WIN2000 adds a feature that WIN98 and earlier versions of Windows do not have: NTFS permissions. With it, security can be controlled at the folder and file level, unlike the accounts and passwords in WIN98. In WIN98, once you know the account name and password, you have full control of the computer; there is no way to give an account read-only access to just one folder or file. In WIN2000 this is perfectly possible. OK, let's go!
First of all, the prerequisite for this feature is that your partition must be NTFS; on a FAT or FAT32 partition it cannot be done. In fact, if WIN2000 is the only operating system on the computer, or as long as you don't also have WIN98 or a similar system on the machine, using an NTFS partition is a great choice, and it will greatly improve the stability and security of your system. If your partition is FAT32, you can convert it to NTFS with this command:
convert x: /fs:ntfs
Replace x with the actual drive letter. Note, however, that WIN98 does not recognize NTFS-formatted partitions, which means that if the partition WIN98 lives on is formatted as NTFS, WIN98 will no longer be usable. The command is also irreversible: it can only convert FAT32 to NTFS, not NTFS back to FAT32. If you want to convert back, use PQ or similar software.
Now that you have an NTFS partition, you must grant NTFS permissions to each user account that needs access to a resource; a user must be explicitly authorized before it can access the resource, and without permissions it is denied access. An analogy: if I set NTFS permissions on a file and grant them only to myself and user a, then no account other than mine and a's can use the file; WIN2000 will show a "no proper permission to read" hint. That is how the file's security is realized, and it holds both on the local computer and over the network: even when connecting to the computer over the network, only I and user a can use the file. Although the file is shared, other people can only see it but cannot read it; they can see it but can't eat it, so to speak, hehe.
In WIN2000 there is an access control list (ACL) that holds the user accounts, groups and computers that may access the resource. When a user accesses the resource, its account must be in the ACL; depending on the ACL, WIN2000 then allows or denies the access.
The point here is that, contrary to what we might imagine, WIN2000 does not identify users by user name. Each account is given a security identifier (SID) when it is created, and WIN2000 decides whether two users are the same by comparing SIDs. If the SIDs differ, WIN2000 treats them as two different accounts even if the user name and all other settings are identical. It is like collecting a prize: only your identity card is checked, regardless of whether the name matches. Because the SID is assigned by WIN2000 when the account is created, if you delete an account and then re-create an identical one, its SID is not the same as the original, and its NTFS permissions must be set again.
Now let's look at how NTFS permissions are actually applied. Right-click the file or folder you want to set permissions on and select Properties -> Security. You can then see which accounts or groups are allowed on the file; by default it is the Everyone group, which stands for all users, and the lower section lists the permissions that can be set for the selected group or account. If Everyone's permissions are set to Full Control, every user is free to do anything with the file, including reading, modifying, deleting and so on. This is also the default permission in WIN2000. You can also add accounts and set permissions for them; as long as you know how, the operation is simple, and I'll just give one example:
Suppose there is a file called files. I want only three users, USER1, USER2 and USER3, to be able to use it: USER1 can do anything with the file, USER2 can only read it and may not modify it or perform any other operation, and USER3 can read and write to it but cannot delete it. Here is how to do it.
1. Right-click the file and select Properties -> Security.
2. Untick "Allow inheritable permissions from parent to propagate to this object". A dialog box pops up; choose Delete. In other words, Everyone and all the other accounts listed above are removed.
3. Click Add; in the dialog that pops up, select USER1, click Add, then OK.
4. Select USER1 and tick "Allow" next to "Full Control".
5. Add USER2 in the same way.
6. Select USER2, tick "Allow" next to "Read", and clear all the other ticks.
7. Add USER3.
8. Select USER3, tick "Allow" next to "Modify", and make sure "Full Control" is not ticked.
9. Click "Advanced", select USER3 and click "View/Edit". Untick "Allow" next to "Delete" in the list below.
10. Done! ^-^
Now, when logged on as USER1, you have complete control of the file.
Logged on as USER2, you can open the file, but when you try to save it a "Cannot create file, please confirm the path and file name is correct" prompt box appears. This means USER2 cannot save the file now; of course, no other operation is possible either, USER2 can only read the file.
Logged on as USER3, you can open the file and also save it. When you try to delete the file, a "Cannot delete file: Access denied. The source file may be in use" prompt box appears, stating that the file cannot be deleted.
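The ten steps above, performed from PowerShell instead of the Properties dialog (an added example, not from the original article). It assumes a modern Windows system with PowerShell 5.0 or later, local accounts USER1, USER2 and USER3, and a scratch file C:\Test\files.txt on an NTFS volume; change the path to your own test file.

```powershell
using namespace System.Security.AccessControl

# Added example, not part of the original article. Assumes PowerShell 5.0+,
# local accounts USER1, USER2, USER3 and a scratch file on an NTFS volume.
$path = 'C:\Test\files.txt'      # assumed path; change it to your test file
$acl  = Get-Acl -Path $path

function New-AllowRule([string]$Account, [FileSystemRights]$Rights) {
    [FileSystemAccessRule]::new($Account, $Rights, [AccessControlType]::Allow)
}

# Step 2: stop inheriting from the parent folder and discard the inherited
# entries (the "Delete" choice), then purge any explicit entries that remain,
# so Everyone / Full Control is gone before the three users are added.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { $acl.PurgeAccessRules($rule.IdentityReference) }

# Steps 3-4: USER1 may do anything with the file.
$acl.AddAccessRule((New-AllowRule 'USER1' ([FileSystemRights]::FullControl)))
# Steps 5-6: USER2 may only read it.
$acl.AddAccessRule((New-AllowRule 'USER2' ([FileSystemRights]::Read)))
# Steps 7-9: USER3 gets Modify with the Delete bit cleared: read and write, no delete.
$modifyNoDelete = [int][FileSystemRights]::Modify -band (-bnot [int][FileSystemRights]::Delete)
$acl.AddAccessRule((New-AllowRule 'USER3' ([FileSystemRights]$modifyNoDelete)))

# Step 10: write the new DACL back to the file.
Set-Acl -Path $path -AclObject $acl

# Check the result: one entry per account, and IsInherited should be False.
(Get-Acl -Path $path).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
```

Run it from an account that owns the file or has Full Control on it; the final listing should show exactly three entries, with USER3's rights reported as Modify minus Delete.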
Reminder: before you fully understand how permissions work, it's a good idea to create an unused file and experiment on it, which is safer. Otherwise, if an important file gets deleted, don't blame me.
Setting up security on a folder works like the above, but a folder has an extra inheritance option: you can choose whether the permission setting applies only to the folder itself or also to its subfolders and files. Simply tick "Reset permissions on all child objects and enable propagation of inheritable permissions" beforehand.
Key points and difficulties
The problem of multiple NTFS permissions has confused many people; it is laid out and illustrated below.
Note: the following concerns the combination of several NTFS permissions, not the combination of NTFS permissions with share permissions.
1. Accumulation of permissions
A user's effective permissions on a resource are the sum of all permissions assigned to that user account and to the groups the user belongs to. If a user has Read permission on a file and a group the user belongs to has Write permission on it, the user has both Read and Write permissions on the file, for example:
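As an added illustration of this rule (example code written here, not from the original article), the following PowerShell builds an ACL in memory with a Read entry for the current user and a Write entry for the built-in Users group, then sums the entries that match the SIDs in the user's token; it assumes PowerShell 5.0 or later and that the current user is a member of Users, and it also subtracts any Deny entries, which the page has not discussed yet.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Added example, not part of the original article. Assumes PowerShell 5.0+.
# Builds an ACL in memory (no file is touched) with a Read entry for the
# current user and a Write entry for the built-in Users group, then sums the
# entries that apply to the user's token the way point 1 describes.
function Get-AccumulatedRights([FileSecurity]$Acl, [WindowsIdentity]$Identity) {
    # The token carries the user's own SID plus the SID of every group it is in;
    # matching is done on SIDs, not names, which is how WIN2000 identifies accounts.
    $tokenSids = @($Identity.User.Value) + @($Identity.Groups | ForEach-Object { $_.Value })
    $allow = 0; $deny = 0
    foreach ($ace in $Acl.GetAccessRules($true, $true, [SecurityIdentifier])) {
        if ($tokenSids -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.AccessControlType -eq [AccessControlType]::Allow) {
            $allow = $allow -bor [int]$ace.FileSystemRights   # Allow bits add up
        } else {
            $deny = $deny -bor [int]$ace.FileSystemRights     # a Deny bit removes that right
        }
    }
    [FileSystemRights]($allow -band (-bnot $deny))
}

$me  = [WindowsIdentity]::GetCurrent()
$acl = [FileSecurity]::new()
# Constructed entries: the user itself may Read, members of Users may Write.
$acl.AddAccessRule([FileSystemAccessRule]::new($me.User, [FileSystemRights]::Read, [AccessControlType]::Allow))
$users = [SecurityIdentifier]::new([WellKnownSidType]::BuiltinUsersSid, $null)
$acl.AddAccessRule([FileSystemAccessRule]::new($users, [FileSystemRights]::Write, [AccessControlType]::Allow))

# For an account that is a member of Users this reports both Read and Write.
Get-AccumulatedRights -Acl $acl -Identity $me
```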