Manage Learn to apply best practices and optimize your operations.

Plan before you assign permissions

You need to properly plan before assigning permissions to make sure you are giving the right information to the right people.

All Windows 2000 administrators want to allow the right people access to the right information. To do that, you must understand the most basic form of security -- permissions.

Most network administrators are already familiar with the setting up of permissions to files/folders, so this article looks at the major concepts you should consider when applying permissions to files/folders. You need to do proper planning before you actually assign permissions.

One of the benefits of using Windows 2000 over Windows 98 or Me, for workstations as well as servers, is the ability to use file and folder permissions. To enable file and folder permissions, you need to use NTFS: they are not available on FAT. So when you upgrade to Windows 2000, if you are concerned about file/folder security, you must convert that FAT partition to NTFS. This is normally done during the upgrade process.

Use caution when applying the deny permission, because the deny permission takes precedence over any allow permission. All other permission is cumulative or additive. For example, if a user has been assigned the "Read" permission to a file, but is also a member of a group that has been assigned the "Write" permission, the user's effective permission to the file is "Write." If, on the other hand, a user has been assigned the "Deny Write" permission, then that user will not be able to write to the file or folder, even if he/she also belongs to a group that has been assigned Full Control.

To properly assign permissions:

  1. Calculate what permissions you are going to use for files/folders. Permissions for files/folders are "least restrictive." For example, Paul is a user that has been assigned Read permission to a file. He also is a member of the shipping group that was assigned Full Control to the same file. The result is that Paul's permission for the file will be Full Control, because the "least restrictive" permission will apply to users, and Full Control is less restrictive than Read.


  2. Then perform separate calculations for shares using the "least restrictive" rule. For example, the shipping folder is now shared. Paul is assigned change permission. The shipping group (of which Paul is a member) has been assigned Read Only permission. Based on the "least restrictive" rule this user now has Change permission to the shared folder.


Permission for files and shares are always additive or least restrictive.

What would Paul's effective permission be? It is the combined permission for Paul when he accesses files and folders within the shared folder. This is calculated using the most restrictive rule. So because Paul is accessing the file (for which he has Full Control) through the shared folder (for which he has Change permission), then his effective permission (combined permission) would be Change since this is the most restrictive between the shared folder (Change) and the file permission (Full Control). Paul has Full Control for the file and Change permission for the share folder. Therefore Paul's effective permission is Change.

Adesh Rampat has 10 years experience with network and IT administration. He is a member of the Association of Internet Professionals, the Institute for Network Professionals and the International Webmasters Association. He has also lectured extensively on a variety of topics.

Did you like this tip? If so, (or if not) why not let us know. Send an email to us and sound off.

Dig Deeper on Enterprise infrastructure management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.