Windows XP Determining a User’s Effective Permissions


To determine a user's permissions to a specific file or folder, you add up all the allowed permissions for the username and for all groups in which the user is a member, and then subtract the permissions that have been explicitly denied for both the username and groups.

If permission has not been specified for either the username or group, it will not be added to the allowed permissions list. If it has been allowed for one group, and not specified for another, and the user is a member of both groups, then the user will have that permission, as it has not been explicitly denied.

Allow, Deny, or Unset?
An Allow selection is a definite yes. It can be overturned by a Deny selection, which is a definite no. A permission that has not been specified just "goes along with the crowd". If another group allows a permission, then that's okay. If another group denies a permission, that's okay too. If a permission is not specified for a username, or for any groups in which that user is a member, then that permission will not be granted.

In the example shown, the allowed permissions include: Traverse Folder / Execute File, List Folder / Read Data, and Write Extended Attributes. The denied permissions include: Create Folders / Append Data, Write Attributes, Delete Subfolders and Files, and Take Ownership. The unselected permissions include: Read Attributes, Read Extended Attributes, Create Files / Write Data, Delete, Read Permissions, and Change Permissions.

So from this we can summarize that every user accessing this folder will have both allow and deny permissions set. If permissions are granted to a user (or to a group he is a member of) explicitly, the user will also have those permissions.

Let's put this into action. We have a user, George, who is a member of two groups - the Sales group and the Marketing group. George, as an individual, has neither been allowed nor denied Read permission on the Information folder. The Sales Group has no specified Read permission, but the Marketing group does.

George      Not specified
Sales       Not specified
Marketing   Read (allow)

George, as a member of the Marketing group, has Read permission on the Information Folder.
Let's change the scenario a bit. George still has no specified permission on his individual user account. The Marketing group still has a specified Read permission on the folder. The Sales group, however, has had Read permission denied.

George      Not specified
Sales       Read (deny)
Marketing   Read (allow)

George will NOT have Read permission to the folder. Although his user account did not specifically deny Read permission, and his membership in Marketing allowed it, the Sales group was denied Read permission, which removed it from George.

If George, Marketing and Sales all have the Read permission not specified, then the Read permission was never specifically allowed, so no Read permission will be granted.
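The three George scenarios above, worked as an added example (not code from the original article). It implements the article's stated rule, union of every Allow for the user and the user's groups, minus every explicit Deny, as a model; the group memberships, the "Information" folder and the extra Write/Delete entries in the last scenario are constructed for illustration.

```python
from enum import Enum


class Access(Enum):
    """An explicit ACL entry. "Not specified" is simply the absence of an entry."""
    ALLOW = "allow"
    DENY = "deny"


def effective_permissions(principals, acl):
    """Return the set of permissions a user effectively holds.

    principals: the user name plus every group the user is a member of.
    acl: mapping principal -> {permission: Access}; a principal with no
         entry for a permission has that permission "not specified".
    Rule from the article: add up all Allow entries, then subtract every
    permission that any principal (user or group) explicitly denies.
    """
    allowed, denied = set(), set()
    for principal in principals:
        for permission, access in acl.get(principal, {}).items():
            if access is Access.ALLOW:
                allowed.add(permission)
            elif access is Access.DENY:
                denied.add(permission)
    return allowed - denied


def has_permission(principals, acl, permission):
    return permission in effective_permissions(principals, acl)


# Constructed scenarios: George is a member of Sales and Marketing.
GEORGE = ["George", "Sales", "Marketing"]

# Scenario 1: only Marketing allows Read -> George can read.
SCENARIO_1 = {"Marketing": {"Read": Access.ALLOW}}
# Scenario 2: Sales denies Read -> the deny wins, George cannot read.
SCENARIO_2 = {"Marketing": {"Read": Access.ALLOW},
              "Sales": {"Read": Access.DENY}}
# Scenario 3: nobody specifies Read -> nothing allowed, no Read.
SCENARIO_3 = {}
# Scenario 4 (constructed): mixed entries across several permissions.
SCENARIO_4 = {"George": {"Write": Access.ALLOW},
              "Sales": {"Read": Access.ALLOW, "Delete": Access.ALLOW},
              "Marketing": {"Delete": Access.DENY}}

if __name__ == "__main__":
    for name, acl in (("1", SCENARIO_1), ("2", SCENARIO_2),
                      ("3", SCENARIO_3), ("4", SCENARIO_4)):
        print(f"Scenario {name}: {sorted(effective_permissions(GEORGE, acl))}")
```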

Optimize access to files and folders
There is a rule when organizing files and folders so that they can be accessed easily - keep it simple. Give your files names that will be recognizable by users. Document1.doc is not going to be very helpful to other people who need to access your data. It won't even help you a week down the road, when you can't remember what it is! Organize your files by placing them in folders, and give the folders user-friendly names as well.

Make sure that the permissions you have given to the groups and users that will access your information work together. Deny access only when it is imperative that users or groups DO NOT have access to the information, such as financial data or human resource information.

Indexing Service
A great way to optimize access to files and folders is to use the Indexing Service to index your folders. This was a new feature in Windows 2000 Professional and has been extended to Windows XP. It works similarly to the Office Fast Find service and the Index Server that came with the Windows NT 4.0 Option Pack.

This feature will index the files on your volumes and network shares, and provide you with a quick retrieval of that file. You can perform searches against the index from the Search function, the Indexing Service query form, or from a Web browser.

The Indexing Service is available under the Computer Management console. This service, by default, is set to not start with Windows XP. You must start the service in order to use it.

Once the Indexing Service has started, it will populate its default catalog. The default catalog (System) includes the Documents and Settings directory and the boot partition, and does not include the Default User's Application Data, Local Settings, and Temporary Internet Files directories.

With the populated catalog, you can then perform a search on the catalog. This will allow you to locate any file that, for example, contains the words "Windows XP".

The initial setup of the Indexing Service is not optimal, but functional. You can add folders to include or exclude in the catalog. This is done in three ways. The first method is to modify the catalog's directories.

The second is to modify the folder's advanced attributes to permit or deny the Indexing Service to index the folder.

Disk Quotas
Another new feature in Windows XP is disk quotas. Disk quotas are used to specify exactly how much disk space each user is allowed on an NTFS volume. They cannot be used on FAT or FAT32 volumes. You can create a single quota that applies to all users on your network, or you can create individual disk quotas on a user-by-user basis. The exception to this is the built-in Administrator account, to which quotas cannot be applied.

There are some things of which you should be aware before you implement disk quotas. As previously mentioned, disk quotas are available only on NTFS volumes. Quotas are applied on a volume basis.

Even if you have three volumes on one physical hard drive, the quotas must be set up on each volume individually. Disk space usage is calculated from file and folder ownership and actual file size. When a user takes ownership of a folder, the uncompressed size of that folder is added to the total disk usage for that individual, even if the folder is compressed. Also, if the user installs an application on a volume where quotas have been implemented, the application will calculate the available free space based on the quota for that user rather than the actual free space available on that drive.

Disk quotas must be configured on a per-volume basis. To enable quotas, open the Quota tab on the volume's property page. On this tab, you can then specify the parameters to be used for that volume. Here is the list of each of these options:

• Enable quota management
When this option is selected, quota management is enabled for that NTFS volume.

• Deny disk space to users exceeding quota limit
When this option is selected, users will receive an "out of disk space" error when they exceed their quota.

• Do not limit disk usage / Limit disk space to
Either disk space will not be limited or disk space will be limited to the amount specified in the "limit disk space to" text box. This amount can be specified in kilobytes, megabytes, gigabytes, terabytes, petabytes, and exabytes.

• Set warning level to
Users will receive a warning when they approach their limit of disk space.

• Select the quota logging options for this volume
You can choose to log events related to disk quotas, specifically logging when a user exceeds their quota limit or their warning level.

With the settings shown, a quota of 500 KB will apply to all new users of volume F. They will be warned at 400 KB that they are approaching their quota limit. Unfortunately, these settings may not be optimal for some users, such as graphic artists who could fill that space in seconds.

NOTE: If you are going to restrict disk usage and deny space to users exceeding their limit, it is highly recommended that you set a warning level lower than the disk limit.

You can view current entries and grant users and groups different quota levels through the Quota Entries button.

Pop Quiz Questions and Answers:
1. What command line utility do you use to compress files or folders on an NTFS partition?
Answer: The compression utility, used through Windows Explorer or through the command line utility "compact.exe", is an extension of the NTFS file system, and as such can only be used on NTFS partitions. This compression method is dynamic; once a file is compressed, it will automatically decompress for you to use the file, and then recompress when you are finished.

2. What command line utility can you use on a FAT partition to compress files?
Answer: "Compress.exe", a command line utility, is used to create compressed copies of one or more files, in the same fashion WinZip does. In order to use a file on which you have used COMPRESS.EXE, you will need to use EXPAND.EXE, another command line utility available from the resource kit.

3. When you copy a file from a compressed folder to an uncompressed folder within the same NTFS partition, what happens with the file's compression attributes?
Answer: When you copy a file, you are actually creating a new file with the same data as the original. The compression attribute of the new file will be the same as the target folder. In the scenario mentioned above, the new file would be uncompressed.

4. How can you determine a user's effective permissions to a specific file or folder?
Answer: To determine a user's permissions to a specific file or folder, you add up all the allowed permissions for the username and for all groups in which the user is a member, and then subtract the permissions that have been explicitly denied for both the username and groups.

5. What is the default setting for the Indexing Service under Windows XP Professional?
Answer: The Indexing Service, available under the Computer Management console, by default is set to not start with Windows XP Professional. You must start the service in order to use it.

Deborah Timmons is a Microsoft Certified Trainer and Microsoft Certified Systems Engineer. She came into the Microsoft technical field after six years in the adaptive technology field, providing technology and training for persons with disabilities. She is the President and co-owner of Integrator Systems Inc.
