Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Security descriptor
open-in-new
<h2 id="permissions-in-ntfs">Permissions in NTFS</h2> <p>The following table summarizes NTFS permissions and their roles (in individual rows.) The table exposes the following information:<a class="footnote-ref" id="fnref:9" href="#fn:9"><sup>9</sup></a><a class="footnote-ref" id="fnref:10" href="#fn:10"><sup>10</sup></a><a class="footnote-ref" id="fnref:11" href="#fn:11"><sup>11</sup></a> </p> <ul><li>Permission code: Each access control entry (ACE) specifies its permission with binary code. There are 14 codes (12 in older systems.)</li> <li>Meaning: Each permission code has a meaning, depending on whether it is applied to a file or a folder. For example, code 0x01 on a file indicates the permission to read the file, while on a folder indicates the permission to list the content of the folder. Knowing the meaning alone, however, is useless. An ACE must also specify to whom the permission applies, and whether that permission is granted or denied.</li> <li>Included in: In addition to individual permissions, an ACE can specify special permissions known as "generic access rights." These special permissions are equivalents of a number individual permissions. For example, GENERIC_READ (or GR) is the equivalent of "Read data", "Read attributes", "Read extended attributes", "Read permissions", and "Synchronize". Because it makes sense to ask for these five at the same time, requesting "GENERIC_READ" is more convenient.</li> <li>Alias: The two Windows command-line utilities (<a href="/facts/Icacls/6x6KPPum">icacls</a> and <a href="/facts/Cacls/6x6KPPum">cacls</a>) have their own aliases for these permissions.</li></ul> <table><tbody><tr><th rowspan="2">Permissioncode</th><th colspan="2">Meaning</th><th colspan="5">Included in</th><th colspan="2">Alias</th></tr><tr><th>For files</th><th>For folders</th><th>R<a class="footnote-ref" id="fnref:12" href="#fn:12"><sup>12</sup></a></th><th>E<a class="footnote-ref" id="fnref:13" href="#fn:13"><sup>13</sup></a></th><th>W<a class="footnote-ref" id="fnref:14" href="#fn:14"><sup>14</sup></a></th><th>A<a class="footnote-ref" id="fnref:15" href="#fn:15"><sup>15</sup></a></th><th>M<a class="footnote-ref" id="fnref:16" href="#fn:16"><sup>16</sup></a></th><th>In <a href="/facts/Icacls/6x6KPPum">icacls</a></th><th>In <a href="/facts/Cacls/6x6KPPum">cacls</a></th></tr><tr><td>0x01</td><td>Read data</td><td>List folder contents</td><td>Yes</td><td>Yes</td><td></td><td>Yes</td><td>Yes</td><td>RD</td><td>FILE_READ_DATA</td></tr><tr><td>0x80</td><td colspan="2">Read attributes</td><td>Yes</td><td>Yes</td><td></td><td>Yes</td><td>Yes</td><td>RA</td><td>FILE_READ_ATTRIBUTES</td></tr><tr><td>0x08</td><td colspan="2">Read extended attributes</td><td>Yes</td><td>Yes</td><td></td><td>Yes</td><td>Yes</td><td>REA</td><td>FILE_READ_EA</td></tr><tr><td>0x20</td><td>Execute file</td><td>Traverse folder</td><td></td><td>Yes</td><td></td><td>Yes</td><td>Yes</td><td>X</td><td>FILE_EXECUTE</td></tr><tr><td>0x20000</td><td colspan="2">Read permissions</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td><td>RC</td><td>READ_CONTROL</td></tr><tr><td>0x100000</td><td colspan="2">Synchronize</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td><td>S</td><td>SYNCHRONIZE</td></tr><tr><td>0x02</td><td>Write data</td><td>Create files</td><td></td><td></td><td>Yes</td><td>Yes</td><td>Yes</td><td>WD</td><td>FILE_WRITE_DATA</td></tr><tr><td>0x04</td><td>Append data</td><td>Create folders</td><td></td><td></td><td>Yes</td><td>Yes</td><td>Yes</td><td>AD</td><td>FILE_APPEND_D</td></tr><tr><td>0x100</td><td colspan="2">Write attributes</td><td></td><td></td><td>Yes</td><td>Yes</td><td>Yes</td><td>WA</td><td>FILE_WRITE_ATTRIBUTES</td></tr><tr><td>0x10</td><td colspan="2">Write extended attributes</td><td></td><td></td><td>Yes</td><td>Yes</td><td>Yes</td><td>WEA</td><td>FILE_WRITE_EA</td></tr><tr><td>0x10000</td><td colspan="2">Delete (or rename<a class="footnote-ref" id="fnref:17" href="#fn:17"><sup>17</sup></a>)</td><td></td><td></td><td></td><td>Yes</td><td>Yes</td><td>DE</td><td>DELETE</td></tr><tr><td>0x40000</td><td colspan="2">Change permissions</td><td></td><td></td><td></td><td>Yes</td><td></td><td>WDAC</td><td>WRITE_DAC</td></tr><tr><td>0x80000</td><td colspan="2">Take ownership</td><td></td><td></td><td></td><td>Yes</td><td></td><td>WO</td><td>WRITE_OWNER</td></tr><tr><td>0x40</td><td colspan="2">Delete subfolders and files</td><td></td><td></td><td></td><td>Yes</td><td></td><td>DC</td><td>FILE_DELETE_CHILD</td></tr></tbody></table> <p>Most of these permissions are self-explanatory, except the following: </p> <ol><li>Renaming a file requires the "Delete" permission.<a class="footnote-ref" id="fnref:18" href="#fn:18"><sup>18</sup></a></li> <li>File Explorer doesn't show "Synchronize" and always sets it. Multi-threaded apps like File Explorer and Windows Command Prompt need the "Synchronize" permission to be able to work with files and folders.<a class="footnote-ref" id="fnref:19" href="#fn:19"><sup>19</sup></a></li></ol> <h2 id="footnotes">Footnotes</h2> <h2 id="see-also">See also</h2> <ul><li><a href="/facts/Access_control/08zE5Pz8">Access control § Computer security</a></li> <li><a href="/facts/Information_technology_security_audit/B261JIFY">Information technology security audit</a></li> <li><a href="/facts/Authorization/FYFAkCH2">Authorization</a></li> <li><a href="/facts/Computer_security/7E5dIy7G">Computer security</a></li> <li><a href="/facts/Information_security/horlrCln">Information security</a></li> <li><a href="/facts/Token_(Windows_NT_architecture)/nsfEanhM">Token (Windows NT architecture)</a></li> <li><a href="/facts/Windows_SID/2lHWPTa8">Windows SID</a></li> <li><a href="/facts/SDDL/yPdJ1TAP">SDDL</a></li></ul> <h2 id="external-links">External links</h2> <ul><li><a href="https://ss64.com/nt/cacls.html">CACLS command description on SS64.com</a></li> <li><a href="http://setacl.sourceforge.net/">SetACL SourceForge page</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>"Securable Objects". Microsoft. 2008-04-24. Retrieved 2008-07-16. <a href="https://msdn.microsoft.com/en-us/library/aa379557(VS.85).aspx" target="_blank">https://msdn.microsoft.com/en-us/library/aa379557(VS.85).aspx</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>"What Are Security Descriptors and Access Control Lists?". Microsoft. Archived from the original on 2008-05-05. Retrieved 2008-07-16. <a href="https://web.archive.org/web/20080505125439/http://technet2.microsoft.com/windowsserver/en/library/d4f08d96-f360-451f-bed3-61a60bc2acde1033.mspx?mfr=true" target="_blank">https://web.archive.org/web/20080505125439/http://technet2.microsoft.com/windowsserver/en/library/d4f08d96-f360-451f-bed3-61a60bc2acde1033.mspx?mfr=true</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>"DACLs and ACEs". Microsoft. 2008-04-24. Retrieved 2008-07-16. <a href="https://msdn.microsoft.com/en-us/library/aa446597(VS.85).aspx" target="_blank">https://msdn.microsoft.com/en-us/library/aa446597(VS.85).aspx</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>https://msdn.microsoft.com/en-us/library/bb625957.aspx What is the Windows Integrity Mechanism? <a href="https://msdn.microsoft.com/en-us/library/bb625957.aspx" target="_blank">https://msdn.microsoft.com/en-us/library/bb625957.aspx</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>SubInACL home page <a href="http://www.microsoft.com/downloadS/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en" target="_blank">http://www.microsoft.com/downloadS/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>FILEACL home page Archived 2012-08-29 at the Wayback Machine <a href="http://www.gbordier.com/gbtools/fileacl.asp" target="_blank">http://www.gbordier.com/gbtools/fileacl.asp</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>"FILEACL v3.0.1.6". Microsoft. 2004-03-23. Archived from the original on April 16, 2008. Retrieved 2008-07-25. <a href="https://web.archive.org/web/20080416053942/http://www.microsoft.com/downloads/details.aspx?FamilyID=723F64EA-34F0-4E6D-9A72-004D35DE4E64&displaylang=en" target="_blank">https://web.archive.org/web/20080416053942/http://www.microsoft.com/downloads/details.aspx?FamilyID=723F64EA-34F0-4E6D-9A72-004D35DE4E64&displaylang=en</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> <li id="fn:8"><p>"ACCESS_MASK Data Type". Microsoft. 2008-04-24. Retrieved 2008-07-23. <a href="https://msdn.microsoft.com/en-us/library/aa374892(VS.85).aspx" target="_blank">https://msdn.microsoft.com/en-us/library/aa374892(VS.85).aspx</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li> <li id="fn:9"><p>"How Permissions Work". Microsoft. 2013-06-21. Retrieved 2017-11-24. <a href="https://technet.microsoft.com/en-us/library/cc783530(v=ws.10).aspx" target="_blank">https://technet.microsoft.com/en-us/library/cc783530(v=ws.10).aspx</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></p></li> <li id="fn:10"><p>Richard Civil (8 September 2016). "How IT works NTFS Permissions, Part 2". Microsoft. Retrieved 2017-11-24. <a href="https://technet.microsoft.com/en-us/library/2006.01.howitworksntfs.aspx" target="_blank">https://technet.microsoft.com/en-us/library/2006.01.howitworksntfs.aspx</a> <a href="#fnref:10" class="footnote-back-ref">↩</a></p></li> <li id="fn:11"><p>Richard Civil (30 August 2016). "How IT works NTFS Permissions". Microsoft. Retrieved 2017-11-24. <a href="https://technet.microsoft.com/en-us/library/2005.11.HowITWorksNTFS.aspx" target="_blank">https://technet.microsoft.com/en-us/library/2005.11.HowITWorksNTFS.aspx</a> <a href="#fnref:11" class="footnote-back-ref">↩</a></p></li> <li id="fn:12"><p>GENERIC_READ, known as "Read" in File Explorer <a href="/wiki/File_Explorer" target="_blank">/wiki/File_Explorer</a> <a href="#fnref:12" class="footnote-back-ref">↩</a></p></li> <li id="fn:13"><p>GENERIC_EXECUTE, known as "Read & Execute" in File Explorer <a href="/wiki/File_Explorer" target="_blank">/wiki/File_Explorer</a> <a href="#fnref:13" class="footnote-back-ref">↩</a></p></li> <li id="fn:14"><p>GENERIC_WRITE, known as "Write" in File Explorer <a href="/wiki/File_Explorer" target="_blank">/wiki/File_Explorer</a> <a href="#fnref:14" class="footnote-back-ref">↩</a></p></li> <li id="fn:15"><p>GENERIC_ALL, known as "Full Control" in File Explorer <a href="/wiki/File_Explorer" target="_blank">/wiki/File_Explorer</a> <a href="#fnref:15" class="footnote-back-ref">↩</a></p></li> <li id="fn:16"><p>Known as "Modify" in File Explorer <a href="/wiki/File_Explorer" target="_blank">/wiki/File_Explorer</a> <a href="#fnref:16" class="footnote-back-ref">↩</a></p></li> <li id="fn:17"><p>Chen, Raymond (22 October 2021). "Renaming a file is a multi-step process, only one of which is changing the name of the file". The Old New Thing. Microsoft. Opening with DELETE permission grants permission to rename the file. The required permission is DELETE because the old name is being deleted. <a href="https://devblogs.microsoft.com/oldnewthing/20211022-00/?p=105822" target="_blank">https://devblogs.microsoft.com/oldnewthing/20211022-00/?p=105822</a> <a href="#fnref:17" class="footnote-back-ref">↩</a></p></li> <li id="fn:18"><p>Chen, Raymond (22 October 2021). "Renaming a file is a multi-step process, only one of which is changing the name of the file". The Old New Thing. Microsoft. Opening with DELETE permission grants permission to rename the file. The required permission is DELETE because the old name is being deleted. <a href="https://devblogs.microsoft.com/oldnewthing/20211022-00/?p=105822" target="_blank">https://devblogs.microsoft.com/oldnewthing/20211022-00/?p=105822</a> <a href="#fnref:18" class="footnote-back-ref">↩</a></p></li> <li id="fn:19"><p>Chen, Raymond (18 November 2019). "I set the same ACL with the GUI and with icacls, yet the results are different". The Old New Thing. Microsoft. <a href="https://devblogs.microsoft.com/oldnewthing/20191118-00/?p=103110" target="_blank">https://devblogs.microsoft.com/oldnewthing/20191118-00/?p=103110</a> <a href="#fnref:19" class="footnote-back-ref">↩</a></p></li> </ol>