DOCUMENT:Q102339  11-AUG-1993  [W_NTAS]
TITLE   :INF: Permissions Comparison--NT AS vs. LAN Manager
PRODUCT :Microsoft Windows NT Advanced Server
PROD/VER:3.10
OPER/SYS:WINDOWS
KEYWORDS:

--------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Advanced Server version 3.1
--------------------------------------------------------------------

SUMMARY
=======

This article discusses how file, directory, and printing permissions
compare between Windows NT Advanced Server and LAN Manager version 2.x.

MORE INFORMATION
================

File and Directory Permissions
------------------------------

On a LAN Manager for OS/2 system, you can control access to all files
and directories under the FAT, HPFS, or HPFS386 file systems.

On a Windows NT system, you can control users' access to directories
and files on drives formatted to use the Windows NT file system (NTFS).
Drives formatted to use FAT and HPFS do not support Windows NT
security. You can, however, secure Windows NT shared directories no
matter what file system is in use.

The standard permissions for files and directories and their meanings
are shown in the following tables, along with the individual
permissions each standard permission represents.

LAN Manager             NTFS                  Description
------------------------------------------------------------------------------
R                       Read (RX)             User can read the contents of
                                              the file and run it if it is an
                                              application.

W (Write)               Change (RWXD)         Lets the user open and write to
                                              a file, changing its contents.
                                              Windows NT allows deletion of
                                              the file.

D (Delete)              N/A                   Lets the user delete files.

X (Execute)             N/A                   Lets the user run a program, but
                                              not read or copy it.

A (Change Attributes)   N/A                   Lets the user change file
                                              attributes.

P (Change Permissions)  N/A                   Lets the user grant permissions
                                              for the file to other users.

Y (Yes)                 Full Control (All)    For LAN Manager, serves as a
                                              shortcut to RWCDA permissions.
                                              When you give a user Y
                                              permission, you are granting
                                              RWCDA permissions. For Windows
                                              NT, enables user to read,
                                              modify, delete, set permissions
                                              for, and take ownership of the
                                              file.

N (No)                  No Access             Prevents a user from using the
                                              file or directory in any way,
                                              even if the user is a member of
                                              a group that has been granted
                                              access to the file.

On LAN Manager, Y access given to a user overrides N access given to a
group. On Windows NT, deny access takes precedence. For example, if a
user has Full Control access for a file, but is a member of a group
that has No Access for the same file, access is denied.

In the second column of the following table (for NTFS directory
permissions), the first set of individual permissions applies to the
directory itself, and the second set of individual permissions applies
to new files subsequently created in the directory.

Directory Permissions
---------------------

LAN Manager             NTFS                  Description
------------------------------------------------------------------------------
R (Read)                Read                  User can read files in the
                        (RX)(RX)              directory and run applications
                                              in the directory.

W (Write)               Change                User can read and add files and
                        (RWXD)(RWXD)          change the contents of current
                                              files.

C (Create)              Add                   A user with C permission can
                        (WX) (Not Specified)  create a file and after creating
                                              it, can read from or write to
                                              the file until closing it.

                        Add & Read            Add enables a Windows NT user to
                        (RWX) (RX)            add files to the directory but
                                              not to read the contents of
                                              current files or change them.
                                              Add & Read enables a user to add
                                              files to the directory and read
                                              current files, but not to change
                                              any files.

D (Delete)              N/A                   Users can delete files and
                                              subdirectories within the shared
                                              directory but cannot delete the
                                              shared directory itself.

X (Execute)             N/A                   Lets the user run a program in
                                              the directory, but not read it
                                              or copy it.

A (Change Attributes)   N/A                   Lets the user change the
                                              attributes of files in the
                                              directory.

P (Change Permissions)  N/A                   The user can change the
                                              permissions for the directory or
                                              files in the directory.

Y (Yes)                 Full Control          For LAN Manager, serves as
                        (All)(All)            shortcut to RWCDA permissions.
                                              When you give a user Y
                                              permission, you are granting
                                              RWCDA permissions. User can read
                                              and change files, add new ones,
                                              change permissions for the
                                              directory and its files, and
                                              take ownership of the directory
                                              and its files.

N (No)                  No Access             Prevents a user from using the
                        (None)(None)          file or directory in any way.
                                              Usually, you can prevent a user
                                              from accessing a file or
                                              directory simply by not giving
                                              the user any permissions to it;
                                              however, you must use N
                                              permission to prevent a specific
                                              user from accessing a file while
                                              granting access to the file or
                                              directory to a group the user
                                              belongs to. For Windows NT,
                                              users cannot access the
                                              directory in any way, even if
                                              they have Full Control access
                                              through membership in a group.

N/A                     List                  User can only list the files and
                        (RX) (Not Specified)  subdirectories in this directory
                                              and change to a subdirectory of
                                              this directory. User cannot
                                              access new files created in this
                                              directory.

NOTE: Permissions on shared Windows NT directories that are not NTFS
are identical. Note that if a directory is both shared and on an NTFS
volume, permissions are cumulative over the network.

Printer Permissions
-------------------

LAN Manager               Windows NT
Printer                   Printer             Descriptions/
Queue                     Permissions         Differences
------------------------------------------------------------------------------
Y (Yes)                   Print               Users can send jobs to the
                                              printer queue.

N (No)                    No Access           Prevents a user from accessing
                                              the printer queue.

Y+P                       Full Control        Users can send jobs to and set
(Yes+Change Permissions)                      access permissions for the
                                              printer queue. Users can print
                                              documents, change print
                                              settings, and completely manage
                                              documents and printers.

N/A                       Manage Documents    Users can pause, resume,
                                              restart, delete, and control
                                              settings for documents.
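
The precedence rule stated under File and Directory Permissions (a user's
Y overrides a group's N on LAN Manager; No Access takes precedence on
Windows NT) can be modeled as follows. This is an added example, not
Microsoft code; the account names, the sample ACLs, and the handling of
cases the article does not cover are assumptions marked in the comments.

```python
# Added illustration: a simplified model of the precedence rules the article
# states. Names (alice, temps, staff) and ACLs are constructed sample data.

# Standard NTFS file permissions and the individual permissions they stand
# for, per the file table; "All" is written out as RWXDPO.
NT_STANDARD = {"Read": "RX", "Change": "RWXD", "Full Control": "RWXDPO"}
NO_ACCESS = "No Access"

def lanman_effective(user, groups, acl):
    """LAN Manager: an entry for the user overrides entries for groups.

    Assumption (not stated in the article): with no user entry, the
    grants of the user's groups are combined and a group N adds nothing.
    """
    def expand(perm):
        if perm == "N":
            return set()
        return set("RWCDA") if perm == "Y" else set(perm)

    if user in acl:
        return expand(acl[user])
    rights = set()
    for group in groups:
        rights |= expand(acl.get(group, "N"))
    return rights

def nt_effective(user, groups, acl):
    """Windows NT: No Access on the user or any group takes precedence;
    otherwise grants are treated as cumulative (assumption)."""
    entries = [acl[name] for name in (user, *groups) if name in acl]
    if NO_ACCESS in entries:
        return set()
    rights = set()
    for entry in entries:
        rights |= set(NT_STANDARD[entry])
    return rights

def shadowed_grants(acl, membership):
    """Users holding an explicit NT grant that a group No Access cancels."""
    return sorted(
        user for user, groups in membership.items()
        if acl.get(user, NO_ACCESS) != NO_ACCESS
        and any(acl.get(g) == NO_ACCESS for g in groups)
    )

MEMBERSHIP = {"alice": ["temps"], "bob": ["staff"]}
LM_ACL = {"alice": "Y", "temps": "N", "staff": "R"}
NT_ACL = {"alice": "Full Control", "temps": NO_ACCESS, "staff": "Read"}
```

With this sample data, alice keeps RWCDA under the LAN Manager rule but has
no access under the Windows NT rule, and shadowed_grants reports her as an
account whose explicit grant is cancelled by a group entry.
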

Additional reference words: 3.10 security ntas
KBCategory:
KBSubCategory: ntadsrv scrty

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 1993.