Configuring and managing file access
You can control user access to files by configuring file and folder permissions. If file permissions are supported by the file system, such as the NTFS or ReFS file systems, you can configure permissions at the volume (root folder), folder, and file levels. You can also assign permissions explicitly or you can inherit them from the higher levels.
Understanding tools for managing files and folders
You can store data as files on local storage or remote storage. To manage these files, you can use several tools in Windows 10, such as File Explorer, Command Prompt, and PowerShell. Let's learn about each of them in the following sections.
File Explorer
File Explorer is a tool that you typically use to manage files and folders. In the previous editions of Windows, File Explorer was called Windows Explorer. File Explorer provides a simple interface that is familiar to most Windows users. By using File Explorer, you can perform several functions, some of which are as follows:
- Creating files and folders
- Accessing files and folders
- Managing the properties of files and folders
- Searching for content in files and folders
- Previewing content of files and folders
If you need to manage file permissions in File Explorer, right-click the object and then select Properties. You can configure permissions on the Security tab of the Properties dialog box.
Now, we'll move on to the Command Prompt tool.
Command Prompt
You can use the Command Prompt to access files and folders. To open the Command Prompt, click on the Start menu icon and start typing cmd.
Some common commands for managing files and folders are as follows:
- cd: Changes the parent directory
- md: Creates a directory
- del: Deletes one or more files
- move: Moves one or multiple files
- dir: Displays a list of files and subdirectories in a directory
- icacls: Displays or modifies permissions by using access control lists (ACLs)
Now, let's learn about the PowerShell tool.
PowerShell
You can use PowerShell to access and manage files and folders. To open PowerShell, click on the Start menu icon and start typing PowerShell. PowerShell provides many cmdlets that you can use to manage files and folders, as follows:
- Get-ChildItem: This displays a directory's list of files and subdirectories.
- Set-Location: This changes the parent directory.
- Get-Alias: This is used to view a list of all aliases.
It also includes many aliases, which are the same as the familiar tools in the Command Prompt, such as dir and cd, and you can use them instead of the PowerShell cmdlets.
To manage file permissions, you can use the Get-ACL and Set-ACL cmdlets. For example, to see the current ACL on the C:\Windows\regedit.exe file with the output in list format, run the following command:
Get-ACL C:\Windows\regedit.exe | Format-List
To modify a file or folder's ACL, use the Set-ACL cmdlet. You can also use the Get-ACL cmdlet in conjunction with the Set-ACL cmdlet: Get-ACL provides the input by getting the object that represents a file or folder's ACL, and Set-ACL then changes the ACL of the target file or folder so that it matches the values that Get-ACL provides.
For example, to set the ACL on the C:\Temporary folder so that it's the same as the permissions on C:\Windows, including inheritance settings, you would run the following command:
Get-ACL C:\Windows | Set-ACL C:\Temporary
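The pipeline above replaces the target's ACL with a copy of the source's. The following added example (not from the original text) uses the same two cmdlets to add a single entry to an existing ACL instead. The folder path and the use of the current user as the identity are assumptions made so that it runs on any machine.

```powershell
# Constructed sample folder under the user's temp directory (assumption).
$folder = Join-Path $env:TEMP 'AclDemo'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Use the current user so the identity always resolves (assumption).
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# One Allow entry: Modify, inherited by subfolders and files.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $identity,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Read the current ACL, add the entry in memory, then write the ACL back.
$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify: list only the explicit (non-inherited) entries on the folder.
(Get-Acl -Path $folder).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags -AutoSize
```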
With that, you've learned how to see and change the ACL via PowerShell and Command Prompt. In the next section, you will learn how to set file and folder permissions and what types of permissions there are.
Configuring file and folder permissions
You can only configure file and folder permissions on NTFS and ReFS volumes. Permissions are rules that determine what actions specific users can perform on a file or a folder. A file or folder's owner can grant or deny permissions to it, as can anyone with the Full Control permission, which grants that person the right to modify permissions for that file or folder.
You assign permissions to files and folders by granting or denying a specific permission level. Typically, you assign them to groups to minimize administrative overhead. If you assign permissions to a group, every group member has the assigned permission. You can also assign permissions to individual users and computers. If you assign permissions to a group and to individual group members, they are cumulative. This means that a user has the permissions that you assign to him or her, in addition to those you assign to the group.
You can configure two types of permissions for files and folders, namely basic and advanced. The difference between these types is as follows:
- Basic permissions: This type of permission is used the most. You will work with basic permissions often and assign them to groups and users.
- Advanced permissions: This type of permission provides a finer degree of control. However, advanced permissions are more complex to document and manage than basic permissions.
You can choose which permission you want to allow or to deny on a file or folder. The basic file and folder permissions are as follows:
- Full Control: This provides complete control of the file or folder and control of permissions.
- Modify: This allows you to read a file, write changes to it, and modify permissions.
- Read & execute: This allows you to see folder content, read files, and start programs.
- Read: This allows you to read a file, but not make any changes to it.
- Write: This allows you to change folder and file content.
- Special permissions: This is a custom configuration.
Important Note
Groups or users that have the Full Control permission on a folder can delete any files in that folder, regardless of the permissions that protect the file.
To modify the permissions on a folder or file, you must have the Full Control permission, unless you are the owner of the file or folder. The owner can always modify the permissions, and administrators can always take ownership of files and folders to configure permissions.
The next section will be about inheritance of permissions. Permission inheritance is all about permissions that will be applied automatically to files and subfolders in a root folder.
Understanding permission inheritance
Permission inheritance allows the permissions that you set on a folder to be applied automatically to files that users create in that folder and its subfolders. This means that you can set permissions for an entire folder structure at a single point. If you must modify permissions, then you must perform the change at that single point itself.
For example, when you create a folder called Folder1, all subfolders and files created within Folder1 automatically inherit that folder's permissions. Therefore, Folder1 has explicit permissions, while all the subfolders and files within it have inherited permissions.
Permissions on a file are a combination of inherited and explicit permissions. For example, if you assign Group1 Read permissions on a folder and Write permissions on a file in the folder, the members of Group1 can read and write in the file. If inherited and explicit permissions collide with each other, explicit permissions take precedence.
As mentioned earlier, you have two types of permissions. These types are as follows:
- Explicit permissions: When you set permissions directly on a file or a folder, the permissions are applied explicitly. You can assign permissions to the object directly by modifying the security settings in the object's properties dialog box.
- Inherited permissions: Files and folders are typically arranged in a nested structure, where a folder contains subfolders and files, and those subfolders contain files and folders. Permission inheritance allows for child objects to inherit the parent object's permissions settings.
This allows you to assign explicit permissions to a parent folder and have inheritance pass those permissions settings down to the parent folder's subfolders and files. By doing this, you can control inheritance behavior. Inherited permissions ease the task of managing permissions, and they ensure the consistency of permissions among all of a container's objects.
Now that you know about the inheritance of permissions, you will learn how to configure inheritance for all objects.
Configuring inheritance for all objects
If the Allow or Deny checkboxes that are associated with each of the permissions appear shaded, then this means a file or folder has inherited permissions from one of its parent folders. There are two ways that you can make changes to inherited permissions, as follows:
- You can make changes to a parent folder that you set permissions for explicitly. The file or folder will inherit these modified permissions.
- You can choose not to inherit permissions from a parent object. You can then make changes to the permissions or remove a user or group from the permissions list of the file or folder.
All the child objects only inherit permissions that they are capable of inheriting. When you set permissions on a parent object, you can decide whether folders, subfolders, and files can inherit permissions. We can perform the following procedure to assign permissions that child objects can inherit:
- Open File Explorer.
- Right-click on a file or subfolder.
- Click the Properties | Security | Advanced button.
- In the Advanced Security Settings for file or folder dialog box, the Inherited From column lists where the permissions are inherited from. The Applies To column lists the folders, subfolders, or files that the permissions have been applied to, as shown in the following screenshot:
- Double-click the user or group that you want to adjust permissions for.
- In the Permissions Entry for name dialog box, click the Applies to drop-down list:
- From the previous step, select one of the following options from the Applies to drop-down list: This folder only, This folder, subfolders and files, This folder and subfolders, This folder and files, Subfolders and files only, Subfolders only, or Files only.
- Click OK in the Permission Entry for name dialog box.
- After that, click OK in the Advanced Security Settings for name dialog box.
- Then, click OK in the Properties dialog box.
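The Applies To column from the procedure above can also be read from PowerShell. This added example (not from the original text) lists each entry on a folder as explicit or inherited and translates its inheritance and propagation flags into the Applies to labels listed in the procedure. Get-AppliesTo is a hypothetical helper name, and C:\Windows is used only because the text already uses it as a sample path.

```powershell
# Hypothetical helper: map an entry's flags to the "Applies to" label.
function Get-AppliesTo {
    param($Rule)   # one entry from (Get-Acl <folder>).Access
    $inheritOnly = $Rule.PropagationFlags.HasFlag(
        [System.Security.AccessControl.PropagationFlags]::InheritOnly)
    # Key looks like 'ContainerInherit, ObjectInherit|False'.
    $key = '{0}|{1}' -f $Rule.InheritanceFlags, $inheritOnly
    $map = @{
        'None|False'                            = 'This folder only'
        'ContainerInherit, ObjectInherit|False' = 'This folder, subfolders and files'
        'ContainerInherit|False'                = 'This folder and subfolders'
        'ObjectInherit|False'                   = 'This folder and files'
        'ContainerInherit, ObjectInherit|True'  = 'Subfolders and files only'
        'ContainerInherit|True'                 = 'Subfolders only'
        'ObjectInherit|True'                    = 'Files only'
    }
    if ($map.ContainsKey($key)) { $map[$key] } else { "Other ($key)" }
}

# Sample path taken from the text; any folder on an NTFS or ReFS volume works.
$path = 'C:\Windows'

(Get-Acl -Path $path).Access | ForEach-Object {
    [pscustomobject]@{
        Identity  = $_.IdentityReference
        Rights    = $_.FileSystemRights
        Type      = $_.AccessControlType
        Source    = if ($_.IsInherited) { 'Inherited' } else { 'Explicit' }
        AppliesTo = Get-AppliesTo $_
    }
} | Format-Table -AutoSize
```

Get-Acl reports only whether an entry is inherited, not which parent it came from, so the Inherited From column still has to be read in the dialog box.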
Important Note
If the Special permissions entry in the Permissions for User or Group box is shaded, this does not imply that this permission is inherited. Rather, this means that a special permission has been selected.
If you add permissions for Creator Owner at the folder level, those permissions will apply to the user who created the file in the folder.
With that, you've learned how to modify inheritance permissions. We can also prevent inheritance to files and folders. In the next section, you will learn what the consequences of doing this are and how to configure this particular setting.
Preventing inheritance
After you've set permissions on a parent folder, new files and subfolders that users create in the folder inherit these permissions. You can block permission inheritance to restrict access to these files and subfolders. For example, you can assign all Accounting users the Modify permission to the Accounting folder. For the Invoices subfolder, you can block inherited permissions and grant only a few specific users permissions to the folder.
Important Note
When you block permission inheritance, you have the option to convert inherited permissions into explicit permissions, or you can remove all inherited permissions. If you want to restrict a group or user, you can convert inherited permissions into explicit permissions to simplify the configuration.
To prevent a folder or file from inheriting permissions from a parent folder, perform the following procedure:
- Open File Explorer.
- Right-click a file or subfolder.
- Click the Properties | Security | Advanced button.
- In the Advanced Security Settings for file or folder dialog box, click Disable inheritance, as shown in the following screenshot:
- Then, in the Block Inheritance dialog box, select one of the following options: Convert inherited permissions into explicit permissions on this object or Remove all inherited permissions from this object.
The following screenshot shows the previously stated options that will appear in the Block Inheritance dialog box:
- Click OK in the Advanced Security Settings for name dialog box.
- Click OK in the Properties dialog box.
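The same Disable inheritance choice can be made from PowerShell. This added example (not from the original text) blocks inheritance on a subfolder and keeps the inherited entries as explicit ones, which corresponds to the Convert option. The folder names echo the Accounting and Invoices example above, and placing them under the temp directory is an assumption.

```powershell
# Constructed folder tree under the user's temp directory (assumption).
$parent = Join-Path $env:TEMP 'Accounting'
$child  = Join-Path $parent 'Invoices'
New-Item -ItemType Directory -Path $child -Force | Out-Null

# Before: new subfolders inherit, so every entry is marked as inherited.
(Get-Acl -Path $child).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# SetAccessRuleProtection(isProtected, preserveInheritance):
#   isProtected         = $true  blocks inheritance from the parent.
#   preserveInheritance = $true  copies inherited entries as explicit ones
#                                (the Convert option); $false drops them
#                                (the Remove option).
$acl = Get-Acl -Path $child
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $child -AclObject $acl

# After: the folder is protected and the same entries are now explicit.
$after = Get-Acl -Path $child
"Inheritance blocked: $($after.AreAccessRulesProtected)"
$after.Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# From here, unwanted explicit entries can be removed one at a time.
# Choosing $false above removes every inherited entry at once, so add the
# explicit entries you still need to $acl before calling Set-Acl.
```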
In the next section, you will learn about forcing the inheritance of permissions and the effects this has on the permissions of files and folders.
Forcing permission inheritance
The Advanced Security dialog box for folders includes a Replace all child object permission entries with inheritable entries from this object checkbox. Selecting this checkbox will replace the permissions on all child objects that you can change permissions for, including child objects that had Block inheritance configured. This is useful if you need to change permissions on many subfolders and files, especially if you set the original permissions incorrectly.
You might be overwhelmed with inheritance permissions after reading the previous sections, but there is still one more feature to check: the Effective Access feature, which shows what the inheritance of permissions will do for a user or a group. In the next section, you will learn what you can do with this feature.