home » Administration » Configuring access rights to a folder in Windows. File and folder permissions in NTFS Permission to have everything and everyone

Configuring access rights to a folder in Windows. File and folder permissions in NTFS Permission to have everything and everyone

In this article we will describe in detail how you can change the permissions to files and folders in Windows 7, as well as how to change the owner of a file or folder. This knowledge will be useful, for example, for organizing home networkto which several users are connected.

The easiest way to change the owner of a file or folder is to use Windows explorer... Let's see how you can do this.

How to change the owner of a file or folder

Click on a file or folder right click mouse and select command Propertiesand then open the tab Safety... Click on the button Additionally.

The tab will open Owner.

Click on the button Edit and a window will open ... Now select desired user or a group in the list Change owner to and click on the button OK.

Let's assume that the desired user or group is not in the list. Click on the button Other users and groups... Now in the field enter the name of the user or group.

However, the name should be entered according to special rules, which can be found by clicking on the link examples.

There is a simpler option - click on the button Additionally and then on the button Search... In the window all users and groups on your computer will be found.

It remains to select a user or group and click on the button OK... We will return to the previous window where the user of our choice will be listed.

Click on the button OK... Now the main thing - check the box and then click on the button OK... As a result, the folder or file will get a new owner.

How to change file or folder permissions

Okay, we sorted out the owners. How about access permissions? So we added a new owner, however, what if it is necessary to indicate what exactly he is allowed to do, and why he should not roll his lip? This can also be done using the tab Safety.

Right click on a file or folder and select the command Propertiesthen go to tab Safety... Select in the box Groups or users desired user / group and click the Edit.

Now in the column Allow and Deny check the boxes next to the permissions you require. For example, if you want to prevent the user from changing files or folders, select the checkbox in the column Prohibit opposite permission The change... Then click on the button Apply and the ban will take effect.

How do I enable recording?

Master's answer:

Many users with a limited account face problems that arise when writing files to removable drives... Of course, such troubles can arise if the flash drive is malfunctioning, or if there are problems with formatting.

In the case of a problem with writing to the drive being used, if the user has a limited account on the computer, you need to change the parameter that prevents writing. To do this, after loading, you need to log into the operating system with the rights and with the "Administrator" account. Now you need to change your account settings in such a way that an account with limited capabilities can copy information to removable media.

Now all that remains is to apply the changes and close the windows using the OK button. After rebooting the PC, required for the changes to take effect, log back into the operating system using your account with a limited account. Copy a file to your removable drive as a sample.

It happens that a flash drive is deliberately protected from writing. To eliminate this, carefully consider how the small switch is located on the side of the flash drive - it should be in the Unlocked position. Most often, such actions are required by drives that are used in cameras, phones, players and other devices with SD and MicroSD cards memory.

The card-reader switch also requires special attention, if it is used as an adapter for connecting a device. And this applies to microSD adapters, which are shaped like an ordinary SD card format.

Find out if your flash card is password protected? If so, then it needs to be unlocked on the device where it was placed on the block. The presence of a lock on the flash drive will not allow recording to it.

But it happens that other reasons that cannot be clarified interfere with the recording. This means that the flash drive needs to be formatted, and not just standard programs on Windows! To do this, download and install on your PC special utilitiesdeveloped by the manufacturer of the flash drive. The utilities will help you format and fix removable disk errors.


In the vastness of Russia, many firms and small enterprises do not have their own system administrator on an ongoing basis or coming from time to time. The company grows and sooner or later one shared folder on the network, where everyone can do whatever he wants, becomes small. Access control is required for different users or user groups on the MS Windows platform. Linux users and experienced admins, please do not read the article.

The best option is to hire an experienced admin and think about buying a server. An experienced admin will decide on the spot whether to raise MS Windows Server from Active Directory or use something from the Linux world.

But this article was written for those who decided to suffer on their own for now, without using modern software solutions... I will try to explain at least how to correctly implement the differentiation of rights.

Before we start, I would like to chew a couple of points:

  • Any operating system "recognizes" and "distinguishes" real people through their accounts. It should be like this: one person \u003d one account.
  • The article describes the situation when the company does not have its own administrator and has not bought, for example, MS Windows Server. Any ordinary MS Windows simultaneously serves no more than 10 people for WinXP and 20 people for Win7 over the network. This is specifically done by Microsoft to client windows did not cross the road windows servers and you haven't ruined Microsoft's business. Remember the number 10-20 and when your company has more than 10-20 people, you will have to think about buying an MS Windows Server or ask someone to bring you a free Linux Samba server that does not have such restrictions.
  • Since you do not have a competent administrator, then your usual computer with client MS Windows will pretend to be file server... You will have to duplicate user accounts from other computers on it in order to access the shared files. In other words, if PC1 has an accountant Olya with an olya account, then on this "server" (hereinafter referred to as WinServer), you need to create an olya account with the same password as on PC1.
  • People come and go. Staff turnover is everywhere and if you are that poor person who is not an admin and is assigned (forced) to support the company's IT issues, then here's some advice. Create non-personal accounts. Create for managers - manager1, manager2. For accountants - buh1, buh2. Or something similar. Is the man gone? Another will not be offended if he uses manager1. Agree, this is better than using the olya account for Semyon, since there is no one to redo it, and everything has been working for 100 years.
  • Forget such words as: "make a password for the folder". The days when a password was imposed on resources are long gone. The philosophy of working with various resources has changed. Now the user logs into his system using an account (identification), confirming himself with his password (authentication) and he is given access to all authorized resources. Once logged in and got access to everything - that's what you need to remember.
  • It is advisable to perform the following actions from the built-in Administrator account or from the first account in the system, which by default is included in the Administrators group.

Cooking.

In Explorer, remove the simplified access to the things we need.

  • MS Windows XP. Tools menu - Folder options - View. Uncheck Use Sharing Wizard
  • MS Windows 7. Press Alt. Tools menu - Folder options - View. Uncheck Use simple general access to files.

Create a folder on your WinServer computer that will store your wealth in the form of files of orders, contracts, and so on. For me, as an example, it will be C: \\ dostup \\. The folder must be created on a partition with NTFS.

Access over the network.

At this stage, you need share over the network (share - share) a folder for other users to work with on their computers local network.

And the most important thing! Share the folder with full permission for everyone! Yes Yes! You heard right. But what about access control?

We allow everyone to connect to the folder on the local network, BUT we will delimit access by means of security stored in the NTFS file system on which our directory is located.

  • MS Windows XP. On desired folder (C: \\ dostup \\) right click and there Properties. Access tab - Full access.
  • MS Windows 7. On the desired folder (C: \\ dostup \\) right-click and there Properties. Access tab - Advanced configuration. Check the box Share this folder... We fill in the Note. We press Resolution. The Everyone group must have the right to Full access.

Users and security groups.

You need to create the required user accounts. I remind you that if on your numerous personal computers different user accounts are used, then they must all be created on your "server" and with the same passwords. This can only be avoided if you have a competent admin and computers in Active Directory. No? Then painstakingly create your accounts.

  • MS Windows XP.
    Local Users and Groups - Users. Action menu - New user.
  • MS Windows 7. Control Panel - Administrative Tools - Computer Management.
    Local Users and Groups - Users. Menu Action - Create user.

Now it's the turn of the most important thing - the groups! Groups allow you to include user accounts and simplify manipulations with the issuance of rights and access control.

Below will be explained the "overlay" of directories and files, but now the main thing is to understand one thought. The rights to folders or files will be granted to groups that can be figuratively compared to containers. And the groups will already "transfer" the rights to the accounts included in them. That is, you need to think at the group level, and not at the level of individual accounts.

  • MS Windows XP. Control Panel - Administrative Tools - Computer Management.
  • MS Windows 7. Control Panel - Administrative Tools - Computer Management.
    Local Users and Groups - Groups. Action menu - Create group.

You need to include the required accounts in the required groups. For example, on the Accountants group, right-click and there Add to group or Properties and there is an Add button. In field Enter the names of the objects to select enter the name of the required account and click Check names... If everything is correct, then the account will be changed to the type SERVER NAME \\ account. In the picture above, the buh3 account has been coerced to WINSERVER \\ buh3.

So, the required groups have been created and the user accounts are included in the required groups. But before the stage of assigning rights to folders and files using groups, I would like to discuss a couple of points.

Is it worth bothering with a group if it has one account? I think it's worth it! The group gives flexibility and agility. Tomorrow you will need to give another person B the same rights as to a certain person with his account A. You just add account B to the group where there is already A and that's it!

It is much easier when permissions are assigned to groups rather than to individuals. You just have to manipulate the groups and include the necessary accounts in them.

Access rights.

It is advisable to perform the following actions from the built-in Administrator account or from the first account in the system, which by default is included in the Administrators group.

So we got to the stage where the magic of differentiating access rights for various groups, and through them, for users (more precisely, their accounts), takes place.

So, we have a directory at C: \\ dostup \\, which we have already made available to all employees over the network. Inside the C: \\ dostup \\ directory, for the sake of example, let's create the folders Agreements, Orders, MC accounting. Suppose there is a task to do:

  • the Agreement folder should be read-only for Accountants. Reading and writing for a group of Managers.
  • the UUCHMTs folder must be available for reading and writing for Accountants. The Group of Managers has no access.
  • the Orders folder must be read-only for Accountants and Managers.

On the Treaties folder, right-click and there Properties - the Security tab. We see that some groups and users already have access to it. These rights were inherited from parent dostup \\, and that in turn from its parent C:

We will interrupt this inheritance of rights and assign our wishlists.

Click the Advanced button - Permissions tab - button Change permissions.

First, we interrupt the inheritance of rights from the parent. Uncheck the box Add permissions inherited from parent objects. We will be warned that parental permissions will not apply to this object (in this case, the Contract folder). Choice: Cancel or Remove or Add. Click Add and the rights from the parent will remain as inheritance, but the parent's rights will no longer apply to us. In other words, if in the future the access rights of the parent (the dostup folder) are changed, this will not affect the child folder of the Agreement. Notice in the field Inherited from worth not inherited... That is, the connection parent - child torn apart.

Now carefully remove the extra rights, leaving Full access for Administrators and System. We select in turn all sorts Verified and just Users and delete with the Delete button.

Add button in this window Additional security options designed for experienced admins who can set special, special permissions. The article is aimed at the knowledge of an experienced user.

We check the box Replace all permissions of child object with permissions inherited from this object and click OK. Go back and OK again to go back to simple mind Properties.

This window will allow you to achieve what you want in a simplified way. The Modify button will display the Group Permissions window.

Click Add. In a new window, write Accountants and click "Check Names" - Ok. By default, "read" access is given in a simplified form. The checkboxes in the Allow column are automatically set to "Read and Execute", "List of folder contents", "Read". It suits us and press OK.

Now, according to our terms of reference, we need to grant read and write permissions for the Managers group. If we are in the Properties window, then again Change - Add - drive in Managers - Check names. Add the Change and Record checkboxes in the Allow column.

Now you need to check everything!

Follow the thought. We have ordered that the Treaty folder does not inherit from its parent dostup. We ordered the child folders and files inside the Agreement folder to inherit the rights from it.

We have imposed the following access rights on the Agreement folder: the Accountants group should only read files and open folders inside, and the Managers group should create, modify files and create folders.

Therefore, if a document file is created inside the Contract directory, it will have permissions from its parent. Users with their own accounts will access such files and directories through their groups.

Go to the contracts folder and create a test file contract1.txt

Right-click on it and there Properties - Security tab - Advanced - Effective Permissions tab.

Click Select and write the account of any accountant, for example buh1. We can clearly see that buh1 received rights from his group Accountants, who have read rights to the parent folder of the Agreement, which "extends" its permissions to its child objects.

We try manager2 and see clearly that the manager gets read and write access, since it is a member of the Managers group, which gives such rights to this folder.

In absolutely the same way, by analogy with the Contract folder, access rights for other folders are superimposed, following your terms of reference.

The bottom line.

  • Use NTFS partitions.
  • When delimiting access to folders (and files), then manipulate groups.
  • Create accounts for each user. 1 person \u003d 1 account.
  • Include accounts in groups. The account can be logged in at the same time different groups... If the account is in several groups and any group allows something, then this will be allowed for the account.
  • The Deny column (Deny rights) take precedence over Allow. If an account is in several groups and some group prohibits something, and another group permits it, then this will be denied to the account.
  • Remove an account from a group if you want to revoke the access that this group gives.
  • Consider hiring an admin and don’t offend him with money.

Ask questions in the comments and ask, correct.

The video material shows a special case when you just need to deny access to a folder, using the fact that denying rules take precedence over allowing rules.

Computers running operating rooms windows systems, can work with various file systems such as FAT32 and NTFS. Without going into similarities, we can say one thing that they differ in the main - the NTFS file system allows you to configure security settings for each file or folder (directory). Those. For each file or folder, the NTFS file system stores so-called Access Control Lists (ACLs), which list all users and groups that have certain access rights to this file or folder. The FAT32 file system does not have this capability.

In the NTFS file system, each file or folder can have the following security rights:

  • Reading - Allows browsing folders and viewing a list of files and subfolders, viewing and accessing file contents;
  • Recording - Allows adding files and subfolders, writing data to a file;
  • Reading and Executing - Allows browsing folders and viewing a list of files and subfolders, allows viewing and accessing the contents of a file, as well as launching an executable file;
  • List of folder contents - Allows browsing folders and viewing only the list of files and subfolders. This permission does not give access to the contents of the file !;
  • Edit - Allows viewing content and creating files and subfolders, deleting a folder, reading and writing data to a file, deleting a file;
  • Full access - Allows viewing content, as well as creating, modifying and deleting files and subfolders, reading and writing data, and modifying and deleting a file

The rights listed above are basic. Basic rights are made up of special rights. Special rights are more detailed rights from which the basic rights are formed. Using special rights gives you a lot of flexibility when setting up access rights.

List of special access rights to files and folders:

  • Browse folders / Execute files - Allows moving through the folder structure in search of other files or folders, executing files;
  • Folder Content / Data Reading - Allows viewing the names of files or subfolders contained in a folder, reading data from a file;
  • Reading attributes - Allows viewing such attributes of a file or folder as "Read Only" and "Hidden";
  • Reading additional attributes - Allows viewing additional attributes of a file or folder;
  • File Creation / Data Writing - Allows creating files in a folder (applies only to folders), making changes to a file and overwriting existing content (applies only to files);
  • Create folders / Add data - Allows the creation of folders in a folder (applies only to folders), adding data to the end of the file, but not modifying, deleting or replacing existing data (applies only to files);
  • Writing attributes - Allows or denies the change of such attributes of a file or folder as "Read Only" and "Hidden";
  • Writing additional attributes - Allows or denies the change of additional attributes of a file or folder;
  • Removing subfolders and files - Allows deleting subfolders and files even if you do not have the "Delete" permission (applies only to folders);
  • Deleting - Allows deleting a file or folder. If the file or folder does not have Delete permission, you can still delete the object if you have the Delete Subfolders and Files permission on the parent folder;
  • Reading Permissions - Allows reading of such file or folder permissions as "Full Control", "Read" and "Write";
  • Change permissions - Allows changing such permissions to access a file or folder, such as "Full Control", "Read" and "Write";
  • Change of ownership - Allows to take possession of a file or folder;
  • Synchronization - Allows different streams to wait for files or folders and synchronize them with other streams that might be occupying them. This permission applies only to programs running in multi-threaded mode with multiple processes;

!!! All basic and special rights are both permissive and prohibitive.

All file and folder permissions are divided into two types: explicit and inherited. The inheritance mechanism implies the automatic transfer of something from the parent to the child. In a file system, this means that any file or folder can inherit its rights from the parent folder. This is a very convenient mechanism that eliminates the need to assign explicit rights for everyone again generated files and folders. Imagine that you have several thousand files and folders on some disk, how can you give them all access rights, sit and assign each one? No. The inheritance mechanism works here. We created a folder in the root of the disk, the folder automatically received exactly the same rights as the root of the disk. Changed the rights for the newly created folder. Then another subfolder was created inside the created folder. This newly created subfolder will inherit permissions from the parent folder and so on. etc.

The result of the application of explicit and inherited rights will be the actual rights to a specific folder or file. There are a lot of pitfalls. For example, you have a folder where you allow the user "Vasya" to delete files. Then you remember that in this folder there is one very important file that Vasya should not delete in any case. You set an explicit ban on an important file (special ban right "Removal")... It would seem that the job is done, the file is clearly protected from deletion. And Vasya calmly enters the folder and deletes this super-protected file. Why? Because Vasya has the rights to delete from the parent folder, which in this case are priority.

Try not to use the assignment of rights directly to files, assign rights to folders.

!!! Try to assign rights only to groups, this greatly simplifies administration. The assignment of rights to specific users is not recommended by Microsoft. Do not forget that a group can include not only users, but other groups as well.

For instance. If a computer is included in a domain, then the Domain Users group (domain users) is automatically added to its local Users group, and the Domain Admins group (domain administrators) is automatically added to the local Administrators group, and accordingly, assigning to any folder rights to a group of local users, you automatically assign rights for all users of the domain.

Do not be discouraged if everything described above is not immediately clear. Examples and independent work will quickly fix the situation!

Let's get down to specifics.

I will show all examples by example windows windows XP. In Windows 7 and above, the essence remains the same, only there are a little more windows.

So, in order to assign or change the rights to a file or a pack, you need to right-click on desired file or folder select menu item "Properties"

You should open a window with a bookmark "Safety"

If there is no such tab, then we do the following. Launch Explorer, then open the menu "Service""Folder properties…"

In the window that opens, go to the "View" tab and uncheck the parameter Use Simple File Sharing (Recommended)

That's it, now all the properties of the file nTFS systems.

Back to the bookmark "Safety".

A lot of information is available to us in the window that opens. Above is the list "Groups and users:", which lists all users and groups that have access rights to this folder (arrow 1). The lower list shows the permissions for the highlighted user / group (arrow 2). In this case, this is the SYSTEM user. In this list of permissions, you can see the base permissions. Please note that in the column "Allow" check marks are faded and not editable. This indicates that these rights are inherited from the parent folder. Once again, in this case, all the SYSTEM user rights to the folder "Working" are completely inherited from the parent folder, and the SYSTEM user has all rights ( "Full access")

Highlighting in the list the right group or user, we can see the basic rights for this group or user. Highlighting the user "Guest user ( [email protected] you can see that he has all explicit rights

And here is the group "Users (KAV-VM1 \\ Users" has combined rights, some of them are inherited from the parent folder (gray squares opposite Read and Execute, "List of folder contents", "Reading"), and the part is explicitly established - this is the right "Change" and "Record"

!!!Attention. Pay attention to the names of users and groups. The group or user affiliation is indicated in parentheses. Groups and users can be local, i.e. created directly on this computer, or can be domain. In this case, the group "Administrators" local, since the entry in brackets indicates the name of the KAV-VM1 computer, and the slash is followed by the name of the group itself. On the contrary, the user "Guest user" is a user of the btw.by domain, as indicated by the full name record [email protected]

Often, when viewing or changing rights, you can limit yourself to a window with basic rights, but sometimes this is not enough. Then you can open a window in which you change special permissions, the owner, or view the effective permissions. How to do it? Click on the button "Additionally"... This window opens

In this window in the table Permission Items lists all users who have rights to this folder. In the same way as for basic permissions, we select the desired user or group and click the button "Change"... Opens a window showing all special permissions for the selected user or group

Similar to base permissions, special permissions inherited from the parent folder will be shown in a dim gray color and will not be editable

As you may have noticed, there are several lines in the special permissions window for some users or groups.


This is because for one user or group there may be different kinds rights: explicit and inherited, allowing or denying, differing in the type of inheritance. In this case, read rights for the Users group are inherited from the parent folder, and edit rights are explicitly added.

Examples of assigning rights.

!!! All examples will come with increasing complexity. Read and deal with them in the same sequence as they go in the text. I will omit actions of the same type in the following examples to reduce the amount of text. 🙂

Example 1. Granting read-only access to a folder to a specific local security group.

First, let's create a local group, into which we'll include the entire list of users we need. It is possible without a group, but then for each user you will need to configure rights separately, and each time you need to give rights to a new person, you will need to do all the operations again. And if you grant the rights to a local group, then only one action is required to set up a new person - including this person in the local group. How to create a local security group is read in the article "Configuring local security groups".

So. We have created a local security group named Read Colleagues


to which all the necessary users have been added.

Now I set up access rights to the folder. In this example, I will make the access rights of the created group "To Colleagues for Reading" per folder "A photo".

Right click on the folder "A PHOTO" and select the menu item "Properties", go to the bookmark "Safety".

In the opened tab "Safety" the current folder rights are displayed "A PHOTO"... Having selected groups and users in the list, you can see that the rights of this folder are inherited from the parent folder (gray checkmarks in the column "Allow"). In this situation, I do not want anyone other than the newly created group to have at least some access to the folder "A PHOTO".

Therefore, I must remove the inheritance of rights and remove unnecessary users and groups from the list. I press the button "Additionally"... In the window that opens,


I uncheck the box "Inherit from parent object permissions applicable to child objects, adding them to those explicitly set in this window." ... This will open a window in which I can choose what to do with the current inherited rights.

In most cases, I advise you to click the button here "Copy"because if you choose "Delete", then the list of rights becomes empty, and you can actually take the rights from yourself. Yes, don't be surprised, it's very easy to do. And if you are not an administrator on your computer, or a user of a group Archive Operators, then it will be impossible for you to restore the rights. The situation is like a door with an automatic latch that you close while leaving the keys inside. Therefore, it is better to always press the button. "Copy", and then delete the unnecessary.

After I pressed "Copy", I again return to the previous window, only with the unchecked box.

I press "OK" and go back to the basic rights window. All rights have become available for editing. I need to leave the rights for the local group "Administrators" and user SYSTEM, and delete the rest. I select unnecessary users and groups one by one and click the button "Delete".

As a result, I get this picture.

Now I just have to add the group "To Colleagues for Reading" and assign read rights to this group.

I press the button Add, and in the standard selection window I select the local group "To Colleagues for Reading"... How to work with the selection window is described in detail in the article.

As a result of all the actions, I added the group "For colleagues for reading" to the list of basic rights, while the rights for this group were automatically set Read and Execute, "List of folder contents", "Reading".

Everything, it remains to press the button "OK" and rights are assigned. Now any user who belongs to the local security group "To Colleagues for Reading", will be able to read the entire contents of the folder "A PHOTO".

Example 2. Granting personal access to users to their subfolders in a folder.

This situation is also common in practice. For example, you have a folder for new scanned documents. A separate subfolder is created for each user in this folder. After scanning the document is taken by the user from his subfolder. The task is to assign rights so that each user can see the contents of only his subfolder and cannot access the colleague's subfolder.

For this example I will paraphrase the task a little. Suppose we have shared folder "A PHOTO", which has a subfolder for each user. It is necessary to configure the rights so that the user has all rights in his subfolder, and the subfolders of other users would be inaccessible to him.

For this setup, I completely repeat all the steps from the first example. As a result of the repetition, I get the rights for the whole group. "To Colleagues for Reading" to read to all subfolders. But my task is to make only "my" subfolder visible to the user. Therefore, in the basic rights window, I click the button "Additionally"


and go to the special rights window, in which I select the group "To Colleagues for Reading" and press the button "Change"

In the window that opens, I change the inheritance rules, instead of the value in the field "Use:" i choose value "Only for this folder".

This is the key point of this example. Value "Only for this folder" causes the group read permissions "To Colleagues for Reading" only apply to the root of the folder "A PHOTO"but not to subfolders. Thus, each user will be able to get to his folder, but he will not be able to look into the neighboring one, he does not have the right to view subfolders. If you do not give this right to the group at all, then users will not be able to get into their subfolders at all. The file system will not let them pass even to the folder "A PHOTO".

As a result, users will be able to enter the folder "A PHOTO" but they won't be able to go further into subfolders!

In the special rights window, click "OK" and exit to the previous window, now in the column "Apply to" opposite the group "To Colleagues for Reading" worth the value "Only for this folder".

Click in all windows "OK" and we leave.

Everything. Now it remains to configure personal rights for each subfolder. This will have to be done for each subfolder, the rights are personal for each user.

You have already done all the necessary actions in the first example, we will repeat the past 🙂

On a subfolder "User1" I press the right mouse button, select the menu item "Properties", go to the bookmark "Safety"... I press the button Add

and in the standard selection window I select a domain user with the name "User1".

It remains to check the box for the permissive right "Change"... In this case, a checkmark for the permissive right "Record" will be installed automatically.

Push "OK"... We leave. It remains to repeat the same steps for all subfolders.

Example 3. Granting personal access to a user to his subfolder for writing, while prohibiting changes or deletions.

I understand that it sounds hard, but I will try to explain. I call this kind of access a latch. In everyday life we \u200b\u200bhave a similar situation with the usual by mailboxinto which we throw paper letters. Those. You can throw a letter into the box, but you cannot take it out of the box. In the computer economy, this can be useful for a situation when someone writes a report to your folder. Those. the file is written by the user, but then this user cannot do anything with this file. Thus, you can be sure that the creator will no longer be able to change or delete the submitted report.

As in the previous example, we repeat all the actions, except that we do not immediately give the user full rights to his folder, initially in the basic permissions we give only read access, and press the button "Additionally"

In the window that opens, select "User1" and press the button "Change"

In the window that opens, we see the standard read permissions

In order to give the rights to the user to create files, set the permission to the right "Create Files / Write Data", but on the right "Removing subfolders and files" and "Removal" we put a ban. Leave standard inheritance "For this folder, its subfolders and files".

After pressing the button "OK" and return to the previous window, you can see significant changes. Instead of one entry for "User1" two appeared.

This is because two types of rights are set, one prohibiting, they go first in the list, the second permissive, they are second in the list. Since special rights are non-standard, in the column "Resolution" worth the value "Special"... When the button is pressed "OK" a window appears, to which windows warns that there are denying rights and that they have a higher priority. Translated, this means the same situation with a self-closing door, the keys to which are inside. I described a similar situation in the second example.

Everything. The rights are established. Now "User1" can write any file to its folder, open it, but cannot change or delete it.

What about complete analogy with a real mailbox?

To prevent the user from opening or copying the recorded file, do the following. Again, open the permitting special permissions for "User1", and in the field "Use:" change the value to "Only for this folder"

In this case, the user does not have the right to read or copy the file.

Everything. Now the analogy with a physical mailbox is almost complete. He will only be able to see the names of files, their size, attributes, but he will not be able to see the file itself.

View active rights.

I want to say right away that the ability to view the current rights for a folder or file is a complete fiction. In my opinion, such tools should provide guaranteed information. This is not the case in this case. Microsoft itself acknowledges that this tool does not consider many factors that affect the resulting entitlements, such as terms of entry. Therefore, to use such a tool is only to mislead oneself about real rights.

The case described at the very beginning of the article, with the prohibition to delete a file from a folder, in this case is very eloquent. If you simulate a similar situation and look at the rights of a file protected from deletion, you will see that the file's rights for deletion are prohibited. However, deleting this file is not difficult. Why Microsoft did this - I don't know.

If you still decide to look at the current rights, then for this you need to click the button in the basic rights window "Additionally", and in the special rights window go to the tab "Valid Permits".

Then you need to press the button "Choose" and select the required user or group in the standard selection window.

Once selected, you can see the "approximate" valid permissions.

In conclusion, I want to say that the topic is right file system NTFS is very extensive, the examples above are just a very small part of what you can do. Therefore, if you have any questions, ask them in the comments to this article. I will try to answer them.

Tweet

When opening, deleting, or otherwise manipulating files and folders, you may encounter a file access error. I will talk about how to deal with this and why it happens.

How to get full access to files and folders

First, an instruction on how to get full access to folders and files. The next chapter will be an explanation for the curious.

Open the folder where the problem file or folder is located. To get full access to their content, you need to configure file access:

1. Right-click on a locked file (or folder) without access - Properties -select the tab Safety:

2. Push the button Additionally -select the tab Owner:

3. Push the button Edit and select your username (in my case it is Dima, you will have something else), also put a daw on Replace owner of subcontainers and objects:

4. If a window appears with the text “You do not have permission to read the contents of the folder. Do you want to replace the permissions for this folder so that you have full access rights? " Yes:

5. After changing the owner of the folder, a window appears with the text “You have just become the owner of this object. You need to close and reopen the properties window for that object to see or change the permissions. " Push OK, then press again OK (in the window Additional security options).

6. In the window Properties - Safety press again Additionally, only now we are looking at the first tab of the window that opens - Permissions.Gotta push a button Change permissions:

7. Click the button Add to:

(If you are working with properties folders, not a file, check the box next to Replace all child object permissions with inherited permissions from this object.)

8. In the "Select: users or groups" window that opens, you will need to enter your username (you can see it in the "Start" menu - the name will be the very top line), click Check namesthen OK:

If you need a folder (or file) to open without restrictions by absolutely all users, i.e. not only yours, then press again Add to and enter the name " Everything"Without quotation marks (" All "in English windows versions), then press Check names and OK.

9. In the tab Permissions in turn, double-click on the lines with usernames and check the box "Full access":

This will automatically check the boxes below.

10. Then press OK, in the next window answer the warning Yes, again OKto close all windows.

Done! Full access to files and folders received! You can safely open them, change and perform other actions with them.

Conclusion: you need to take two steps: become the "owner" of a file or folder (item 3), then assign yourself access rights (item 6). Many instructions on how to get full access to files and folders mention only the first step, forgetting about the second. This is not entirely correct, because the security settings of a file / folder may be different, it is necessary to bring them back to their normal form, and not just become the "owner".

Why do you need permissions to files and folders

The mechanism of access control to files and folders is necessary for many reasons. For instance:

1. Restriction of access to information by different users.

If on one computer or in common network several (more than one) users work, it is logical to restrict access to information - some users have access to all information (most often they are administrators), others - only their own files and folders (ordinary users).

For example, at home, you can limit the rights of one user in such a way as to protect important files and folders from deletion (so that the child could not unknowingly delete important documents), while from the other (parent's profile) you could do whatever you want.

In the first chapter I showed how allow access to certain users. The same can be done limit access - the steps are the same, only in paragraph 9 other checkboxes must be checked.

2. Security of the operating system.

In Windows XP, everything is arranged quite primitively - users with administrator rights can change (and delete) any folders and files on the hard disk, including system ones, i.e. owned by Windows. In fact, any program running in the admin user profile could do with the content hard disk anything... For example, delete the boot.ini file, which will cause Windows to stop loading.

Under the rights of a limited user, where, thanks to the security settings, it was impossible to delete important system files, few people sat, preferring the administrator account. Thus, an account with administrator rights in Windows XP creates the most favorable environment for viruses.

IN Windows Vista, in Windows 7 and Windows 8 "User Account Control" (UAC for short) works: when working in an administrator account, programs launched by the user work with limited rights. That is, delete or change the system files of the program can not... Programs are able to gain more complete access by requesting it from the user using the UAC window, which I already mentioned:

If the file permissions are set correctly and UAC is enabled, viruses running in the Vista / 7/8 administrator account cannot seriously harm the system without the permission of the person sitting at the computer.

UAC useless in cases:

1. If a user is sitting at the computer, thoughtlessly pressing the "Yes" and "OK" buttons

2. If you run programs "as administrator" (right-click on the program shortcut - Run as administrator).

3. UAC is disabled.

4. For system files and folders on the hard drive are allowed full access to all users.

Programs running in a restricted account windows user Vista / 7/8 (type "Normal access"), cannot bring up the UAC window and work with administrator rights, which is quite logical.

I will repeat once again: when there is no way to elevate your rights to administrator rights, you cannot harm the operating system files protected by restricting access rights.

Reasons and solutions for file access problems

The problem is that you are trying to access files and folders created under a different account. There are two solutions: either allow all users access, or allow only those who need it by listing them. Both solutions are easy to implement following the instructions above. The only difference is that you will enter in paragraph 8 - the word "All" or listing users.

By the way, you can allow access to all, but deny access to one (several) users, while the deny setting will be a priority for the listed users.

There are many reasons for problems with accessing files. They most often appear if you have multiple accounts, multiple operating systems or computers - everywhere accounts different, when creating files and folders, the rights are also assigned different.

What can not be done with the rights of files and folders

In no case do not assign full access to files and folders on the entire hard disk with the installed operating system!

There is a myth that the operating system restricts user access to his files, so you need to assign access rights to all files on the disk. This is not true and you cannot change the rights of all files! In a system that was not "poked", access rights were not assigned manually, everything was assigned correctly!

Use my instructions only in case of real problems, not to prevent contrived ones.

Let me explain: by allowing access to system files, Windows will still work, but any virus or incorrectly working program can do very bad things. You hardly need problems.

The folders “C: \\ Windows”, “C: \\ Program files”, “C: \\ Program files (x86)”, “C: \\ Users”, “C: \\ System Volume Information”, “C: \\ ProgramData "," C: \\ Recovery "and many others. They cannot be changed, except for cases when it is necessary to perform any manipulations with the files (for example, to change windows theme), and you need to return the settings back.

Do not change the security settings "just like that", making the system defenseless against viruses and crashes! After windows installations access rights to system folders are configured correctly, do not need to change them!

Advice: if the program works correctly only if it is launched "as administrator", giving errors during normal startup - try to assign full rights to change the folder with it in "C: \\ Program files" or "C: \\ Program files (x86) "(Not the most the Program folder files, and the folder with the right program inside it!).

Very often it helps to run old games on Windows Vista / 7/8/10, which store settings files, save files inside their folder. Being launched without permission to modify their own files, such games at best cannot save game progress, at worst they close or do not start at all. It's the same with old programs.

conclusions

1. Assigning access rights is relatively easy.

2. Access rights cannot be changed without a valid purpose.

3. Changed the permissions of system files - change them back. To change rights systemic folders and files to the old ones, you can use this instruction (the method for Windows Vista should also work for Windows 7, Windows 8, 10).

4. Changing security settings is a delicate matter and the author of the article is not responsible for your actions.

Type

Related entries:

Presentation on the topicPresentation on the topic "social structure and social relations" Social stratification by Weber The rapid development and expansion of the fields of application of electronic devices is due to the improvement of the element base, - presentationThe rapid development and expansion of the fields of application of electronic devices is due to the improvement of the element base, - presentation Boolean values, operations, expressionsBoolean values, operations, expressions Presentation on the topicVon Neumann architecture presentation The history of the development of computer technology The beginning of the computer eraThe history of the development of computer technology The beginning of the computer era
New or popular