Full Read & Write Access Required:
- Data folder [usually on a server]
- Ideally entire C: drive [where Reporter is installed]
- Barest minimum – Program Folder
- User’s own Temp folder (shared folder if multiple users per comuter)
File Attributes Windows 98
Win98’s View – Details view can be set to display file attributes, such as whether or not a file is read-only, ‘hidden,’ a system file, or a file with the attribute bit set. To enable this feature, click on a folder, choosing “View” and then “Folder Options.” On the multi-tabbed dialog box that appears, click the “View” tab. Check “Show file attributes in Detail View” and press “OK.”
- Choose the file first
- View | Details view
- View | Folder Options | View tab | Show file attributes in Detail View
- OK
File Attributes XP Home Edition
Locate the file or folder for which you want to set. You can see the Choose Details… menu only while in Windows Explorer, not within My Computer.
- Choose Details | check Attributes.
File Attributes XP Pro
Locate the file or folder for which you want to set. You can see the Choose Details… menu only while in Windows Explorer, not within My Computer.
In Windows Explorer or My Computer:
- Choose Details | check Attributes.
To set, view, change, or remove special permissions for files and folders
- Open Windows Explorer, and then locate the file or folder for which you want to set special permissions.
- Right-click the file or folder
- click Properties
- click the Security tab.
- Click Advanced, and then do one of the following:
| To | Do This |
|---|---|
| Set special permissions for an additional group or user | - Click Add. - In Name, type the name of the user or group - then click OK. |
| View or change special permissions for an existing group or user | Click the name of the group or user and then click Edit. |
| Remove an existing group or user and its special permissions | Click the name of the group or user and then click Remove. If the Remove button is unavailable - Clear the Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here check box - click Remove, - and skip the next two steps. |
- In the Permissions box, select or clear the appropriate Allow or Deny check box.
- In Apply onto, select the folders or subfolders you would like these permissions to be applied to.
- To configure security so that the subfolders and files will not inherit these permissions, clear the Apply these permissions to objects and/or containers within this container only check box.
- Click OK and then, in Advanced Security Settings for FolderName, click OK.
- If you select the Replace permission entries on all child objects with entries shown here that apply to child objects. Include these with entries explicitly defined herecheck box, then all subfolders and files will have all their permission entries reset to be identical with the parent object. Once you have clicked Apply or OK, you cannot undo this operation by clearing the check box.
Important
- If you are not joined to a domain and want to view the Security tab, see To display the Security tab.
Notes
- To open Windows Explorer, click Start, point to All Programs, point to Accessories, and then click Windows Explorer.
- The Everyone group no longer includes the Anonymous Logon permission.
- If you select the Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here check box, then this file or folder will inherit permission entries from the parent object.
- You can set permissions only on drives formatted to use NTFS.
- If the check boxes under Permissions are shaded, the permissions are inherited from the parent folder.
- To change permissions, you must be the owner or have been granted permission to do so by the owner.
- Groups or users that have been granted Full Control for a folder can delete files and subfolders within that folder, regardless of the permissions protecting the files and subfolders.
For more information about permissions on other objects, see Permissions.
To display the Security tab:
- Open Folder Options in Control Panel.
- Click Start, and then click Control Panel.
- Double-click Folder Options.
- On the View tab, under Advanced settings,
- clear Use simple file sharing [Recommended].
To Assign User Rights
To assign user rights for your local computer,
add workstations to domain, etc.:
- Open Local Security Settings
- click Start
- click Control Panel
- double-click Administrative Tools
- double-click Local Security Policy.
- In the console tree…
- Security Settings | Local Policies | User Rights Assignments
- In the details pane, double-click the user right you want to change.
- Or select the item, UserRightsAssignments Properties, click Add.
- [right-click file or use Properties button]
Add the user or group and click OK.
Best practices
Permissions
- Assign permissions to groups rather than to users.
- Because it is inefficient to maintain user accounts directly, assigning permissions on a user basis should be the exception.
- Set permission to be inheritable to child objects.
- Assign Full control, if appropriate, rather than individual permissions.
- Deny should be used for these special cases.
- Use Deny permissions to exclude a subset of a group which has Allowed permissions.
- Use Deny to exclude one special permission when you have already granted full control to a user or group.
User rights
- Assign rights as high in the container tree as possible. By doing this, you gain the greatest breadth of effect with the least effort.
- The rights you establish should be adequate for the majority of the security principals.
- Apply inheritance to propagate rights through the tree. You can quickly and effectively apply access control settings to all children or a subtree of a parent object.
- Administrators should use an account with restrictive permissions to perform routine, nonadministrative tasks, and use an account with broader permissions only when performing specific administrative tasks.
- To accomplish this without logging off and back on, log on with a regular user account and use the Runas command to run the tools that require the broader permissions.
Use the runas command to start programs as an administrator
Runas
Allows a user to run specific tools and programs with different permissions than the user’s current logon provides.
Syntax
runas [{/profile|/noprofile}] [/env] [/netonly] [/smartcard] [/showtrustlevels] [/trustlevel] /user:UserAccountName program
Parameters
- /profile
- Loads the user’s profile. /profile is the default.
- /no profile
- Specifies that the user’s profile is not to be loaded. This allows the application to load more quickly, but it can also cause a malfunction in some applications.
- /env
- Specifies that the current network environment be used instead of the user’s local environment.
- /netonly
- Indicates that the user information specified is for remote access only.
- /smartcard
- Indicates whether the credentials are to be supplied from a smartcard.
- /showtrustlevels
- Lists the /trustlevel options.
- /trustlevel
- Specifies the level of authorization at which the application is to run. Use/showtrustlevels to see the trust levels available.
- /user:UserAccountName
- Specifies the name of the user account under which to run the program. The user account format should be user@domain or Domain\User.
- program
- Specifies the program or command to run using the account specified in /user.
- /?
- Displays help at the command prompt.
Remarks
- It is good practice for administrators to use an account with restrictive permissions to perform routine, nonadministrative tasks, and to use an account with broader permissions only when performing specific administrative tasks. To accomplish this without logging off and back on, log on with a regular user account, and then use the runas command to run the tools that require the broader permissions.
- For examples of the use of the runas command, see Related Topics.
- The use of runas is not restricted to administrator accounts, although that is the most common use. Any user with multiple accounts can use runas to run a program, MMC console, or Control Panel item with alternate credentials.
- If you want to use the Administrator account on your computer, for the /user: parameter, type one of the following:/user:AdministratorAccountName@ComputerName/user:ComputerName\AdministratorAccountName
- If you want to use this command as a domain administrator, type one of the following:/user:AdministratorAccountName@DomainName/user:DomainName\AdministratorAccountName
- With the runas command, you can run programs (*.exe), saved MMC consoles (*.msc), shortcuts to programs and saved MMC consoles, and Control Panel items. You can run them as an administrator while you are logged on to your computer as a member of another group, such as the Users or Power Users group.
- You can use the runas command start any program, MMC console, or Control Panel item. As long as you provide the appropriate user account and password information, the user account has the ability to log on to the computer, and the program, MMC console, or Control Panel item is available on the system and to the user account.
- With the runas command, you can administer a server in another forest (the computer from which you run a tool and the server you administer are in different domains).
- If you try to start a program, MMC console, or Control Panel item from a network location using runas, it might fail because the credentials used to connect to the network share are different from the credentials used to start the program. The latter credentials may not be able to gain access to the same network share.
- Some items, such as the Printers folder and desktop items, are opened indirectly and cannot be started with the runas command.
- If the runas command fails, the Secondary Logon service might not be running or the user account you are using might not be valid. To check the status of the Secondary Logon service, in Computer Management, click Services and Applications, and then clickServices. To test the user account, try logging on to the appropriate domain using the account.
Examples
To start an instance of the command prompt as an administrator on the local computer, type:
runas /user:localmachinename\administrator cmd
When prompted, type the administrator password.
To start an instance of the Computer Management snap-in using a domain administrator account called companydomain\domainadmin, type:
runas /user:companydomain\domainadmin “mmc %windir%\system32\compmgmt.msc”
When prompted, type the account password.
To start an instance of Notepad using a domain administrator account called user in a domain called domain.microsoft.com, type:
runas /user:user@domain.microsoft.com “notepad my_file.txt”
When prompted, type the account password.
To start an instance of a command prompt window, saved MMC console, Control Panel item, or program that will administer a server in another forest, type:
runas /netonly /user:domain\username “command”
domain\username must be a user with sufficient permissions to administer the server. When prompted, type the account password.
Formatting Legend
| Format | Meaning |
|---|---|
| Italic | Information that the user must supply |
| Bold | Elements that the user must type exactly as shown |
| Ellipsis (...) | Parameter that can be repeated several times in a command line |
| Between brackets ([]) | Optional items |
| Between braces ({}); choices separated by pipe (|). Example: {even|odd} | Set of choices from which the user must choose only one |
| Courier font | Code or program output |