Microsoft KB Archive/308419

= How to set, view, change, or remove special permissions for files and folders in Windows XP =

Article ID: 308419

Article Last Modified on 5/7/2007

-

APPLIES TO


 * Microsoft Windows XP Professional

-



This article was previously published under Q308419



IN THIS TASK

 * INTRODUCTION
 * Permissions for files and folders
 * File and folder special permissions
 * Special permissions defined
 * Traverse Folder/Execute File
 * List Folder/Read Data
 * Read Attributes
 * Read Extended Attributes
 * Create Files/Write Data
 * Create Folders/Append Data
 * Write Attributes
 * Write Extended Attributes
 * Delete Subfolders and Files
 * Delete
 * Read Permissions
 * Change Permissions
 * Take Ownership
 * Synchronize
 * Set, view, change, or remove special permissions for files and folders
 * REFERENCES


 * Troubleshooting



INTRODUCTION
In Microsoft Windows XP, special access permissions are customizable sets of permissions. This means that you can apply special access permissions to files or folders that are located on NTFS file system volumes. This article describes how to set, view, change, or remove special permissions for files and folders.

back to the top

Permissions for files and folders
Folder permissions include Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. Each of these permissions consists of a logical group of special permissions that are listed and defined in the following sections.

Note This article assumes that you are using Windows XP on a domain. By default, simplified sharing is enabled in Windows XP if you are not connected to a domain. This means that the Security tab and advanced options for permissions are not available.

If you are not joined to a domain and want to view the Security tab, view the Set, view, change, or remove special permissions for files and folders section in this article.

For additional information about how to disable simplified file sharing, click the following article number to view the article in the Microsoft Knowledge Base:

307874 How to disable simplified sharing and set permissions on a shared folder in Windows XP

back to the top

Troubleshooting
If the Security tab is not available and you cannot configure special permissions for users and groups, you may be experiencing the following issues :
 * The file or folder where you want to apply special permissions is not on an NTFS drive. You can set permissions only on drives that are formatted to use NTFS.
 * Simple file sharing is turned on. By default, simplified sharing is turned on.

back to the top

File and folder special permissions
The following table describes file and folder special permissions.

IMPORTANT: Groups or users who are granted Full Control on a folder can delete any files in that folder regardless of the permissions that protect the file.

Note Although the List Folder Contents and the Read & Executefolder permissions appear to have the same special permissions, these permissions are inherited differently. List Folder Contents is inherited by folders but not files and it only appears when you view folder permissions. Read & Execute is inherited by both files and folders and is always present when you view file or folder permissions.

Note In Windows XP Professional, the Everyone group does not include the Anonymous Logon group.

back to the top

Special permissions defined
You can set any or all the following special permissions on files and folders.

back to the top

Traverse Folder/Execute File
For folders: The Traverse Folder permission applies only to folders. This permission allows or denies the user from moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. Traverse Folder takes effect only when the group or user is not granted the Bypass Traverse Checking user right. The Bypass Traverse Checking user right checks user rights in the Group Policy snap-in. By default, the Everyone group is given the Bypass Traverse Checking user right.

For files: The Execute File permission allows or denies access to program files that are running.

If you set the Traverse Folder permission on a folder, the Execute File permission is not automatically set on all files in that folder.

back to the top

List Folder/Read Data
The List Folder permission allows or denies the user from viewing file names and subfolder names in the folder. The List Folder permission applies only to folders and affects only the contents of that folder. This permission is not affected if the folder that you are setting the permission on is listed in the folder list.

The Read Data permission applies only to files and allows or denies the user from viewing data in files.

back to the top

Read Attributes
The Read Attributes permission allows or denies the user from viewing the attributes of a file or folder, such as read-only and hidden attributes. Attributes are defined by NTFS.

back to the top

Read Extended Attributes
The Read Extended Attributes permission allows or denies the user from viewing the extended attributes of a file or folder. Extended attributes are defined by programs and they may vary by program.

back to the top

Create Files/Write Data
The Create Files permission applies only to folders and allows or denies the user from creating files in the folder.

The Write Data permission applies only to files and allows or denies the user from making changes to the file and overwriting existing content by NTFS.

back to the top

Create Folders/Append Data
The Create Folders permission applies only to folders and allows or denies the user from creating folders in the folder.

The Append Data permission applies only to files and allows or denies the user from making changes to the end of the file but not from changing, deleting, or overwriting existing data.

back to the top

Write Attributes
The Write Attributes permission allows or denies the user from changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS.

The Write Attributes permission does not imply that you can create or delete files or folders,. It includes only the permission to make changes to the attributes of a file or folder. To allow or to deny create or delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.

back to the top

Write Extended Attributes
The Write Extended Attributes permission allows or denies the user from changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.

The Write Extended Attributes permission does not imply that the user can create or delete files or folders, it includes only the permission to make changes to the attributes of a file or folder. To allow or to deny create or delete operations, view the Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete sections in this article.

back to the top

Delete Subfolders and Files
The Delete Subfolders and Files permission applies only to folders and allows or denies the user from deleting subfolders and files, even if the Delete permission is not granted on the subfolder or file.

back to the top

Delete
The Delete permission allows or denies the user from deleting the file or folder. If you do not have a Delete permission on a file or folder, you can delete the file or folder if you are granted Delete Subfolders and Files permissions on the parent folder.

back to the top

Read Permissions
The Read Permissions permission allows or denies the user from reading permissions about the file or folder, such as Full Control, Read, and Write.

back to the top

Change Permissions
The Change Permissions permission allows or denies the user from changing permissions on the file or folder, such as Full Control, Read, and Write.

back to the top

Take Ownership
The Take Ownership permission allows or denies the user from taking ownership of the file or folder. The owner of a file or folder can change permissions on it, regardless of any existing permissions that protect the file or folder.

back to the top

Synchronize
The Synchronize permission allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies only to multiple-threaded, multiple-process programs.

back to the top

Set, view, change, or remove special permissions for files and folders
To set, view, change, or remove special permissions for files and folders:
 * 1) Click Start, click My Computer, and then locate the file or folder where you want to set special permissions.
 * 2) Right-click the file or folder, click Properties, and then click the Security tab.
 * 3) Click Advanced, and then use one of the following steps:
 * 4) * To set special permissions for an additional group or user, click Add, and then in Name box, type the name of the user or group, and then click OK.
 * 5) * To view or change special permissions for an existing group or user, click the name of the group or user, and then click Edit.
 * 6) * To remove an existing group or user and the special permissions, click the name of the group or user, and then click Remove. If the Remove button is unavailable, click to clear the Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here check box, click Remove, and then skip steps 4 and 5.
 * 7) In the Permissions box, click to select or click to clear the appropriate Allow or Deny check box.
 * 8) In the Apply onto box, click the folders or subfolders where you want these permissions applied.
 * 9) To configure security so that the subfolders and files do not inherit these permissions, click to clear the Apply these permissions to objects and/or containers within this container only check box.
 * 10) Click OK two times, and then click OK in the Advanced Security Settings for FolderName box, where FolderName is the folder name.

CAUTION: You can click to select the '''Replace permission entries on all child objects with entries shown here that apply to child objects. Include these with entries explicitly defined here''' check box. Therefore,all subfolders and files have all their permission entries reset to the same permissions as the parent object.If you do this, after you click Apply or OK, you cannot undo this operation if you click to clear the check boxes.

Important: If you are not joined to a domain and you want to view the Security tab:
 * 1) Click Start, and then click Control Panel.
 * 2) Click Appearance and Themes, and then click Folder Options.
 * 3) Click the View tab, and then click to clear the Use simple file sharing [Recommended] check box in the Advanced settings box.

Notes:
 * The Everyone group does not include the Anonymous Logon permission in Windows XP.
 * If you click to select the Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here check box, the file or folder inherits permission entries from the parent object.
 * You can set permissions only on drives that are formatted to use NTFS.
 * If the check boxes in the Permissions box are not available, the permissions are inherited from the parent folder.
 * To change permissions, you must be the owner or have permission to change permissions by the owner.
 * Groups or users who have Full Control permissions for a folder can delete the files and the subfolders in that folder, regardless of the permissions that protect the files and the subfolders.

back to the top

