Monday, January 6, 2020

What are NTFS Permissions in Windows?

Introduction to NTFS Permissions

You use NTFS permissions to specify which users and groups can access files and folders and what they can do with the contents of the files or folders. NTFS permissions are available only on NTFS volumes; they are not available on volumes formatted with file allocation table (FAT) or FAT32 file systems. NTFS security is effective whether a user accesses the file or folder at the local computer or over the network.

The permissions you assign for folders are different from the permissions you assign for files. Administrators, the owners of files or folders, and users with Full Control permission can assign NTFS permissions to users and groups to control access to files and folders.


Standard NTFS Folder Permissions


You assign folder permissions to control the access that users have to folders and to the files and subfolders that are contained within the folders. Table 8-1 lists the standard NTFS folder permissions that you can assign and the type of access that each provides.



Read: See files and subfolders in the folder and view folder permissions and attributes (such as Read-Only, Hidden, Archive, and System)

Write: Create new files and subfolders within the folder, change folder attributes, and view folder ownership and permissions

List Folder Contents: See the names of files and subfolders in the folder

Read & Execute: Move through folders to reach other files and folders, even if the users do not have permission for those folders, and perform actions permitted by the Read permission and the List Folder Contents permission

Modify: Delete the folder plus perform actions permitted by the Write permission and the Read & Execute permission

Full Control: Change permissions, take ownership, and delete plus perform actions permitted by all other NTFS folder permissions


You can deny permission to a user account or group. To deny all access to a user account or group for a folder, deny the Full Control permission.

Standard NTFS File Permissions


You assign file permissions to control the access that users have to files.

Read: Read the file and view file attributes, ownership, and permissions

Write: Overwrite the file, change file attributes, and view file ownership and permissions

Read & Execute: Run applications, plus perform the actions permitted by the Read permission

Modify: Modify and delete the file, plus perform the actions permitted by the Write permission and the Read & Execute permission

Full Control: Change permissions and take ownership, plus perform the actions permitted by all other NTFS file permissions

How Windows Uses Access Control Lists


NTFS stores an access control list (ACL) with every file and folder on an NTFS volume. The ACL contains a list of all user accounts and groups that have been assigned permissions for the file or folder, as well as the permissions that they have been assigned. When a user attempts to gain access to a resource, the ACL must contain an entry, called an access control entry (ACE), for the user account or a group to which the user belongs. The entry must allow the type of access that is requested (for example, Read access) for the user to gain access. If no ACE exists in the ACL, the user cannot access the resource.

How Effective Permissions Are Calculated When Multiple Sets of NTFS Permissions Are in Effect


It is possible for multiple sets of NTFS permissions to apply to a user for a particular resource. For example, a user might be a member of two different groups, each of which is assigned different permissions to access a resource. To assign permissions effectively, you must understand the rules and priorities by which NTFS assigns and combines multiple permissions and NTFS permissions inheritance.

What Are Effective Permissions?


A user's effective permissions for a resource are the sum of the NTFS permissions that you assign to the individual user account and to all the groups to which the user belongs. If a user is granted Read permission for a folder and is a member of a group with Write permission for the same folder, the user has both Read and Write permissions for that folder.

To manually calculate effective NTFS permissions, first combine all allow permissions from all sources. Next, determine any deny permissions the user has. Deny permissions override allow permissions. The result is the user's effective permissions for the resource.

How File Permissions Override Folder Permissions


NTFS permissions assigned to files take priority over NTFS permissions assigned to the folder that contains the file. If you have access to a file, you can access the file if you have the Bypass Traverse Checking security permission, even if you do not have access to the folder containing the file. You can access the files for which you have permissions by using the full Universal Naming Convention (UNC) or local path to open the file from its respective application, even if you have no permission to access the folder that contains the file. In other words, if you do not have permission to access the folder containing the file you want to access, you must have the Bypass Traverse Checking security permission and you have to know the full path to the file to access it. Without permission to access the folder, you cannot see the folder, so you cannot browse for the file.

How Deny Permissions Override Allow Permissions


In addition to granting a permission, you can also specifically deny a permission (although this is not the recommended method of controlling access to resources). Denying a permission overrides all instances in which that permission is allowed. Even if a user has permission to access a file or folder as a member of a group, denying permission to the user blocks any other permissions the user might have.

For example, User1 has Read permission for FolderA and is a member of Group A and Group B. Group B has Write permission for FolderA. Group A has been denied Write permission for File2.
The user can read and write to File1. The user can also read File2, but cannot write to File2 because she is a member of Group A, which has been denied Write permission for File2.

How NTFS Permissions Inheritance is controlled

By default, permissions that you assign to the parent folder are inherited by and propagated to the subfolders and files contained in the parent folder. However, you can prevent permissions inheritance.
By default, whatever permissions you assign to the parent folder also apply to subfolders and files contained within the parent folder. When you assign NTFS permissions to give access to a folder, you assign permissions for the folder and for any existing files and subfolders, as well as for any new files and subfolders that are created in the folder.

You can prevent permissions that are assigned to a parent folder from being inherited by subfolders and files that are contained within the folder. That is, you can change the default inheritance behavior and cause subfolders and files to not inherit permissions that have been assigned to the parent folder containing them.

The folder for which you prevent permissions inheritance becomes the new parent folder. The subfolders and files contained within this new parent folder inherit the permissions assigned to it.
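
The manual effective-permissions rule and the inheritance behavior described above, worked through for the User1 / FolderA / File1 / File2 scenario. This is an added example, not code from the original post: it uses simplified permission bits rather than real Windows access-mask values, and the "Private" folder, "File3" and the "Admins" group are hypothetical additions used to show blocked inheritance.

```python
from enum import IntFlag

class Perm(IntFlag):
    """Simplified access bits; not the real Windows access-mask values."""
    READ = 1
    WRITE = 2
    EXECUTE = 4
    DELETE = 8
    CHANGE_PERMS = 16
    TAKE_OWNERSHIP = 32

# Standard file permissions from the page, built cumulatively.
READ, WRITE = Perm.READ, Perm.WRITE
READ_EXECUTE = READ | Perm.EXECUTE
MODIFY = READ_EXECUTE | WRITE | Perm.DELETE
FULL_CONTROL = MODIFY | Perm.CHANGE_PERMS | Perm.TAKE_OWNERSHIP

# Constructed sample tree: name -> (parent, inherits_from_parent, explicit ACEs).
# Each ACE is (trustee, "allow" | "deny", permissions).
TREE = {
    "FolderA": (None, False, [("User1", "allow", READ), ("GroupB", "allow", WRITE)]),
    "File1": ("FolderA", True, []),
    "File2": ("FolderA", True, [("GroupA", "deny", WRITE)]),
    # Hypothetical subfolder with inheritance blocked: it becomes the new parent.
    "Private": ("FolderA", False, [("Admins", "allow", FULL_CONTROL)]),
    "File3": ("Private", True, []),
}

def resolve_acl(name, tree=TREE):
    """Explicit ACEs plus ACEs inherited up to the first blocked ancestor."""
    acl = []
    while name is not None:
        parent, inherits, aces = tree[name]
        acl.extend(aces)
        name = parent if inherits else None
    return acl

def effective(user, groups, name, tree=TREE):
    """Page's manual rule: combine every allow, then remove every deny."""
    trustees = {user, *groups}
    allowed = denied = 0
    for trustee, kind, perms in resolve_acl(name, tree):
        if trustee in trustees:
            if kind == "deny":
                denied |= int(perms)
            else:
                allowed |= int(perms)
    return Perm(allowed & ~denied)  # no matching ACE leaves Perm(0): no access

if __name__ == "__main__":
    for item in ("File1", "File2", "File3"):
        print(item, repr(effective("User1", ["GroupA", "GroupB"], item)))
```

File3 shows why blocking inheritance needs care: once "Private" stops inheriting, User1 has no ACE in its ACL at all and loses the access that FolderA would otherwise have granted.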
