Microsoft KB Archive/229891


The information in this article applies to:


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Server


SUMMARY
In Windows 2000, there are default access rights that are set for users and groups on NTFS partitions. This article describes how to edit and view file and folder default access control rights.

MORE INFORMATION
The following rights can be configured for folders and files:


 * FILE_LIST_DIRECTORY: permits listing the contents of a directory.
 * FILE_ADD_FILE: permits creating a file within the directory.
 * FILE_ADD_SUBDIRECTORY: permits creating a subdirectory.
 * FILE_READ_EA: permits reading extended attributes on a file.
 * FILE_WRITE_EA: permits writing extended attributes on a file.
 * FILE_TRAVERSE: permits traversing past the directory to open a file or subdirectory under it.
 * FILE_READ_ATTRIBUTES: permits reading standard file attributes.
 * FILE_WRITE_ATTRIBUTES: permits writing standard file attributes.
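
The rights listed above are individual bits in an ACE access mask, which is how they appear in a low-level security descriptor dump. The following is an added example, not part of the original article: it decodes a mask into those rights and flags trustees that can create or modify content. Bit values are the winnt.h definitions; the helper names, the trusted list, and the sample ACEs are constructed for illustration.

```python
# Added example. Bit values are the winnt.h definitions of the rights listed
# in the article; trustees and masks in SAMPLE_ACES are constructed.
DIR_RIGHTS = {
    0x0001: "FILE_LIST_DIRECTORY",
    0x0002: "FILE_ADD_FILE",
    0x0004: "FILE_ADD_SUBDIRECTORY",
    0x0008: "FILE_READ_EA",
    0x0010: "FILE_WRITE_EA",
    0x0020: "FILE_TRAVERSE",
    0x0080: "FILE_READ_ATTRIBUTES",
    0x0100: "FILE_WRITE_ATTRIBUTES",
}
# On a file (not a directory) four of the same bits carry different names.
FILE_ALIASES = {0x0001: "FILE_READ_DATA", 0x0002: "FILE_WRITE_DATA",
                0x0004: "FILE_APPEND_DATA", 0x0020: "FILE_EXECUTE"}
# Rights that let a trustee create or alter content or metadata.
WRITE_BITS = 0x0002 | 0x0004 | 0x0010 | 0x0100

def decode_mask(mask, is_directory=True):
    """Return (names, leftover): the listed rights set in mask, plus any
    bits the table does not cover (standard rights, FILE_DELETE_CHILD)."""
    names, leftover = [], mask
    for bit, name in sorted(DIR_RIGHTS.items()):
        if mask & bit:
            names.append(name if is_directory else FILE_ALIASES.get(bit, name))
            leftover &= ~bit
    return names, leftover

def writable_by(aces, trusted=("BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM")):
    """Return (trustee, rights) for allow ACEs that grant write-type
    rights to a trustee outside the trusted list (hypothetical policy)."""
    findings = []
    for ace_type, trustee, mask in aces:
        if ace_type != "allow" or trustee in trusted:
            continue
        names, _ = decode_mask(mask & WRITE_BITS)
        if names:
            findings.append((trustee, names))
    return findings

SAMPLE_ACES = [  # constructed: (ACE type, trustee, access mask)
    ("allow", "BUILTIN\\Administrators", 0x001F01FF),  # full control
    ("allow", "BUILTIN\\Users", 0x001200A9),           # read and execute
    ("allow", "Everyone", 0x00000006),                 # create files and folders
]

if __name__ == "__main__":
    for _, trustee, mask in SAMPLE_ACES:
        print(trustee, hex(mask), decode_mask(mask))
    print("review:", writable_by(SAMPLE_ACES))
```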

To edit and view file and folder default access control rights, use any of the following methods:

Using the Ldp.exe Tool
To use the Ldp.exe tool included in the Microsoft Windows 2000 Resource Kit, select the security principal (object) of reference, such as cn=Administrator,cn=users,dc=company,dc=Com, and so on. On the Browse menu, click the Security Descriptor for the object of reference to display the default access control list and the system access control list in a low-level format.

Using the Cacls.exe Tool
Using Cacls.exe, you can view or change the settings of a folder or file. Note that although you can set permissions on a per-file or per-folder basis, this does not affect the default settings for folder and file creation.

Using the Active Directory Users and Computers Management Console
To use the Active Directory Users and Computers Management Console to edit default security properties:
 * 1) Start the Active Directory Users and Computers Management Console, verify that Advanced Features are enabled on the View menu, and if needed, enable them.
 * 2) Select the OU, Group, or User you want to edit.
 * 3) View the properties for the object, and then click the Security tab.
 * 4) From this list, user and group rights can be edited to add or remove access rights for folder or file creation. The permissions for the users can be changed to provide further granularity in access control for the group or user. By clicking Advanced, you can view further access rights for security principals. The Permission tab provides a location to add security principals and edit their access rights. Inheritance is also controlled from this tab.

Using the Adsiedit Tool
In the Adsiedit tool, you can obtain access to the Default security properties page for any of the containers under the Domain Naming Context. Also, access rights can be defined for computers.

Additional query words: 2000

Keywords : kbnetwork kbtool

Version : WINDOWS:2000

Platform : WINDOWS

Issue type : kbhowto