NTFS Permission

Posted on 2012-09-20
Last Modified: 2012-09-20

1) This is related to the NTFS Permission for a Folder in the File Server
2) There are 2 items in the NTFS Security Permission which confuse me:

First --> CREATOR OWNER  (Usually gets "Full Control")
Second --> SYSTEM (Usually gets "Full Control")

3) My questions:
i) What are the FUNCTIONS of the above 2 items?
ii) Could I just DELETE it? It seems it will be NO Effect; am I right?

Question by:tjie
    LVL 11

    Assisted Solution

    Creator / Owner and System are generated by NTFS.  

    The creator/owner gives full control attributes to whatever user account created the file / folder.  The System account is to allow Windows services to log into files and folders.

    If this is a user-created folder/share, you can delete them, but make sure to first add your own user account / group with Full Control permissions so you don't accidentally lock yourself out of the folder.
    LVL 18

    Assisted Solution

    You may simply remove those ID's Administrators can take ownership make security ACL changes in event of failure
    LVL 70

    Accepted Solution

    The CREATOR/OWNER is the account that created the object - MS give this user 'Special Permissions', taking the view that the person who created the object ca do whatever they like with it - its theirs - so thay have full control over what happens to it. - DO NOT DELETE THIS.

    The SYSTEM is Windows itself - it has permissions by default so that windows can read the file information, and preform system level operations on the object - DO NOT DELETE THIS

    As for NTFS vs SHARE permissions:

    When you share a folder it has share permissions. For the most part, if your drives are formatted as NTFS then give the 'Everyone' Group 'Full Control' at the share level (you will need to change the default permission on the Sharing Tab as the Default is 'Everyone' Read). This may seem odd and insecure but it is not as NFTS itself allows you much greater control of permissions. It is common to allow full control at the share level and then tie down permissions with NTFS.

    If you right click on a folder and go to the Security Tab, it will show you the NTFS Permissions. Normally you will want a shared folder not to inherit permissions from its parent folder or drive, So go to the Advanced Tab and clear the 'Inherit from parent...' box and COPY the permissions when prompted.

    You can then edit/add/remove groups from the security tab and assign each the required permissions. So if you want the Marketing Group to have full access to a folder, add the Marketing Group and Assign them Full Control. If you want the Sales Group to be able to read the folder and files but not add/delete/change anything, add the Sales group and leave the default permissions, (read, read and execute list folder contents). To stop others accessing the folder remove the Everyone and (domain) Users Groups from the list.

    It is enough that groups do not appear on the list to stop them getting access. You do not normally need to DENY. If a user is a member of two or more groups they get the best of their cumulative NTFS Permissions (unless a deny is present, in which case it overrides).

    Normally the standard permissions will be sufficient for most purposes; if you want to be more prescriptive you can use the 'Advanced' option and set advanced permissions.

    If users have both share and NTFS permissions they get the most restrictive of the combination of the combined NTFS/Share permissions (which is why it is normal to allow Full Control on the share and rely on NTFS permissions)

    It is usual to give permissions to groups, not to users as this makes for easier management. If a new person joins the sales team, you just add them to the sales group and they automatically get all the permissions assigned to the Sales Group. If someone moves from Marketing to sales you remove them from the Marketing group and they lose all the Marketing Group Permissions, when you then add them to sales they get all the permissions of the sales group. As already stated a user can be a member of multiple groups.

    See for more info

    Once a folder is shared with the correct folder and NTFS permissions users can connect to it using the UNC path name, it they can type \\ServerName\ShareName at the run Prompt. Alternatively they can map a drive to the folder. To do this click on Tools, Map Network drive in Windows Explorer and  assign any unused drive letter to the shared folder. The folder will then appear a s Network drive in My Computer

    An analogy. Your computer is a house Your data is in as safe the house. To gain access to the data people from outside have to go through the froint door (the share), and then open the safe (NTFS). They need to have both the key to the door (share permissions) and the key to the safe (NTFS permissions) to get at the data - having one key or the other is no good - they must have both.

    Featured Post

    What Security Threats Are You Missing?

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Join & Write a Comment

    This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
    This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

    733 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    25 Experts available now in Live!

    Get 1:1 Help Now