Changing ownership of files and folders

When a user creates a file or folder, Windows 2003 automatically assigns Full Control permissions to the creator/owner. Full Control allows the user to assign permissions to other users for the files he or she creates.

If the ownership of a file or folder needs to change, you can replace the existing owner with your own account or with one of the groups you are a member of. You must have Full Control or the special permissions "Take Ownership" to be able to take ownership of a file or folder. Users who have the "Restore files and directories" privilege can assign ownership to any user or group.

Moving and copying protected files

Moving and copying NTFS protected files is similar to moving and copying a compressed file. When you copy a protected file to a folder on the same, or a different volume, it inherits the permissions of the target folder.

However, when you move a protected file to a different location on the same volume, the file retains its access permission setting as though it is an explicit permission.

When data is moved within the same volume, the data is not actually relocated, the pointer to it is merely changed and that is why it retains the ACL (Access Control List).

Troubleshooting access to files and shared folders

A problem with a user accessing shared folders is often caused by underlying network connectivity problems. Make sure you check basic network connectivity first, before looking at NTFS permissions.

Then check:

  • Windows shares allowing minimum access
  • User rights recently denied to groups
  • Permission changes assigned to parent folders

In a large environment with many users and groups, it is important to maintain a structured user and group design and folder hierarchy.

Permissions for other objects

The permission descriptions in the previous section described permissions relative to files and folders. There is a different set of permissions for Registry keys, printers, and Active Directory objects.

To view or set permissions for an object, in Windows Explorer, right-click the object and choose Properties. In the Properties dialog box, the security tab lists the standard permissions.

To see the power and control that NTFS provides for access control, it is best to investigate the permissions of an OU (Organizational Unit) within Active Directory. The figure below shows permissions for a typical OU.

There may be over 10,000 individual advanced permissions that you can set for an OU. You can see a partial listing below.