounts and test NTFS permissions.

z To test permissions for the Reports folder while logged on as USER81

1. Log on as USER81, then start Windows Explorer.

2. In Windows Explorer, expand the C:\Data\Managers\Reports directory.

mk:@MSITStore:C:\Program%20Files\MSPress\BooksOnline\Microsoft%20.../ch09c.ht 11/24/2003
Lesson 2: Assigning NTFS Permissions Page 10 of 11

3. Attempt to create a file in the Reports folder.

Were you successful? Why or why not?

4. Log off Windows 2000.

Answers

z To test permissions for the Reports folder while logged on as User82

1. Log on as User82, then start Windows Explorer.

2. Expand the C:\Data\Managers\Reports directory.

3. Attempt to create a file in the Reports folder.

Were you successful? Why or why not?

4. Log off Windows 2000.

Answers

z To test permissions for the Sales folder while logged on as Administrator

1. Log on to your domain as Administrator, then start Windows Explorer.

2. Expand the C:\Data\Sales directory.

3. Attempt to create a file in the Sales folder.

Were you successful? Why or why not?

4. Close Windows Explorer, and then log off Windows 2000.

Answers

z To test permissions for the Sales folder while logged on as USER81

1. Log on as USER81, then start Windows Explorer.

2. Expand the C:\Data\Sales directory.

3. Attempt to create a file in the Sales folder.

Were you successful? Why or why not?

Answers

z To test permissions for the Sales folder while logged on as User82

1. Log on as User82, then start Windows Explorer.

2. Expand the C:\Data\Sales directory.

mk:@MSITStore:C:\Program%20Files\MSPress\BooksOnline\Microsoft%20.../ch09c.ht 11/24/2003
Lesson 2: Assigning NTFS Permissions Page 11 of 11

3. Attempt to create a file in the Sales folder.

Were you successful? Why or why not?

4. Close all applications, then log off Windows 2000.

Answers

Lesson Summary

In this lesson you learned that by default, when you format a volume with NTFS, the Full Control permission is
assigned to the Everyone group. You learned that you should change this default permission and assign other
appropriate NTFS permissions to control the access that users have to resources. You learned that Administrators,
the owners of files or folders, and users with Full Control permission can assign NTFS permissions to users and
groups to control access to files and folders. You learned how to assign or modify NTFS permissions for a file or a
folder by using the Security tab of the Properties dialog box for the file or folder.

You also learned that by default, subfolders and files inherit permissions that you assign to their parent folder, and
you learned how to disable this feature so that subfolders and files do not inherit the permissions assigned to their
parents. In the practice exercises, you created some folders, assigned NTFS permissions, and then tested the
permissions you set up to determine if you set them up correctly.

mk:@MSITStore:C:\Program%20Files\MSPress\BooksOnline\Microsoft%20.../ch09c.ht 11/24/2003
Chapter 4 -- Implementing Active Directory Page 1 of 1

[Previous] [Next]

Chapter 4
Implementing Active Directory

About This Chapter

The success of your Microsoft Windows 2000 implementation depends on your Active Directory plan. This chapter
assists you in planning your Active Directory implementation. It also walks you through the steps of installing
Active Directory using the Active Directory Installation Wizard. Finally, this chapter shows you how to implement
an OU structure and provides procedures for setting OU properties.

Before You Begin

To complete the lessons in this chapter, you must have

„ Completed the Setup procedures located in "About This Book"

„ Knowledge about the difference between a workgroup and a domain

„ Knowledge about the difference between a domain controller and a member server

„ Experience using Microsoft Management Consoles (MMCs)

mk:@MSITStore:C:\Program%20Files\MSPress\BooksOnline\Microsoft%20.../ch04a.ht 11/24/2003
Lesson 4: Copying and Moving Files and Folders Page 1 of 4

[Previous] [Next]

Lesson 4: Copying and Moving Files and Folders

When you copy or move files and folders, the permissions you set on the files or folders might change. There are
rules that control how and when permissions change. It is important that you understand how and when
permissions change during a copy or move. This lesson explains what happens to permissions when a folder or file
is copied or moved.

After this lesson, you will be able to

„ Describe the effect on NTFS file and folder permissions when files and folders
are copied

„ Describe the effect on NTFS file and folder permissions when files and folders
are moved

„ List the required permissions for copying or moving files and folders

Estimated lesson time: 15 minutes

Copying Files and Folders

When you copy files or folders from one folder to another folder, or from one volume to another volume,
permissions change, as shown in Figure 9.7.

Figure 9.7. Copying files or folders between folders or volumes

When you copy a file within a single NTFS volume or between NTFS volumes

„ Windows 2000 treats it as a new file. As a new file, it takes on the permissions of the destination folder or
volume.

„ You must have Write permission for the destination folder to copy files and folders.

mk:@MSITStore:C:\Program%20Files\MSPress\BooksOnline\Microsoft%20.../ch09e.ht 11/24/2003
Lesson 4: Copying and Moving Files and Folders Page 2 of 4

„ You become the CREATOR OWNER.

NOTE
When you copy files or folders to non-NTFS volumes, the folders and files lose their
NTFS permissions because FAT volumes do not support NTFS permissions.

Moving Files and Folders

When you move a file or folder, permissions might or might not change, depending on where you move the file or
folder (see Figure 9.8).

Figure 9.8 Moving files or folders between folders or volumes

Moving Within a Single NTFS Volume

When you move a file or folder within a single NTFS volume

„ The folder or file retains the original permissions.

„ You must have the Write permission for the destination folder to move files and folders into it.

„ You must have the Modify permission for the source folder or file. The Modify permission is required to
move a folder or file because Windows 2000 deletes the folder or file from the source folder after it is
copied to the destination folder.

„ You become the CREATOR OWNER.

Moving Between NTFS Volumes

When you move a file or folder between NTFS volumes

„ The folder or file inherits the permissions of the destination folder.

„ You must have the Write permission for the destination folder to move files and folders into it.

mk:@MSITStore:C:\Program%20Files\MSPress\BooksOnline\Microsoft%20.../ch09e.ht 11/24/2003
Lesson 4: Copying and Moving Files and Folders Page 3 of 4

„ You must have the Modify permission for the source folder or file. The Modify permission is required to
move a folder or file because Windows 2000 deletes the folder or file from the source folder after it is
copied to the destination folder.

„ You become the CREATOR OWNER.

NOTE
When you move files or folders to FAT volumes, the folders and files lose their NTFS
permissions because FAT volumes do not support NTFS permissions.

Practice: Copying and Moving Folders

In this practice you see the effects of permissions and ownership when you copy and move folders.

z To create a folder while logged on as a user

1. While you are logged on as User83, in Windows Explorer, in C:\ (where C:\ is the name of your system
drive), create a folder named Temp1.

What are the permissions that are assigned to the folder?

Who is the owner? Why?

2. Close all applications, then log off Windows 2000.

Answers

z To create a folder while logged on as Administrator

1. Log on to your domain as Administrator, then start Windows Explorer.

2. In C:\ (where C:\ is the name of your system drive), create the following two folders: Temp2 and Temp3.

What are the permissions for the folders that you just created?

Who is the owner of the Temp2 and Temp3 folders? Why?

3. Remove the Everyone group, then assign the permissions shown in Table 9.11 to the Temp2 and Temp3
folders. You will have to clear the Allow Inheritable Permissions From Parent To Propagate To This Object
check box. To assign permissions for a group, click Add, select the group(s) from the Select Users,
Computers, Or Groups dialog box, click Add, then click OK. Set the appropriate permissions for the group(s)
on the Properties dialog box.

Answers

Table 9.11 Folder Permissions for Practice

mk:@MSITStore:C:\Program%20Files\MSPress\BooksOnline\Microsoft%20.../ch09e.ht 11/24/2003
Lesson 4: Copying and Moving Files and Folders Page 4 of 4

Folder Assign These Permissions

C:\Temp2 Administrators: Full Control

Users: Read & Execute

C:\Temp3 Backup Operators: Read & Execute

Users: Full Control

z To copy a folder to another folder within a Windows 2000 NTFS volume

1. Copy C:\Temp2 to C:\Temp1.

2. Select C:\Temp1\Temp2, then compare the permissions and ownership with C:\Temp2.

Who is the owner of C:\Temp1\Temp2 and what are the permissions? Why?

3. Close all applications, then log off Windows 2000.

Answers

z To move a folder within the same NTFS volume

1. Log on to your domain as User83.

2. Select C:\Temp3, then move it to C:\Temp1.

What happens to the permissions and ownership for C:\Temp1\Temp3? Why?

3. Close all applications, then log off Windows 2000.

Answers

Lesson Summary

In this lesson you learned that when you copy or move files and folders, the permissions you set on the files or
folders might change. You also learned that there are rules that control how and when permissions change. For
example, when you copy files or folders from one folder to another folder, or from one volume to another volume,
permissions change. Windows 2000 treats the file or folder as a new file or folder, and therefore it takes on the
permissions of the destination folder. You must have Write permission for the destination folder to copy files and
folders. When you copy a file, you become the CREATOR OWNER of the file. When you move a file or folder within
a single NTFS volume, the file or folder retains the original permissions. However, when you move a file or folder
between NTFS volumes, the file or folder inherits the permissions of the destination folder.

In the practice portion of this lesson you observed the effects of permissions and ownership when you copy and
move folders.

mk:@MSITStore:C:\Program%20Files\MSPress\BooksOnline\Microsoft%20.../ch09e.ht 11/24/2003