Discretionary access control list (DACL) – a list of security principals; each has permissions that define access to an object
Access control entry (ACE) – an entry in a discretionary access control list
Object owner – usually the user account that created the object or a group or user who has been assigned ownership of the object
System access control list (SACL) – a file system component that defines the settings for auditing access to an object
Permission: Share and NTFS
The share permission is for the legacy FAT volume.
When share permission and NTFS permission collide, the more restricted one wins. So to reduce administrative effort, we can give full control on share permission and just tune the NTFS permission as required on a NTFS volume.
Rules to keep in mind when copying or moving files and folders within or between volumes with windows default copy:
- A file or folder copied within the same NTFS volume or to a different NTFS volume inherits permissions from the destination folder.
- A file or folder moved within the same NTFS volume retains its original permissions.
- A file or folder moved to a different NTFS volume inherits the destination folder’s permissions.
- A file or folder moved from a FAT or FAT32 volume to an NTFS volume inherits the destination folder’s permissions
- A file or folder moved or copied from an NTFS volume to a FAT or FAT32 volume loses all permission settings because FAT/FAT32 volumes don’t support permissions
To retain the source folder NTFS permission, use xcopy or robocopy.
Copy existing data via xcopy to retain the permission.
xcopy source destination /O /X /E /H /K
As the name implies, owner is the most powerful person of an object.
The owner can always change permissions on an object, even when denied all access to the object.
Ownership can be taken by the following:
- Any user with the Take ownership of files or other objects user right, which can be granted to any user. By default, the Administrators group is given the Take ownership of files or other objects user right.An administrator who wants to repair or change permissions on a file must begin by taking ownership of the file.
- Anyone or any group who has the Take ownership permission on the object in question
- A user who has the Restore files and directories user right
Ownership can be transferred in the following ways:
- The current owner can grant the Take ownership permission to another user, allowing that user to take ownership at any time. The user must actually take ownership to complete the transfer.
- An administrator can take ownership.
A user who has the Restore files and directories user right can assign ownership to any user or group.