HOW TO

HOW TO: Set, View, Change, or Remove Special Permissions for Files and Folders (Q308419)

The information in this article applies to:

Microsoft Windows XP Home Edition

Microsoft Windows XP Professional

IN THIS TASK

SUMMARY

Permissions for Files and Folders

Special Permissions Defined

Traverse Folder/Execute File

List Folder/Read Data

Read Attributes

Read Extended Attributes

Create Files/Write Data

Create Folders/Append Data

Write Attributes

Write Extended Attributes

Delete Subfolders and Files

Delete

Read Permissions

Change Permissions

Take Ownership

Synchronize

Set, View, Change, or Remove Special Permissions for Files and Folders

Troubleshooting
REFERENCES

SUMMARY

In Windows XP, you can apply special access permissions to files or folders that are located on NTFS file system volumes. Special access permissions are customizable sets of permissions. This article describes how to set, view, change, or remove special permissions for files and folders.

back to the top

Permissions for Files and Folders

Folder permissions include Full Control , Modify , Read & Execute , List Folder Contents , Read , and Write . Each of these permissions consist of a logical group of special permissions that are listed and defined in the following sections.

NOTE : This article assumes that you are using Windows XP on a domain. By default, simplified sharing is enabled in Windows XP if you are not connected to a domain, which means that the Security tab and advanced options for permissions are not available.

If you are not joined to a domain and want to view the Security tab, view the Set, View, Change, or Remove Special Permissions for Files and Folders section in this article.

File and Folder Special Permissions

The following table describes file and folder special permissions.

Special Permissions	Full Control	Modify	Read & Execute	List Folder Contents	Read	Write
Traverse Folder/Execute File	yes	yes	yes	yes	no	no
List Folder/Read Data	yes	yes	yes	yes	yes	no
Read Attributes	yes	yes	yes	yes	yes	no
Read Extended Attributes	yes	yes	yes	yes	yes	no
Create Files/Write Data	yes	yes	no	no	no	yes
Create Folders/Append Data	yes	yes	no	no	no	yes
Write Attributes	yes	yes	no	no	no	yes
Write Extended Attributes	yes	yes	no	no	no	yes
Delete Subfolders and Files	yes	no	no	no	no	no
Delete	yes	yes	no	no	no	no
Read Permissions	yes	yes	yes	yes	yes	yes
Change Permissions	yes	no	no	no	no	no
Take Ownership	yes	no	no	no	no	no
Synchronize	yes	yes	yes	yes	yes	yes

IMPORTANT : Groups or users who are granted Full Control on a folder can delete any files in that folder, regardless of the permissions that protect the file.

NOTE : Although List Folder Contents and Read & Execute appear to have the same special permissions, these permissions are inherited differently. List Folder Contents is inherited by folders but not files, and it only appears when you view folder permissions. Read & Execute is inherited by both files and folders and is always present when you view file or folder permissions.

NOTE : In Windows XP Professional, the Everyone group does not include the Anonymous Logon group.

back to the top

Special Permissions Defined

You can set any or all of the following special permissions on files and folders.

back to the top

Traverse Folder/Execute File

For folders : The Traverse Folder permission allows or denies the user from moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders (applies only to folders). Traverse Folder takes effect only when the group or user is not granted the Bypass Traverse Checking user right which checks user rights in the Group Policy snap-in. By default, the Everyone group is given the Bypass Traverse Checking user right.

For files : The Execute File permission allows or denies program files the are running (applies only to files).

Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files in that folder.

back to the top

List Folder/Read Data

The List Folder permission allows or denies the user from viewing file names and subfolder names in the folder. The List Folder permission affects only the contents of that folder and does not affect whether the folder that you are setting the permission on is listed. This applies only to folders.

The Read Data permission allows or denies viewing data in files (applies only to files).

back to the top

Read Attributes

The Read Attributes permission allows or denies the user from viewing the attributes of a file or folder, such as read-only and hidden. Attributes are defined by the NTFS file system.

back to the top

Read Extended Attributes

The Read Extended Attributes permission allows or denies the user from viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.

back to the top

Create Files/Write Data

The Create Files permission allows or denies the user from creating files in the folder (applies only to folders).

The Write Data permission allows or denies the user from making changes to the file and overwriting existing content (applies only to files).

back to the top

Create Folders/Append Data

The Create Folders permission allows or denies the user from creating folders in the folder (applies only to folders).

The Append Data permission allows or denies the user from making changes to the end of the file but not changing, deleting, or overwriting existing data (applies only to files).

back to the top

Write Attributes

The Write Attributes permission allows or denies the user from changing the attributes of a file or folder, such as read-only or hidden . Attributes are defined by the NTFS file system.

The Write Attributes permission does not imply creating or deleting files or folders, it includes only the permission to make changes to the attributes of a file or folder. To allow or deny create or delete operations, see Create Files/Write Data , Create Folders/Append Data , Delete Subfolders and Files , and Delete .

back to the top

Write Extended Attributes

The Write Extended Attributes permission allows or denies the user from changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.

The Write Extended Attributes permission does not imply that the user can create or delete files or folders, it includes only the permission to make changes to the attributes of a file or folder. To allow or deny create or delete operations, view the Create Files/Write Data , Create Folders/Append Data , Delete Subfolders and Files , and Delete sections in this article.

back to the top

Delete Subfolders and Files

The Delete Subfolders and Files permission allows or denies the user from deleting subfolders and files, even if the Delete permission is not granted on the subfolder or file. This permission applies only to folders.

back to the top

Delete

The Delete permission allows or denies the user from deleting the file or folder. If you do not have Delete permission on a file or folder, you can delete it if you are granted Delete Subfolders and Files on the parent folder permissions.

back to the top

Read Permissions

The Read Permissions permission allows or denies the user form reading permissions about the file or folder, such as Full Control , Read , and Write .

back to the top

Change Permissions

The Change Permissions permission allows or denies the user from changing permissions on the file or folder, such as Full Control , Read , and Write .

back to the top

Take Ownership

The Take Ownership permission allows or denies the user form taking ownership of the file or folder. The owner of a file or folder can change permissions on it, regardless of any existing permissions that protect the file or folder.

back to the top

Synchronize

The Synchronize permission allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies only to multiple-threaded, multiple-process programs.

back to the top

Set, View, Change, or Remove Special Permissions for Files and Folders

To set, view, change, or remove special permissions for files and folders:

Click Start , click My Computer , and then locate the file or folder for which you want to set special permissions.
Right-click the file or folder, click Properties , and then click the Security tab .
Click Advanced , and then use one of the following steps:
- To set special permissions for an additional group or user, click Add , and then in Name box, type the name of the user or group, and then click OK .
- To view or change special permissions for an existing group or user, click the name of the group or user, and then click Edit .
- To remove an existing group or user and the special permissions, click the name of the group or user, and then click Remove . If the Remove button is unavailable, click to clear the Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here check box, click Remove , and then skip the next two steps.
In the Permissions box, click to select or click to clear the appropriate Allow or Deny check box.
In the Apply onto box, click the folders or subfolders for which you want these permissions applied.
To configure security so that the subfolders and files do not inherit these permissions, click to clear the Apply these permissions to objects and/or containers within this container only check box.
Click OK , and then click OK in the Advanced Security Settings for FolderName box, where FolderName is the folder name.

CAUTION : If you click to select the Replace permission entries on all child objects with entries shown here that apply to child objects. Include these with entries explicitly defined here check box, so that all subfolders and files have all their permission entries reset to the same permissions as the parent object. After you click Apply or OK , you cannot undo this operation if you click to clear the check boxes.

Important : If you are not joined to a domain and want to view the Security tab:

Click Start , and then click Control Panel .
Click Appearance and Themes , and then click Folder Options .
Click the View tab, and then click to clear the Use simple file sharing [Recommended] check box in the Advanced settings box.

Notes :

The Everyone group does not include the Anonymous Logon permission in Windows XP.
If you click to select the Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here check box, the file or folder inherits permission entries from the parent object.
You can set permissions only on drives formatted to use the NTFS file system.
If the check boxes in the Permissions box are not available, the permissions are inherited from the parent folder.
To change permissions, you must be the owner or have permission to change permissions by the owner.
Groups or users that have Full Control permissions for a folder can delete files and subfolders in that folder, regardless of the permissions that protect the files and subfolders.

back to the top

Troubleshooting

If the Security tab is not available and you cannot configure special permissions for users and groups:

The file or folder to which you want to apply special permissions is not on an NTFS file system drive. You can set permissions only on drives that are formatted to use the NTFS file system.
Simple file sharing is enabled. By default, simplified sharing is enabled in Windows XP unless you are on a domain. To work around this behavior, disable simplified sharing.

back to the top

REFERENCES

For additional information about file and folder permissions, click the article number below to view the article in the Microsoft Knowledge Base:

Q308418 HOW TO: Set, View, Change, or Remove File and Folder Permissions