Permissions can be set on Files and Folders with CACLS
Permissions can be None, Read, Change or Full
'Full' being the same as 'Change'' plus the right to administer e.g. grant additional users rights to read the file.
Permissions can be assigned to individual users or to groups.
If a user has no rights to the files in a folder the security tab in the GUI will not appear (if you have no rights to even list the file names then you have no rights to list the security attributes either.)
Ownership of a file will override all access permissions - administrators can take ownership of any file. SUBINACL can change ownership from the command line.
Newly created files will be owned by the account used to create them (unless the account is an administrator).
There are 4 types of group: Local Machine, Local Domain, Global Domain, Universal
Control Panel - admin tools - computer management - local users
( not available on a Domain Controller )
or from the command line... NET localgroup
Control Panel - admin tools - Active directory users and computers - Users
or from the command line... NET localgroup /domain NET group /domain
A recommended arrangement is to assign file and print permissions with one set of groups (Resources), and assign user membership with a separate set of groups (Teams), then assign rights by making each team group a member of the relevant resource group(s).
- No duplication of file ACLs no matter how many teams are granted access to the folder - this reduces the size of the File Allocation Table - less fragmentation of the FAT will improve fileserver performance.
- Avoid problems where an ACL change fails because some files are open/in use, with this arrangement, most administrative changes can be made by adding and removing Users from Team groups rather than editing ACL's on disk.
- You can view/audit all permissions in Active Directory without having to search through millions of file ACLs - this makes auditing easier.
“Of manners gentle, of affections mild; In wit a man, simplicity a child” - Alexander Pope
Groups - Local Domain groups, Global and Universal groups
Built-in Groups - Built-In Users and Security Groups
Q271876 - Large Numbers of ACEs in ACLs Impair Directory Service Performance (slow logon times)
Q909264 - Naming conventions in Active Directory for computers, domains, sites, and OUs