How to Set File and Folder Permissions in Windows
Normally, you don’t have to worry about permissions in Windows because that’s already taken care of by the operating system. Each user has their own profile and their own set of permissions, which prevents unauthorized access to files and folders.
There are times, however, when you might want to manually configure the permissions on a set of files or folders in order to prevent other users from accessing the data. This post is assuming the other “people” also have access to the same computer you are using.
If not, you may as well justencrypt your hard driveand that’s it. However, when others can access the computer, like family or friends, then permissions can come in handy.
Of course, there are other alternatives likehiding files and folders using file attributesor by using the command prompt to hide data. You can even hide an entire drive in Windows if you like.
If you are looking to set permissions in order to share files with others, check out my post oncreating a hidden network share or how to share files across computers, tablets and phones.
Data Security
The only other occasion where you will need to mess around with folder or file permissions is when you get aPermission Denied errorwhen trying to access data. This means you can take ownership of files that don’t belong to your current user account and still access them.
This is important because it means that setting permissions on a file or folder does not guarantee the security of that file or folder. In Windows, an administrator on any Windows PC can override the permissions on a set of files and folders by taking ownership of them. Once you have ownership, you can set your own permissions.
So what does this mean in English? Basically, if you have data you don’t want others to see, then you should either not store it on that computer at all or you should use an encryption tool likeVeraCrypt.
File and Folder Permissions
Now that we got all of that out of the way, let’s talk about permissions in Windows. Every file and every folder in Windows has its own set of permissions. Permissions can be broken down intoAccess Control Listswith users and their corresponding rights. Here is an example with the user list at the top and the rights at the bottom:
Permissions are also either inherited or not. Normally in Windows, every file or folder gets their permissions from the parent folder. This hierarchy keeps going all the way up to the root of the hard drive. The simplest permissions have at least three users: SYSTEM, currently logged in user account and the Administrators group.
These permissions usually come from theC:\Users\Usernamefolder on your hard drive. You can access these permissions by right-clicking on a file or folder, choosingPropertiesand then clicking on theSecuritytab. To edit permissions for a particular user, click on that user and then click theEditbutton.
Note that if the permissions are greyed out, like in the example above, the permissions are being inherited from the containing folder. I’ll talk about how you can remove inherited permissions further below, but first let’s understand the different types of permissions.
Permission Types
There are basically six types of permissions in Windows:Full Control,Modify,Read & Execute,List Folder Contents,Read, andWrite.List Folder Contentsis the only permission that is exclusive to folders. There are more advanced attributes, but you’ll never need to worry about those.
So what do each of these permissions mean? Well, here is a nice chart from Microsoft’s website that breaks on what each permissions means for files and for folders:
Now that you understand what each permission controls, let’s take a look at modifying some permissions and checking out the results.
Editing Permissions
Before you can edit any permissions, you have to have ownership of the file or folder. If the owner is another user account or a system account like Local System or TrustedInstaller, you won’t be able to edit the permissions.
If you right-click on a file or folder, choosePropertiesand click on theSecuritytab, we can now try to edit some permissions. Go ahead and click theEditbutton to get started.
At this point, there are a couple of things you can do. Firstly, you’ll notice that theAllowcolumn is probably greyed out and can’t be edited. This is because of the inheritance I was talking about earlier.
However, you can check items on theDenycolumn. So if you just want to block access to a folder for a specific user or group, click theAddbutton first and once added, you can check theDenybutton next toFull Control.
When you click theAddbutton, you have to type in the user name or group name into the box and then click onCheck Namesto make sure it’s correct. If you don’t remember the user or group name, click on the Advanced button and then just clickFind Now. It will show you all the users and groups.
Click OK and the user or group will be added to the access control list. Now you can check theAllowcolumn orDenycolumn. As mentioned, try to useDenyonly for users instead of groups.
Now what happens if we try to remove a user or group from the list. Well, you can easily remove the user you just added, but if you try to remove any of the items that were already there, you’ll get an error message.
In order to disable inheritance, you have to go back to the main Security tab for the file or folder and click on theAdvancedbutton at the bottom.
On Windows 7, you’ll one extra tab forOwner. In Windows 10, they just moved that to the top and you have to clickChange. Anyway, in Windows 7, click onChange Permissionsat the bottom of the first tab.
On theAdvanced Security Settingsdialog, uncheck theInclude inheritable permissions from this object’s parentbox.
When you do that, another dialog box will popup and it will ask you whether you want to convert the inherited permissions to explicit permissions or whether you just want to remove all the inherited permissions.
Unless you really know exactly what permissions you want, I suggest choosingAdd(explicit permissions) and then just removing whatever you don’t want afterwards. Basically, clicking onAddwill keep all the same permissions, but now they won’t be greyed out and you can clickRemoveto delete any user or group. ClickingRemove, will start you off with a clean slate.
In Windows 10, it looks slightly different. After clicking on theAdvancedbutton, you have to click onDisable Inheritance.
When you click on that button, you’ll get the same options as in Windows 7, but just in a different form. TheConvertoption is the same asAddand the second option is the same asRemove.
The only thing you have to understand now is theEffective PermissionsorEffective Accesstab. So what is effective permissions? Well, let’s see the example above. I have a text file and my account, Aseem, has Full Control. Now what if I add another item to the list so that the groupUsersis deniedFull Control.
The only problem here is that theAseemaccount is also part of theUsersgroup. So I have Full Control in one permission and Deny in another, which one wins? Well, as I mentioned above, Deny always overrides Allow, so Deny will win, but we can also confirm this manually.
Click onAdvancedand go to theEffective Permissionsor Effective Accesstab. In Windows 7, click the Select button and type in the user or group name. In Windows 10, click theSelect a userlink.
In Windows 7, once you select the the user, it will instantly show the permissions in the list box below. As you can see, all of the permissions are unchecked, which makes sense.
In Windows 10, you have to click theView effective accessbutton after selecting the user. You’ll also get a nice red X for no access and a green check mark for allowed access, which is a bit easier to read.
So now you pretty much know all there is to know about Windows file and folder permissions. It does take some playing around yourself in order to get the hang of it all.
The main points to understand are that you need to be the owner in order to edit permissions and that any administrator can take ownership of files and folders regardless of the permissions on those objects. If you have any questions, feel free to post a comment. Enjoy!
Founder of Help Desk Geek and managing editor. He began blogging in 2007 and quit his job in 2010 to blog full-time. He has over 15 years of industry experience in IT and holds several technical certifications.Read Aseem’s Full Bio
Welcome to Help Desk Geek- a blog full of tech tips from trusted tech experts. We have thousands of articles and guides to help you troubleshoot any issue. Our articles have been read over 150 million times since we launched in 2008.
HomeAbout UsEditorial StandardsContact UsTerms of Use
Copyright © 2008-2024 Help Desk Geek.com, LLC All Rights Reserved
