On NTFS and ReFS volumes, you can set security permissions on files and folders. These permissions grant or deny access to the files and folders.
Every container (e.g., a folder) and object (e.g., a file) on the PC has a set of access control information attached to it. Known as a security descriptor, this information controls the type of access allowed to users and groups. The security descriptor is created automatically along with the container or object.
When you are a member of a group (ex: "Administrators") that is associated with an object, you have some ability to manage the permissions on that object. For those objects you own, you have full control.
Permissions are defined within an object's security descriptor. Permissions are associated with, or assigned to, specific users and groups. For example, for the file Temp.dat, the built-in Administrators group might be assigned Read, Write, and Delete permissions, while the Backup Operators group might be assigned Read and Write permissions only.
Each assignment of permissions to a user or group is represented in the system as an access control entry (ACE). The entire set of permission entries in a security descriptor is known as a permission set or access control list (ACL). Thus, for a file named Temp.dat, the permission set includes two permission entries, one for the built-in Administrators group and one for the Backup Operators group.
There are two types of permissions: explicit permissions and inherited permissions.
- Explicit permissions are those that are set by default on non-child objects when the object is created, or by user action on non-child, parent, or child objects.
- Inherited permissions are those that are propagated to an object from a parent object. Inherited permissions ease the task of managing permissions and ensure consistency of permissions among all objects within a given container.
- Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry.
- Explicit permissions take precedence over inherited permissions, even inherited Deny permissions.
By default, objects within a container inherit the permissions from that container when the objects are created. For example, when you create a folder called MyFolder, all subfolders and files created within MyFolder automatically inherit the permissions from that folder. Therefore, MyFolder has explicit permissions, while all subfolders and files within it have inherited permissions.
This tutorial will show you how to add or remove a List Permissions context menu for files and folders for all users in Windows 7, Windows 8, and Windows 10.
The List Permissions context menu will list the path, owner, group, access permissions, and SDDL (security descriptor definition language) of the file, folder, or subfolders and files of a folder.
While you must be an administrator to add or remove the context menu, all users can use the context menu.
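
To read the SDDL line that the List Permissions menu prints, and to see why an explicit Allow wins over an inherited Deny, here is an added Python example (not part of the original tutorial or the context menu itself). The SDDL string, the user SID, and the function names are constructed for illustration; only the four generic file rights codes are handled.

```python
import re

# Generic file rights in SDDL and their access masks (values from winnt.h).
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")

# Constructed sample: an explicit Allow for one user, plus a Deny and an Allow
# inherited (ID flag) from the parent folder for Builtin Users (BU).
USER = "S-1-5-21-1-2-3-1001"
SAMPLE = f"O:BAG:SYD:AI(A;;FW;;;{USER})(D;ID;FW;;;BU)(A;ID;FR;;;BU)"

def rights_mask(rights):
    """Convert an SDDL rights field (hex mask or two-letter codes) to a mask."""
    if rights.startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS[rights[i:i + 2]]
    return mask

def parse_dacl(sddl):
    """Return the DACL's ACEs (type, inherited flag, mask, trustee) in order."""
    dacl = re.search(r"D:[^()]*((?:\([^()]*\))*)", sddl)
    aces = []
    for ace_type, flags, rights, trustee in ACE_RE.findall(dacl.group(1) if dacl else ""):
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        aces.append({"allow": ace_type == "A", "inherited": "ID" in flag_set,
                     "mask": rights_mask(rights), "trustee": trustee})
    return aces

def access_check(aces, sids, desired):
    """Evaluate ACEs in canonical order (assumed: explicit Deny, explicit Allow,
    inherited Deny, inherited Allow) for a token holding the SIDs in `sids`."""
    ordered = sorted(aces, key=lambda a: (a["inherited"], a["allow"]))
    remaining = desired
    for ace in ordered:
        if ace["trustee"] not in sids:
            continue
        if not ace["allow"] and ace["mask"] & remaining:
            return False, ace          # a matching Deny is reached first
        if ace["allow"]:
            remaining &= ~ace["mask"]  # these bits are now granted
        if remaining == 0:
            return True, ace           # granted before any later Deny is read
    return False, None

if __name__ == "__main__":
    aces = parse_dacl(SAMPLE)
    print(access_check(aces, {USER, "BU"}, RIGHTS["FW"])[0])  # explicit Allow decides
    print(access_check(aces, {"BU"}, RIGHTS["FW"])[0])        # inherited Deny decides
```

The user with the explicit Allow is granted write access because evaluation stops before the inherited Deny is reached; a member of Users without that entry hits the inherited Deny.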