SUMMARY

This step-by-step article describes how to configure security for files and folders on a network in Windows Server 2003. This may be useful to protect data from unauthorized access.

For example, you receive a call from the manager of your accounts receivable department. The manager has been working on several spreadsheets that are stored on a file server in your domain, and is concerned that employees who should not have access to these files may be able to open and edit the files. The files are in a folder that is named c:\Accounts on the server, and the folder is shared as Accounts. The share permissions on the Accounts share for members of the Domain Users group are set to Full Control. The manager wants to permit the members of the Accountants group to edit the files and add new files, and the members of the Sales group to be able to read the files but not edit them. The manager will be the only person who can make any changes to the permissions, and no one else will have access to the files.

back to the top

How to Configure Security for Files and Folders

To configure file and folder security:

1. Log on by using your domain user name and password.
2. Start Windows Explorer.
3. Expand My Computer, and then click the drive that contains the folder that you want to configure.
4. Right-click the folder that you want to configure, and then click Properties.
5. Click the Security tab.
6. Click Advanced.
7. Click to clear the Allow inheritable permissions from parent to propagate to this object and all child objects. Include these with entries explicitly defined here check box.
8. In the Security dialog box that appears, click Copy.
   

NOTE: The inherited permissions are copied directly to the folder.

1. Click OK.
2. To set permissions for a group or user who is not listed in the Group or user names box, click Add.
3. In the Select Users or Groups dialog box that appears, type the names of the groups or users for whom you want to set permissions. For example, Accounting, Sales, and accounts receivable manager name).
4. Click OK. The groups and users you added appear in the Group or user names box.
5. To grant or deny a permission in the Permissions for User or Group box, click the user or group in the Group or user names box, and then click to select the Allow or Deny check box next to the permission that you want to allow or deny. For example:
   • To grant Modify permissions to the Accountants group, click Accountants, and then click to select the Allow check box next to Modify. Members of this group can add new files to the folder or edit the files in the folder.
   • To grant Read & Execute, List Folder Contents, and Read permissions to the Sales group, click Sales, and then click to select the Allow check box next to these permissions.
   • To grant Full Control permission to the accounts receivable manager, click accounts receivable manager name, and then click to select the Allow check box next to Full Control.
6. Click OK.

back to the top

Troubleshooting

Users Cannot Access Files and Folders That They Should Be Able to When Logged On Locally

Access permissions are combined with any permissions that are assigned directly to the user and those that are assigned to any groups of which the user is a member.

The exception to this rule is if there is an explicit Deny permission on the folder or file. This occurs because Deny permissions are enumerated first when Windows determines if a particular user can perform a particular task. Because of this, avoid using explicit Deny permissions unless there is no other way to obtain the specific level of permissions that you need.

back to the top

Inappropriate Permission Levels When Users Access Files and Folders When Logged on Locally

For example, users can write instead of just read when they are logged on locally. By default, permissions are inherited from the folder that contains the object. If you experience inappropriate permission levels, look for both inherited permissions that are incorrect for the shared resource and for group memberships that may grant different levels of permissions.

back to the top

Users Cannot Access Files and Folders That They Should Be Able to Access Over the Network

When you access data over the network, both share permissions and file and folder permissions apply. Share access permissions are combined with any permissions that are assigned directly to the user and those that are assigned to any groups of which the user is a member.

The exception to this is if there is an explicit Deny permission on the folder or file. This occurs because Deny permissions are enumerated first when Windows determines if a particular user can perform a particular task. For example, a member of a group that has Deny selected for the Read permission cannot read the file or folder, even if other permissions make it possible for this user to do so.

Avoid using explicit Deny permissions unless there is no other way to obtain the specific level of permissions that you need. Check both the share permissions and the file and folder permissions for the user and any groups of which the user is a member.

back to the top

There Is No Security Tab in the Folder Properties Dialog Box

If you do not see the Security tab in the FolderName Properties dialog box, you may be using the FAT or FAT32 file system. You can only set file and folder permissions on volumes that are formatted with the NTFS file system. You can use the convert command to convert FAT or FAT32 volumes to use NTFS. back to the top