Table of Contents

• Permissions for Students
• Types of Security Access Permissions
• Notes on Permissions
• Add Permissions
• Modify Existing Permissions
• Remove Permissions

Please Note: Allowing the Staff and Students groups Add, Add & Read, Change, or Full Control permissions on a folder allows any infected NPS user accounts to add virus-infected files to that folder. We strongly recommend limiting the use of those four permissions to specifically named user accounts rather than all Staff or all Students.

Permissions for Students

• Students should never be allowed "Full Control" of any folder or file on the S: drive!
• They may safely be granted permission to "Change" one or more files. In general, we recommend against giving students "Change" permission for a folder. Doing so would allow them to edit or delete any file in that folder (unless the permissions for that file were modified to explicitly disallow student access).
• If your students need to add files to a folder then you should use one of the two procedures below. The first procedure will prevent unauthorized students from adding files to the folder. The second, less desirable, procedure will not prevent storage space "poaching" by unauthorized students. But it will allow us to more easily discover their dastardly deeds and to expunge their inappropriate materials. The first two steps in both procedures are identical.

  Procedure #1	or...	Procedure #2   (less desirable)
  Modify the permissions so that "CREATOR OWNER" has "Read" (or "Change") permission - but not "Full Control"! This will allow students to read (or edit/modify/delete) the files and folders they add to your folder - but they will not be able to modify the access permissions on the files and folders to deny you or administrators access to those files and folders. Modify or add "Full Control" for yourself and for administrators. This allows you to edit and delete the files and allows administrators to scan the S: drive for computer viruses and repair infected files. Give each individual student who needs to add files to that folder permission to "Add" or "Add & Read".		Modify the permissions so that "CREATOR OWNER" has "Read" (or "Change") permission - but not "Full Control"! This will allow students to read (or edit/modify/delete) the files and folders they add to your folder - but they will not be able to modify the access permissions on the files and folders to deny you or administrators access to those files and folders. Modify or add "Full Control" for yourself and for administrators. This allows you to edit and delete the files and allows administrators to scan the S: drive for computer viruses and repair infected files. Give the "Students" group or the "Everyone" group (which includes both Students and Staff) permission to "Add" or "Add & Read".
  (See the table below for descriptions of the various types of access permissions for folders and files.)

Types of Security Access Permissions in Windows NT 4.0

Permission Type	Has the Following Effects on ...
	Folders	Files
No Access	Unable to access the folder, its contents, or attributes.	Unable to access the contents or attributes of the file.
Read	Can view the contents, attributes, permissions, and owner of the folder. Can run programs. Can navigate the folder structure, moving down through subfolders (where subfolder security permissions do not restrict access) Unable to modify the folder or its attributes.	Can view the file's data, attributes, permissions, and owner. Can run programs. Unable to modify the file or its attributes.
List	Can see what files and folders are in the folder. Can navigate. Unable to modify the folder or its attributes. Unlike all other permission types, granting List access to a folder will not affect permissions on any files within the folder - even if the Replace Permissions on Existing Files box is checked. If you wish to grant access to files as well as folders, you should either (1) grant Read access instead of List access to the folder and the files it contains , or (2) grant the desired access to individual files.	N/A
Add	Can add files to the folder. Unable to view or access the contents of the folder. (Note: they will be the owner of any files they add to the folder, and as such will have whatever access is granted to "CREATOR OWNER" in the permissions list.)	N/A
Add & Read	Can add files to the folder. Can read files in the folder (see Read above). Unable to modify or delete files. (Note: they will be the owner of any files they add to the folder, and as such will have whatever access is granted to "CREATOR OWNER" in the permissions list.)	N/A
Change	Can create, modify, and delete files and folders. Can run programs. Can navigate. Unable to change permissions for the folder. Unable to take ownership of the folder.	Can view, modify, or delete the file. Can run programs. Unable to change permissions for the file. Unable to take ownership of the file.
Full Control	Can create, modify, and delete files and folders. Can run programs. Can navigate. Can change permissions for the folder. Can take ownership of the folder.	Can view, modify, or delete the file. Can run programs. Can change permissions for the file. Can take ownership of the file.

Notes:

1. Users can use a directory or file only if they have been granted permission to do so or if they belong to a group that has permission to do so.
2. File permissions always override folder permissions.
3. Permissions are cumulative, but the No Access permission overrides all others. For example, if the Librarians group has Change permission for a file, and the Staff group has only Read permission and John is a member of both groups, John will be granted Change permission. However, if the Staff group's permission for the file is changed to No Access, John will be unable to use the file, despite his membership in the Librarians group.
4. Windows NT calls the user who creates a file or folder the CREATOR OWNER of that file or folder.
5. Anyone who has been granted Full Control over a file or folder (including, by default, the CREATOR OWNER) can control access to that file or folder by changing the security access permissions set on it. Windows NT will allow any user with Full Control to take ownership of files and folders, then modify permissions restricting access to those files and folders. It is usually a good idea to give Full Control only to system administrators and persons entrusted with the responsisbility of maintaining that file structure. Persons who need to modify the information within a file or the files within a folder need only permission to Change that file or folder. Users who are members of the Administrators group can always take ownership of a file or folder.
6. The easiest way to administer security is by setting permissions for groups rather than individual users. Typically, a user needs access to many files. If the user is a member of a group that has access to the files, you can end the user's access by removing the user from the group rather than changing the permissions on each of the files. Setting permissions for an individual user does not override the access granted to the user through groups to which the user belongs.
7. It is generally better, and easier, to set permissions only at the folder level. The Windows NT operating system permits folders to be created inside folders... and more folders inside of those folders. This allows you to create a hierarchical structure of folders, each with customized permissions. When you create files and folders inside a parent folder (the folder that contains those files and folders), they inherit their permissions from the parent folder. For example, if you create a file in a folder that allows the Librarians group Change permission and the Staff group Read permission, those same permissions apply to a file created in that folder (until someone with Full Control changes the permissions for that file).
8. If you like to keep life simple, you should probably avoid using the Special Access permissions (which are not described in this document).

Add Security Access Permissions

1. Right-click on the folder or file for which you wish to add security permissions
2. Select Properties from the menu that appears
3. Click on the Security tab
4. Click on the Permissions button
   This should open the Directory Permissions window (example below)
   
   
   
   
   
   
5. If you are changing the security access permissions for a folder and you would like the changes to affect all files and subfolders contained within that folder then you should place a check in both Replace Permissions... boxes near the top of the Directory Permissions window
6. Click Add
7. If you need to add permissions for individual users you should click the Show Users button. Adding all individual users to the list may take a moment. If you do not need to add permissions for individual users you may skip this step.
8. Click on the name(s) of the groups and/or users you would like to add
9. Click Add
10. Use the drop-down menu to select the type of security permissions you want to give to those users.
11. Click OK to save the permission changes and exit the Directory Permissions window
12. Click OK to close the Properties window

Modify Existing Security Access Permissions

1. Open the Directory Permissions window (see above)
2. Click on the name of the group or user you want to modify
3. Use the drop-down menu to select the type of security permissions you want to give to that group or user.
4. Click OK to save the permission changes and exit the Directory Permissions window
5. Click OK to close the Properties window

Remove Security Access Permissions

1. Open the Directory Permissions window (see above)
2. Click on the name of the group or user you want to remove
3. Click Remove
4. Click OK to save the permission changes and exit the Directory Permissions window
5. Click OK to close the Properties window