Windows Storage

NTFS permissions basics

Practical Windows guide: NTFS permissions basics without the usual guesswork.

10 min read Beginner Updated 9 Jun 2026

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

What you will achieve

Read and set basic NTFS permissions on files and folders — understanding inherited permissions, Modify vs Full Control, and effective access.

1) Open the Security tab

  1. Right-click a file or folder → Properties → Security.
  2. The top list shows groups and users with access; the bottom pane shows permissions for the selected entry.
  3. Click Advanced to see inheritance, owner, and effective access.

2) Common permission levels

  1. Full control — read, write, delete, change permissions (use sparingly).
  2. Modify — read, write, delete files but not change ACLs.
  3. Read & execute — view and run files (typical for shared apps).
  4. Write — create and modify files only.

3) Inheritance

  1. Child folders usually inherit permissions from the parent — shown as greyed inherited entries in Advanced Security Settings.
  2. Disable inheritance only when you need a unique ACL — click Disable inheritance and choose convert or remove inherited permissions.

4) Check effective access (troubleshooting)

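  1. In Advanced Security → Effective Access tab → Select a user → View effective access.
  2. Or list the ACL entries with icacls from Command Prompt (this shows what is granted on each item; it does not compute effective access for a user):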
icacls "D:\Shared" /T

5) Take ownership (when locked out)

  1. Advanced Security → Owner → change to Administrators group → apply to subcontainers.
  2. Then grant yourself Full control, fix the ACL, and revert the owner to SYSTEM if it is a system folder.

6) Share permissions vs NTFS

  1. Effective access is the most restrictive of the share and NTFS permissions. Set NTFS permissions on server folders; share permissions are often left at Everyone Read for simplicity on small LANs.

7) Reset permissions to default

icacls "C:\Users\Public" /reset /T /C

Use documented defaults only — blind reset on system folders breaks Windows.

8) Disable inheritance example

  1. Break inheritance on confidential folder → copy existing → remove Users group → leave Finance group Modify.
  2. Document ACL changes — unexplained deny rules lock out admins later.
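
The confidential-folder change above, with an ACL snapshot taken first, as an added PowerShell example (not part of the original guide). The folder path and the Finance group name are assumptions; run it from Terminal (Admin).

```powershell
# Added example. $Folder and $Group are hypothetical values, not from the guide.
$Folder   = 'D:\Shared\Confidential'   # assumed folder
$Group    = 'Finance'                  # assumed group name
$UsersSid = 'S-1-5-32-545'             # well-known SID of BUILTIN\Users
$Before   = Join-Path $env:TEMP 'confidential-acl-before.txt'

function Invoke-Icacls {
    # Run icacls and stop on the first failure so a half-applied ACL is noticed.
    icacls @args
    if ($LASTEXITCODE -ne 0) { throw "icacls failed: $($args -join ' ')" }
}

# 1. Record the current ACLs (folder and children) before touching anything.
Invoke-Icacls $Folder '/save' $Before '/T' '/C'

# 2. Disable inheritance and copy the inherited entries as explicit ones.
Invoke-Icacls $Folder '/inheritance:d'

# 3. Remove every grant for the Users group (by SID, so it works on any locale).
Invoke-Icacls $Folder '/remove:g' "*$UsersSid"

# 4. Make sure the group has Modify, inherited by subfolders (CI) and files (OI).
Invoke-Icacls $Folder '/grant' "${Group}:(OI)(CI)M"

# 5. Verify: inheritance is off and no Users entry is left on the folder.
$acl   = Get-Acl -LiteralPath $Folder
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
if (-not $acl.AreAccessRulesProtected) { throw 'Inheritance is still enabled.' }
if ($rules | Where-Object { $_.IdentityReference.Value -eq $UsersSid }) {
    throw 'A Users entry is still present.'
}

# 6. Print the resulting entries for the change record.
$acl.Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

Check the printed table for any other broad group, such as Authenticated Users, that was copied from the parent when inheritance was disabled. Keep the saved file with your change notes.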

Verification checklist

As a test user, attempt to open a folder that should be denied; it should fail. As an authorised group member, the same path should succeed. Log effective access before making ACL changes in production.

  1. Reboot once after changes that affect services, drivers, or firmware.
  2. Confirm the original problem is resolved under normal daily use, not only immediately after the fix.
  3. Note date, Windows version (Settings → System → About), and what changed in your personal runbook for next time.

Quick reference paths

  • icacls
  • File Properties → Security
  • Advanced Security Settings
  • Admin tools: press Win + X for Terminal (Admin), Device Manager, and Computer Management.

On shared family PCs, avoid deny rules unless necessary — explicit deny overrides allow and confuses troubleshooting for non-admin users.
