
How-To Geek

How to Understand Those Confusing Windows 7 File/Share Permissions

Have you ever tried to figure out all of the permissions in Windows? There’s share permissions, NTFS permissions, access control lists, and more. Here’s how they all work together.

The Security Identifier

The Windows operating systems use SIDs to represent all security principals. In their readable form SIDs are variable-length strings of letters, digits and hyphens that represent machines, users and groups. SIDs are added to ACLs (Access Control Lists) every time you grant a user or group permission to a file or folder. Behind the scenes SIDs are stored the same way all other data objects are, in binary; when Windows displays a SID, however, it uses a more readable syntax. It is not often that you will see any form of SID in Windows. The most common scenario is when you grant someone permission to a resource and their user account is later deleted: the entry then shows up as a bare SID in the ACL. So let's take a look at the typical format in which you will see SIDs in Windows.

The notation you will see follows a fixed syntax; below are the different parts of a SID in this notation.

  1. An ‘S’ prefix
  2. Structure revision number
  3. A 48-bit identifier authority value
  4. A variable number of 32-bit sub-authority or relative identifier (RID) values

Using my SID in the image below, we will break up the different sections to get a better understanding.

The SID Structure:

‘S’ – The first component of a SID is always an ‘S’. This is prefixed to all SIDs and is there to inform Windows that what follows is a SID.
‘1’ – The second component of a SID is the revision number of the SID specification; if the specification were to change, this number would provide backwards compatibility. As of Windows 7 and Server 2008 R2 the SID specification is still at its first revision.
‘5’ – The third section of a SID is called the Identifier Authority. This defines in what scope the SID was generated. Possible values for this section of the SID are:

  1. 0 – Null Authority
  2. 1 – World Authority
  3. 2 – Local Authority
  4. 3 – Creator Authority
  5. 4 – Non-unique Authority
  6. 5 – NT Authority

‘21’ – The fourth component is sub-authority 1. The value ‘21’ in this field specifies that the sub-authorities that follow identify the local machine or the domain.
‘1206375286-251249764-2214032401’ – These are called sub-authorities 2, 3 and 4 respectively. In our example they identify the local machine, but they could also be the identifier for a domain.
‘1000’ – Sub-authority 5 is the last component of our SID and is called the RID (Relative Identifier). The RID is relative to each security principal; note that any user-defined objects, the ones not shipped by Microsoft, will have a RID of 1000 or greater.
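As an added example (not code from the article), here is a small Python model of the SID notation just described: it parses the string form into the components above, flags the fields the article calls out (the ‘21’ machine-or-domain marker and the RID >= 1000 rule), and converts to and from the binary layout Windows stores (revision byte, sub-authority count byte, 6-byte big-endian identifier authority, then 32-bit little-endian sub-authorities). The well-known Everyone SID S-1-1-0 is used as a second input.

```python
import struct

# Identifier authority values listed in the article.
IDENTIFIER_AUTHORITIES = {
    0: "Null Authority",
    1: "World Authority",
    2: "Local Authority",
    3: "Creator Authority",
    4: "Non-unique Authority",
    5: "NT Authority",
}


def parse_sid(text):
    """Split the readable S-R-A-... form of a SID into its components."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % text)
    if not all(p.isdigit() for p in parts[1:]):
        raise ValueError("non-numeric SID component in %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if authority >= 2 ** 48:
        raise ValueError("identifier authority must fit in 48 bits")
    if any(s >= 2 ** 32 for s in subs):
        raise ValueError("sub-authorities must fit in 32 bits")
    return {
        "revision": revision,
        "authority": authority,
        "authority_name": IDENTIFIER_AUTHORITIES.get(authority, "unknown"),
        "sub_authorities": subs,
        # The last sub-authority is the RID; a SID with none has no RID.
        "rid": subs[-1] if subs else None,
        # S-1-5-21-...: the three values after 21 name a machine or a domain.
        "machine_or_domain": authority == 5 and len(subs) >= 4 and subs[0] == 21,
    }


def is_user_created(sid):
    """Per the article, objects not shipped by Microsoft get a RID of 1000 or more."""
    return sid["rid"] is not None and sid["rid"] >= 1000


def sid_to_bytes(sid):
    """Binary layout: revision, sub-authority count, 6-byte big-endian
    identifier authority, then each sub-authority as a 32-bit little-endian int."""
    subs = sid["sub_authorities"]
    header = struct.pack("<BB", sid["revision"], len(subs))
    authority = sid["authority"].to_bytes(6, "big")
    return header + authority + struct.pack("<%dI" % len(subs), *subs)


def sid_from_bytes(data):
    """Inverse of sid_to_bytes: rebuild the readable string form."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])
```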

Security Principals

A security principal is anything that has a SID attached to it; these can be users, computers and even groups. Security principals can be local or exist in the domain context. You manage local security principals through the Local Users and Groups snap-in under Computer Management. To get there, right click on the Computer shortcut in the Start menu and choose Manage.

To add a new user security principal, go to the Users folder, right click and choose New User.

If you double click on a user, you can add them to a security group on the Member Of tab.

To create a new security group, navigate to the Groups folder on the right hand side. Right click on the white space and select New Group.

Share Permissions and NTFS Permissions

In Windows there are two types of file and folder permissions: Share Permissions, and NTFS Permissions, also called Security Permissions. Take note that when you share a folder, by default the “Everyone” group is given the Read permission. Security on folders is usually done with a combination of Share and NTFS Permissions; if this is the case it is essential to remember that the most restrictive always applies. For example, if the share permission is set to Everyone = Read (the default) but the NTFS Permissions allow users to change a file, the Share Permission takes precedence and the users will not be allowed to make changes. When you set the permissions, LSASS (the Local Security Authority Subsystem Service) controls access to the resource. When you log on you are given an access token carrying your SIDs; when you go to access the resource, LSASS compares the SIDs in that token with the ones you added to the ACL (Access Control List), and if a SID is on the ACL it determines whether to allow or deny access. Whichever permissions you use there are differences, so let's take a look to get a better understanding of when we should use which.

Share Permissions:

  1. They only apply to users who access the resource over the network. They don't apply if you log on locally, for example through Terminal Services.
  2. They apply to all files and folders in the shared resource. If you want a more granular restriction scheme, use NTFS Permissions in addition to share permissions.
  3. If you have any FAT or FAT32 formatted volumes, share permissions are the only form of restriction available to you, as NTFS Permissions are not available on those file systems.

NTFS Permissions:

  1. The only restriction on NTFS Permissions is that they can only be set on a volume formatted with the NTFS file system.
  2. Remember that NTFS Permissions are cumulative: a user's effective permissions are the result of combining the user's assigned permissions with the permissions of any groups the user belongs to.
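The combining rules above (share permissions count only for network access, NTFS Allow entries accumulate across the user and its groups, and the more restrictive of the two wins) can be modelled in a few lines; this is an added Python illustration, not code from the article or from Windows, and it goes one step beyond the text by also applying the rule that an explicit NTFS Deny entry removes a right regardless of any Allow. The ALICE and EDITORS SIDs and the ACL entries are constructed sample data; S-1-1-0 is the well-known Everyone SID.

```python
# Rights carried by each share permission level (the classic Read / Change /
# Full Control; Windows 7's Read and Read/Write correspond to Read and Change).
SHARE_LEVELS = {
    "Read": {"read", "execute"},
    "Change": {"read", "execute", "write", "delete"},
    "Full Control": {"read", "execute", "write", "delete", "change permissions"},
}

# Rights carried by the basic NTFS permission levels the article describes.
NTFS_LEVELS = {
    "Read": {"read"},
    "Read & Execute": {"read", "execute"},
    "Modify": {"read", "execute", "write", "delete"},
    "Full Control": {"read", "execute", "write", "delete", "change permissions"},
}


def resolve_acl(token_sids, acl, levels):
    """Evaluate an ACL, a list of (sid, "Allow" | "Deny", level) entries,
    against the SIDs in an access token. Allow entries are cumulative across
    the user and all of its groups; an explicit Deny removes the right."""
    allowed, denied = set(), set()
    for sid, kind, level in acl:
        if sid not in token_sids:
            continue  # this entry is for some other principal
        (denied if kind == "Deny" else allowed).update(levels[level])
    return allowed - denied


def effective_access(token_sids, share_acl, ntfs_acl, over_network):
    """Share permissions apply only over the network; when both apply the
    result is their intersection, i.e. the more restrictive of the two."""
    rights = resolve_acl(token_sids, ntfs_acl, NTFS_LEVELS)
    if over_network:
        rights &= resolve_acl(token_sids, share_acl, SHARE_LEVELS)
    return rights


# Constructed sample data.
EVERYONE = "S-1-1-0"  # well-known SID of the Everyone group
ALICE = "S-1-5-21-1206375286-251249764-2214032401-1000"    # the article's SID
EDITORS = "S-1-5-21-1206375286-251249764-2214032401-1001"  # made-up group SID
ALICE_TOKEN = {ALICE, EDITORS, EVERYONE}  # SIDs placed in Alice's token at logon

# The article's scenario: the default share ACL (Everyone = Read) combined with
# NTFS permissions that would let Alice change files through her group.
SHARE_ACL = [(EVERYONE, "Allow", "Read")]
NTFS_ACL = [(ALICE, "Allow", "Read"), (EDITORS, "Allow", "Modify")]

if __name__ == "__main__":
    for over_network in (True, False):
        rights = effective_access(ALICE_TOKEN, SHARE_ACL, NTFS_ACL, over_network)
        print("over network" if over_network else "logged on locally", sorted(rights))
```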

The New Share Permissions

Windows 7 brought along a new “easy” share technique. The options changed from Read, Change and Full Control to Read and Read/Write. The idea was part of the whole HomeGroup mentality and makes it easy for people who are not computer literate to share a folder. This is done via the context menu and shares with your HomeGroup easily.

If you want to share with someone who is not in the HomeGroup, you can choose the “Specific people…” option, which brings up a more “elaborate” dialog where you can specify a particular user or group.

There are only two permissions, as previously mentioned; together they offer an all-or-nothing protection scheme for your folders and files.

  1. Read permission is the “look, don’t touch” option. Recipients can open, but not modify or delete a file.
  2. Read/Write is the “do anything” option. Recipients can open, modify, or delete a file.

The Old School Way

The old share dialog had more options: it let us share the folder under a different alias, limit the number of simultaneous connections, and configure caching. None of this functionality is lost in Windows 7; rather it is hidden under an option called “Advanced Sharing”. If you right click on a folder and go to its properties you can find these “Advanced Sharing” settings under the Sharing tab.

If you click on the “Advanced Sharing” button, which requires local administrator credentials, you can configure all the settings that you were familiar with in previous versions of Windows.

If you click on the Permissions button you'll be presented with the three settings we are all familiar with.

  1. Read permission allows you to view and open files and subdirectories as well as execute applications. However, it doesn't allow any changes to be made.
  2. Change permission allows you to do anything that Read permission allows; it also adds the ability to add files and subdirectories, delete subfolders and change data in the files.
  3. Full Control is the “do anything” of the classic permissions, as it allows you to do everything the previous permissions allow. In addition it lets you change NTFS Permissions, which only applies to folders on NTFS volumes.

NTFS Permissions

NTFS Permissions allow very granular control over your files and folders. With that said, the amount of granularity can be daunting to a newcomer. You can set NTFS permissions on a per-file basis as well as a per-folder basis. To set NTFS Permissions on a file, right click it, go to the file's properties and then to the Security tab.

To edit the NTFS Permissions for a user or group, click on the Edit button.

As you can see there are quite a lot of NTFS Permissions, so let's break them down. First we will have a look at the NTFS Permissions that you can set on a file.

  1. Full Control allows you to read, write, modify, execute, change attributes, permissions, and take ownership of the file.
  2. Modify allows you to read, write, modify, execute, and change the file’s attributes.
  3. Read & Execute will allow you to display the file's data, attributes, owner, and permissions, and run the file if it's a program.
  4. Read will allow you to open the file, view its attributes, owner, and permissions.
  5. Write will allow you to write data to the file, append to the file, and read or change its attributes.

NTFS Permissions for folders have slightly different options, so let's take a look at them.

  1. Full Control allows you to read, write, modify, and execute files in the folder, change attributes, permissions, and take ownership of the folder or files within.
  2. Modify allows you to read, write, modify, and execute files in the folder, and change attributes of the folder or files within.
  3. Read & Execute will allow you to display the folder’s contents and display the data, attributes, owner, and permissions for files within the folder, and run files within the folder.
  4. List Folder Contents will allow you to display the folder's contents and display the data, attributes, owner, and permissions for files within the folder, and run files within the folder.
  5. Read will allow you to display the file’s data, attributes, owner, and permissions.
  6. Write will allow you to write data to the file, append to the file, and read or change its attributes.

Summary

In summary, user names and groups are representations of an alphanumeric string called a SID (Security Identifier), and Share and NTFS Permissions are tied to these SIDs. Share Permissions are checked by LSASS only when the resource is accessed over the network, while NTFS Permissions are enforced on the local machine's NTFS volumes. I hope you all now have a sound understanding of how file and folder security in Windows 7 is implemented. If you have any questions feel free to sound off in the comments.

Taylor Gibb is a Microsoft MVP and all-round geek; he loves everything from Windows 8 to Windows Server 2012 and even C# and PowerShell. You can also follow him on Google+.

  • Published 09/16/11

Comments (26)

  1. Mark

    Yeah, I have a question. How do I turn it all OFF! I’m the only user and the Admin, so I’d like to turn it all off. It’s a real pain.

  2. jim

    Mark: Turn what off? Filesharing?

  3. Anton Kovalenko

    It’s not Windows 7 fileshare and permissions, it’s NT…

  4. Josh

    Hi! I was wondering how I edit the user list and add other machines from my LAN (all admins) so there is no need to enter passwords to access and write to shared disks. It’s not intuitive to me.

  5. Mark

    Turn off all the permissions, the take control crap, the run as administrator stuff and the registry permissions. It’s all designed to keep the noobs from screwing up. But what about those of us that are aware of what we are doing and choose to do it? Why not just allow me to share files on my home network with a simple command? Why do I have to jump through hoops to get stuff done? It’s really been a pain going to W7 from XP.

    I’m done raving now………………

  6. Steve

    I’m pretty sure he means the “click to continue” that keeps coming up every time you want to run some files/programs etc. I’m the same way….I’m the only user and so I’m the admin as well and I would like to get rid of that “click to continue” also.

  7. Chris

    Amen, Mark! Why the h*ll after all these years there isn’t a slimmed-down, basic Windows OS version that acknowledges a single entity (the new owner) as the be-all, end-all Administrator with full rights to everything on the system HE now OWNS by right of purchase and eliminate about 5-kazillion unnecessary of code ?!?

    I DON’T need a galaxy of file and user permissions to wade through and I DON’T need 75 ways to open/delete/write to/print a file…

    What I NEED is a quick and easy way to get some work accomplished which is why I find myself using my iPad more and more and leaving this Windows PC lid-down but running in case I need to connect remotely…

    Please, Microsoft, STOP

  8. Steve

    Well said Mark. I 2nd the motion exactly.

  9. Mark

    I had to make the switch to W7 to use Acad 2012, and after 10 years with XP, this has been one freakin’ nightmare. I’ve got it all working using Classic Shell, tips from here and VG. This OS change has taken over a month to get setup the way I want. I’ll tell you now, I’m not going to W8 until W7 is no longer supported. No way, no how. I’m hoping that MS will eventually catch on and make an Administrator version without the crap-ola, but I’m not holding my breath.

    As Chris said, “PLEASE, Microsoft, STOP!!!!!!!”

  10. Mark

    PS: They can shove the resource eating, screen space robbing ribbon interface as well………………

  11. john

    Hi there, can anyone tell me why I don’t see the Local Users and Groups tab? I click Manage after right clicking the Computer button and I don’t see it. Help me please, anyone. Thank you.

  12. dlgn

    It already is possible to get rid of click to continue. Just open the click to continue window and there will be a shortcut to the options. HTG has already written quite a few articles about this, by the way.

  13. CK

    From a home, or small office setting, I totally sympathize with many of the comments here, about having a clear way of managing & sharing. I believe the homegroup idea is a step in that direction, but like most things from microsoft, they tend to be half-baked until they go thru a few revisions.

    But as an outsource IT worker for small & medium businesses, please understand that your perspective for simplicity isn’t the only perspective. I need to have the granular control that the article talks about. You add in domains & group policy, and the complexity goes up, because the amount of control goes up.

    Yes, it can be confusing, but as long as I can do what I need to do, I’ll learn it, as will any IT worker who wants to do their job properly. If the capability to do what I need to do isn’t there, because it’s been abandoned for the sake of simplicity, then you’ve created a host of other problems.

    MS has a ton of environments to support, so you can’t make everyone happy. But I acknowledge there is plenty of room for improvement.

  14. Josh

    Has anyone got any insight on how to include other users from other machines informs permissions list to avoid needing to log in for a share?

  15. Eric

    List Folder Contents lets you traverse directories and list files’ attributes and such, as you said. However, you can’t “run” (execute) those files. Well actually, you can “double click” the file, and if Windows doesn’t give you an ‘access denied’, the associated program will. Try it if you don’t believe me.

    List Folder Contents is a great tool for giving users with limited access to certain folders deeper in your directory structure without allowing them access to the rest of the files and folders. I know, some will say, “Just put their stuff in another location”, but some folks don’t have that option with their directory structure.

  16. Eric

    @Josh: Normally your workstations would need to be in a Windows Domain or Domains for what you’re asking to work. However, it may be possible to do what you’re asking with Windows 7 Homegroups. It’s a kind of simplistic way to set up shares, but it seems like it will accomplish your intent: sharing out folders from one computer to other computers in the Homegroup. Sort of like a blanket approach. If you want more granularity, I’m not sure if the Homegroup option can cover it. One test might be to set up the Homegroup with another computer, then check the NTFS permissions on the folders being shared out to see if they include any users or groups prefaced by the other workstation’s name. Ex. HOMEPC1\user1 – Read/Write

    http://windows.microsoft.com/en-US/windows7/help/homegroup-from-start-to-finish

  17. Wayne

    Homegroup Sharing has made things very easy in my household. Fast efficient sharing without a lot of hassle.

  18. Norman

    If you guys are complaining about the full rights. The first thing you need to do is to be the ADMINISTRATOR not the STANDARD USER..

    How to disable those Clicking continue? Turn off your user account control settings

    Click START

    Click the PICTURE

    Click Change User Account Control Settings

    Note: If you are using Vista, just uncheck the box, click OK, then restart the computer. For Win7 move the slide bar down to the very bottom, then restart the computer.

    This option is for advanced users only. If you’re a noob and don’t want to mess up your computer, PLEASE don’t do it!

  19. Hey Mark

    Do you like 10 year old cars better than new ones too? Some people can’t handle change – your over-the-top rants put you in that category. 10 years with XP lol…. kicking and screaming, we’ll drag you into the present.

  20. Homegroups?

    All you f-ing whiners and complainers. Why use Homegroups at all? I happily share files, etc without even looking at Homegroups… just share the standard way – just like in XP, just like in Win2k, Vista…. JUST LIKE IT’S BEEN ALL ALONG, MARK.

    Your own stupidity is no excuse anymore, grow up.

  21. Mark

    Look guys, I’ve been using Windows since it appeared. I installed XP the day it was released and I avoided the cluster f**k that was Vista. All I’m looking for is a version that is a good reliable OS without the bells, whistles, and protection crap. And yes, I know all about the Homepoop and all the elaborate garbage that has been thrust upon us. I just don’t need it. If you sheeple want to go with the MS flow, have at it. There are a herd of others that feel the same as I do, as well.

    BTW, @ Homegroup…. FO!

  22. ga4a

    This is all so confusing. Why can’t it just be one window to show what folder you wanna share and another folder to locate and give permission to certain computers? It was a real pain in the ass for me to figure it out myself.

  23. PDL

    I do not think the home version of Windows supports this, at least not how it is written, if at all.

  24. Hugo

    OK, I don’t have Local Users and Groups in my “options” of Computer Management. Is that because I’m running Win 7 Home Prem??

    Hugo

  25. conga

    “To create a new security group, navigate to the Groups folder on the right hand side.”

    It’s on the left on my system :)

  26. Rico

    This article was disappointing. I was hoping I’d come away with a better understanding of file sharing in Win 7, but more specifically, I was hoping to find a simple way of sharing files and folders so that other network users don’t continually get Access Denied messages. No such luck, however, so the search continues.
