NTFS Permissions Overview

Comprehensive guide to NTFS permissions, including basic and advanced levels, inheritance, and best practices.

1. Basic Permissions (Standard UI)

These are the simplified permission levels shown in the folder/file properties UI:

Full Control: Allows all actions, including changing permissions and taking ownership.
Modify: Allows reading, writing, deleting, and modifying files/folders.
Read & Execute: Allows viewing and executing files.
List Folder Contents: Allows viewing file names and subfolder names (folders only).
Read: Allows viewing and listing files and folders.
Write: Allows writing data and creating files and folders.

Advanced permissions allow fine-tuning of access control:

Full control: Includes all permissions.
Traverse folder / execute file: Navigate folders and run executable files.
List folder / read data: View folder contents or read file data.
Read attributes: View basic file/folder attributes (e.g., read-only, hidden).
Read extended attributes: View additional metadata (set by apps).
Create files / write data: Create new files or write to existing files.
Create folders / append data: Create folders or append to files.
Write attributes: Modify basic attributes.
Write extended attributes: Modify extended attributes.
Delete subfolders and files: Delete contents inside folders.
Delete: Delete the file/folder itself.
Read permissions: View assigned permissions.
Change permissions: Modify access control lists.
Take ownership: Take ownership of the object.

Permissions can be inherited from parent folders. Inherited permissions are indicated as such in the UI and can be blocked by disabling inheritance.

Allow + Deny: Deny overrides Allow.
Effective Permissions: The actual access is calculated from group and user permissions combined, minus any explicit deny.