Strategies for securing data come in many forms. As standard protocol in protecting an organization’s sensitive information, IT administrators ensure that only authorized users can access certain items within a network. This is why IT administrators must know the concept of permissions and how to manage access and restrictions of files, folders, data, and others.
This article will explore the steps on how to change permissions in Windows 10, highlight the differences between user and group permissions, and address how these changes affect system security and functionality.
An Overview of Permission in Windows 10
What is permission in Windows 10?
Permissions refer to the level of access a user or group has to a resource. Common permission types include the following:
- Read. This permission allows users and/or groups to view the contents of data.
- Write. This permission allows users and/or groups to view and modify the contents of data.
- Modify. This permission allows users and/or groups to view, modify, and delete the contents of data.
- Full control. This permission refers to users’ and/or groups’ complete access to the data and allows users to change permissions.
What are the types of permissions?
Permissions have two types: explicit and inherited.
- Explicit permission. This type of permission is set either by default when non-child objects are created or through user actions on non-child, parent, or child objects. In contrast, inherited permissions are passed down to an object from its parent, simplifying permission management and maintaining consistency across all objects within a container.
- Inherited deny permission. This type of permission does not block access to an object if there is an explicit Allow permission entry for that object. Explicit permissions always override inherited permissions, including inherited Deny permissions.
What is the difference between user and group permissions?
- User permissions. This permission is limited to specific individual accounts.
- Group permissions. This permission applies to a collective group, streamlining permission management.
What is NTFS Permissions and the Windows Security Model
New Technology File System (NTFS) is a system that Windows uses to control permissions of data for enhanced security. Meanwhile, the Windows Security Model is an architecture that enforces user access control and privileges. These two systems work together to ensure that only authorized users and applications can access and modify data on a Windows system.
Pre-requisites for Modifying Permissions in Windows 10
There are important considerations that you have to check first before changing permissions for user or group accesses:
1. Identify the target object
Determine whether you’re changing permissions for files, folders, registry keys, drives, or a combination of any of those. This will give you an idea of how to approach the actions you will take next in terms of permission management.
2. Review current permissions
Reviewing existing permissions helps you see the current access status of your target objects. You can check them using the Security Tab or Registry Editor. Here’s how:
- Files/Folders/Drives: Right-click the object, select Properties, then go to the Security tab.
- Registry Keys: Use the Registry Editor (regedit) to view permissions.
How to Change Permissions for Files and Folders
A. Add User or Group and Set Permissions in Security Settings
1. Access Security Settings
- Right-click the file, folder, or drive and select Properties.
- Go to the Security tab.
2. Add a User or Group
- Click Edit under the Group or user names section.
- Click Add.
3. Select User or Group
- In the dialog box, click Advanced > Find Now.
- Choose the desired user or group from the list.
- Click OK to confirm.
4. Set Permissions
- Highlight the added user or group.
- Check the appropriate boxes under Allow or Deny to configure permissions.
- Click Apply and then OK.
B. Add User or Group and Set Permissions in Advanced Security Settings
1. Open Advanced Security Settings
- Right-click the file, folder, or drive, select Properties, and navigate to the Security tab.
- Click Advanced.
2. Add a User or Group
- Click Add in the Advanced Security Settings window.
- Click Select a principal.
3. Choose User or Group
- In the dialog box, click Advanced > Find Now.
- Select the desired user or group and click OK.
4. Assign Permissions
- Configure the permissions by checking the appropriate boxes.
- Click OK to apply changes.
5. Save Changes
- Review the settings and click OK to close all dialogs.
C. Remove User or Group from Permissions in Security Settings
1. Access Security Settings
- Right-click the file, folder, or drive and select Properties.
- Go to the Security tab.
2. Edit Permissions
- Click Edit under the Group or user names section.
3. Remove User or Group
- Select the user or group to remove.
- Click Remove.
- Confirm the removal and click OK.
D. Remove User or Group from Permissions in Advanced Security Settings
1. Open Advanced Security Settings
- Right-click the file, folder, or drive, select Properties, and go to the Security tab.
- Click Advanced.
2. Select User or Group
- Locate the user or group under the Permission entries section.
- Highlight it and click Remove.
3. Save Changes
- Click OK to apply the changes and exit.
E. Change Permissions in Security Settings
1. Access Security Settings
- Right-click the file, folder, or drive and select Properties.
- Go to the Security tab.
2. Edit Permissions
- Click Edit under the Group or user names section.
- Select the user or group whose permissions you want to modify.
3. Modify Permissions
- Check or uncheck the appropriate boxes under Allow or Deny.
- Click Apply and then OK.
F. Change Permissions in Advanced Security Settings
1. Open Advanced Security Settings
- Right-click the file, folder, or drive, select Properties, and go to the Security tab.
- Click Advanced.
2. Edit Permissions
- Locate the user or group under the Permission entries section.
- Select it and click Edit.
3. Adjust Permissions
- Modify the permissions as needed by checking or unchecking boxes.
- Click OK to confirm.
4. Save Changes
- Review the settings and click OK to apply and exit.
G. Change Permissions Using Command Prompt
1. Open Command Prompt
- Press Win + X and select Command Prompt (Admin) or Windows Terminal (Admin) if elevated permissions are required for the target file, folder, or drive.
2. Use the ICACLS Command to Modify Permissions
- Enter one of the following commands based on what you want to apply:
- Apply to this file only:
icacls “full path of file” /grant “user or group”:(permissions) - Apply to this folder only:
- Apply to this file only:
icacls “full path of folder” /grant “user or group”:(permissions)
- Apply to this folder, subfolder, and files:
icacls “full path of folder” /grant “user or group”:(permissions)
- Apply to this drive only:
icacls “drive letter:” /grant “user or group”:(permissions)
- Apply to this drive, subfolder, and files:
icacls “drive letter:” /grant “user or group”:(permissions) /t /c
3. Substitute Values in the Command
- Replace placeholders in the command with the appropriate values:
- full path of file: Full path of the file (e.g., “C:\Users\Documents\File.txt“).
- full path of folder: Full path of the folder (e.g., “C:\Users\Documents\MyFolder“).
- drive letter: Drive letter (e.g., “D:”).
- user or group: Name of the user or group (e.g., “JohnDoe“).
- permissions: One or more permissions (e.g., RX,W).
4. Available Permissions
- Use the following permissions for the permissions parameter:
- Basic permissions:
| PERMISSIONS | DESCRIPTION |
| N | No access |
| F | Full access |
| M | Modify access |
| RX | Read and execute access |
| R | Read-only access |
| W | Write-only access |
| D | Delete access |
-
- Advanced permissions:
| PERMISSIONS | DESCRIPTION |
| DE | Delete |
| RC | Read control |
| WDAC | Write DAC |
| WO | Write owner |
| S | Synchronize |
| AS | Access system security |
| MA | Maximum allowed |
| GR | Generic read |
| GW | Generic write |
| GE | Generic execute |
| GA | Generic all |
| RD | Read data/list directory |
| WD | Write data/add file |
| AD | Append data/add subdirectory |
| REA | Read extended attributes |
| WEA | Write extended attributes |
| X | Execute/traverse |
| DC | Delete child |
| RA | Read attributes |
| WA | Write attributes |
5. Example Command
- To grant read and write access to a folder and its subfolders for a user, run the following command:
- icacls “C:\Users\John\Documents\Folder” /grant “JohnDoe”:(RX,W) /t /c
6. Close the Command Prompt
- When finished, close the Command Prompt. The changes will take effect immediately.
Common Use Cases Permission Modification
Changing permissions for files, folders, and other objects serves multiple purposes. Here are some common use cases of permission modifications.
- Assigning read-only access. This specific permission allows users to view files but prohibits them from doing modifications. Read-only access provides viewing permission to essential files that one needs to share but, at the same time, needs to be protected from unwanted edits or data modifications.
- Custom shared folders. This permission is used to set specific access levels for different groups of users within a network. For example, you might have a “Graphic Design” folder where the graphic design team has full read/write access, while other departments only have read-only access. This granular control helps maintain data integrity and prevents unauthorized modifications to shared resources.
- Restricting sensitive data. This permission involves denying access to folders containing confidential information, which is crucial for certain industries, such as banking, finance, healthcare, and more. By denying access to folders containing confidential information, organizations can prevent the unauthorized disclosure or misuse of sensitive data.
- Registry key management. The Windows Registry is a hierarchical database that stores configuration information for the operating system and applications. Administrators can grant specific users or groups the necessary rights to modify specific registry keys by managing permissions. This is crucial for tasks like system troubleshooting, where administrators may need to adjust specific settings to resolve issues. It also allows for controlled system optimization by granting limited access to specific registry keys for performance-tuning purposes. Administrators can prevent accidental or malicious changes that could destabilize the system by restricting access to critical registry keys.
Troubleshooting Permission Issues
Managing permissions in Windows 10 can be easy, depending on your method for changing permissions and your expertise level. However, whether you already know how to manage permissions or not, you may encounter some issues along the way. Here are some of the most common permission issues and their potential solutions.
1. Access denied error. This error is typically encountered when the one modifying permissions has insufficient privileges to execute the process. Additionally, if the current user does not have ownership of the file, folder, or registry key, you may encounter an access denied error. Here’s what you can do:
- Firstly, ensure that you are logged into an account as an Administrator.
- Press Win + R, type netplwiz, and press Enter.
- Check if your account is listed as “Administrator.”
- Try taking ownership of the object.
- Right-click the file, folder, or drive and select Properties.
- Go to the Security tab and click Advanced.
- In the Advanced Security Settings, click the Owner field (top) and select Change.
- Enter your username or group name (e.g., “Administrators”) and click Check Names.
- Click OK to confirm and Apply the changes.
- Check the Replace owner on subcontainers and objects box if applying ownership to nested items.
2. Access denied error when using ICALS. Others may also encounter an “Access is Denied” error when using the ICALS command to modify permissions. This could stem from the current user lacking ownership of the file, folder, or drive being modified. Here’s what you can do:
- Elevate permissions to ensure the Command Prompt is running with administrative privileges by selecting Run as Administrator when opening it.
- Try taking ownership of the object using Command Prompt.
- Press the Windows key + R to open Command Prompt.
- Run the command takeown /F “full path of file or folder” /R /D Y
- This grants the current user ownership of the file, folder, or drive.
- Once ownership is established, rerun the ICACLS command with the desired permissions.
- In Command Prompt, run the command icacls “full path of file or folder” /grant “user or group”:(permissions)
Implications and Security Considerations
Changing permissions is a critical task that should only be carried out by users who know how to execute the process and understand the effects of the modifications.
How changes in permissions impact system security
- Increased security. Data security is enhanced only if permissions are configured correctly. By restricting access to sensitive files and folders, you effectively limit the potential impact of malware, unauthorized access, and data breaches.
- Reduced security. On the other hand, if the task of changing permissions falls into the wrong hands, the permissions could be configured improperly, weakening the security posture. Incorrect permissions may cause granting users excessive access when they’re only supposed to have a limited one, potentially exposing data to risks.
- Data loss. Incorrectly denying access to necessary files or folders can prevent legitimate users from accessing critical data, potentially leading to data loss or disruptions to business operations.
How to balance accessibility and security
- Managing user roles. Careful planning and consideration of user roles and responsibilities within the organization is the best way to balance data accessibility and security.
- Finding a balanced permission. Managing permissions should involve looking thoroughly into the data for which you will modify permissions. Certain data may need restrictive access, such as those that should only be exclusive to specific groups of people. Meanwhile, some data need permissions that should be restricted enough to be protected but not so restricted that they hinder legitimate users from performing their job duties.
The Importance of auditing permissions regularly
- Identify misconfigurations. Permission audits can help determine whether misconfigurations occurred. This, in turn, can help rectify the misconfigurations, ensuring that permissions are aligned with current security policies and that there are no unintended access privileges.
- Flag unauthorized changes. Regular permission audits can also help detect unauthorized permission modifications. This can lead to timely action if necessary security measures need to be deployed.
- Remain compliant. Regular security audits are required in many industries to comply with regulatory standards such as HIPAA or GDPR.
Changing Permissions As a Crucial Security Measure
Data security is a cornerstone of permission management in Windows 10. This ensures that only authorized users or groups can access specific data and information. Proper permission configuration is needed since it plays a huge role in maintaining data security. If permissions are misconfigured, they expose data to critical risks that may lead to data breaches, cyber threats, and more. Therefore, meticulous attention to detail and regular audits are essential to ensure that permissions are configured correctly and that data remains secure.
