The way to control access to your files and directories on H: is through permissions. Each user can modify them for his or her own files, as shown below.
Note: These instructions apply specifically to permissions on H: as accessed from one of the collaboratory machines, which are running Windows XP Professional, and the login nodes, which are running Windows 2003.
Table of Contents
- Viewing and Understanding Your Permissions
- Default Permissions
- Modifying Permissions: Graphical Interface
- Modifying Permissions: Command Line
To view your permissions using the graphical interface, open My Computer, navigate to H: and then Users. Right-click on your user folder and choose Properties. Click on the Security tab. There should be at least 2 entries: for your userid and Domain Admins. There may also be an entry for Domain Users or Consultants. An example of the permissions for id sverdlik follows.
Explanation of terms:
Name:
- Domain Admins: The systems staff
- Domain Users: Everyone who can use CTC machines
Permissions:
- Full Control: You can do anything, including changing permissions.
- Modify
- Write: When taken together, {Modify, Write} allow you to edit existing files and create new ones.
- Read & Execute
- List Folder Contents
- Read: When taken together, {Read & Execute, List Folder Contents, Read} provide read access to files.
Default Permissions
When a new account is set up at CTC, the current default permissions are applied. Over time, the default settings have evolved. Therefore, your settings may be different from those shown here.
Current default permissions:
Owner: Full Control
Domain Admins: Full Control
Consultants: {Read & Execute, List Folder Contents, Read}, so that the CTC Consulting Staff can help with any problems that arise.
No longer a default:
Domain Users: {Read & Execute, List Folder Contents, Read}. This is the group of all users who have ids in the CTC_ITH domain. In general, consider this to be all users of CTC machines. The current default is to have no setting for Domain Users, meaning that this group is not permitted any kind of access to files, but this has not always been the case.
Modifying Permissions: Graphical Interface
To control permissions using the graphical interface, start by following the instructions shown above on viewing permissions to reach the Security tab on the Properties page.
- Here are some considerations to note before making changes.
- Never remove the permissions on your login id. If you do, you will no longer have access to the files in your home directory. It will take a systems administrator to restore your account.
- Leave the settings alone for Domain Admins. These are set so that the staff can maintain the system.
- Consultants have read and list folder access, so that the CTC Consulting Staff can help with any problems that arise.
- Domain Users refers to all users in the Theory Center Domain.
- If you want to remove permissions for Domain Users
- First click on Advanced.
- Then uncheck the box at the bottom, "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here". You need to uncheck this box in order to change permissions on the folder.
- A dialog box will come up. Click on Copy.
- Highlight Domain Users and click on Remove.
- The number of files in your directory affects how long the change takes. It could be some number of minutes. If you have many tens of thousands of files or more, it may be considerably longer. This is because the changes are applied one file at a time.
- If you are working within the Permissions box, there are 2 column headings, Allow and Deny. To avoid potential problems, do not use the Deny column. For example, if you Deny write access for Domain Users, you will also deny yourself write access, because your own id is a member of Domain Users and a Deny entry takes precedence over an Allow entry.
- Suppose that you would like to add permissions for a user or group that is not already in the permissions list.
- Do this from the Security tab, not from Advanced Security Settings.
- Click Add.

- In the box under "Enter the object names to select", specify the name of the user or group.
- Click OK.
- Using id sverdlik, suppose that permissions have been added for Consultants. The security tab will now look like

Modifying Permissions: Command Line
- The cacls (change access control lists) command is used to change permissions from the command line.
- The /E flag edits the settings. Always use the /E flag to change ACLs. Otherwise you will be resetting the access controls from scratch and are likely to get unexpected and undesired results. If you do not use /E and lose access to your files, a systems administrator will have to restore access to the files in your account.
- The /T flag changes ACLs of the specified files in the current directory and all subdirectories.
- Help about cacls is available by issuing help cacls or cacls /?.
- The examples that follow give the commands as they would appear when issued for user sverdlik, thus the command prompt H:\Users\sverdlik>.
- To display the ACLs for the file or directory programs, issue the command
H:\Users\sverdlik>cacls programs
- To remove (/R) access to all files and directories for Domain Users, issue the following command in your home directory.
H:\Users\sverdlik>cacls * /E /T /R "Domain Users"
- To grant (/G) read access to all files and directories, from the current directory (tools) down, for Domain Users,
H:\Users\sverdlik\tools>cacls * /E /T /G "Domain Users":R
- To grant read access to directory public for user xxx,
H:\Users\sverdlik>cacls public /E /G xxx:R
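The removal of Domain Users shown above, wrapped in a before-and-after check, as an added example that is not part of the original page: it saves the cacls listing, revokes the group with /E /T /R, then reads the ACLs back to confirm that the group is gone and that your own id is still listed. The log file names, the use of %TEMP% and %USERNAME%, and the exit codes are assumptions of this example.

```bat
@echo off
rem Added example, not from the original page.
rem Assumptions: run from your home directory on H:, and %TEMP% is writable.
setlocal
set "GROUP=Domain Users"
set "BEFORE=%TEMP%\acl-before.txt"
set "AFTER=%TEMP%\acl-after.txt"

rem 1. Record the current ACLs as a reference before changing anything.
cacls * /T > "%BEFORE%"

rem 2. Refuse to continue if your own id is not listed in the ACLs.
findstr /I /C:"%USERNAME%:" "%BEFORE%" > nul
if errorlevel 1 goto noself

rem 3. /E edits the existing ACLs instead of replacing them, /T recurses,
rem    /R revokes every entry for the group.
cacls * /E /T /R "%GROUP%"

rem 4. Read the ACLs back and check the result.
cacls * /T > "%AFTER%"
findstr /I /C:"%GROUP%:" "%AFTER%" > nul
if not errorlevel 1 goto remains
findstr /I /C:"%USERNAME%:" "%AFTER%" > nul
if errorlevel 1 goto noself

echo Entries for "%GROUP%" removed. Listings saved in "%TEMP%".
exit /b 0

:remains
echo Entries for "%GROUP%" are still present. Review "%AFTER%".
exit /b 2

:noself
echo No ACL entry found for %USERNAME%. Stop and contact a consultant.
exit /b 1
```

If the script reports that entries are still present, compare the two saved listings to see which files or directories kept an entry for the group.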
If you encounter any problems or have any questions, please write to
consult@tc.cornell.edu or call 607-254-8686 to speak with a consultant.