Windows’ NTFS filesystem applies permissions to files, folders, and other objects (even individual Registry entries).
This gives you control over your PC by specifying which users and groups have access to which files and folders, and what level of access they have.
By way of explanation, open the C:\Users folder to view each individual user’s personal folder. Inside here are their personal directories (Documents, Downloads, and so on), and various other account-specific f les and settings.
Try to open a folder other than your own user directory, and you get an ‘Access Denied’ error. All well and good – except that if you’re running as an administrator, you’re prompted to click ‘Continue’ to be granted access to the folder.
This is not exactly secure. Paranoid users wishing to keep specific files and folders private should investigate a third-party encryption app, such as the open-source Veracrypt, where you create a password-protected ‘file container’, which acts like a virtual drive, inside which you store your most sensitive files.
However, if you’re the only one with access to the Admin account on your PC, and you trust yourself not to abuse that power, then Windows’ NTFS permissions are adequate for basic privacy.
To view a folder or file’s permissions, right-click it, choose ‘Properties’, and switch to the ‘Security’ tab. You need read-only access to the item in order to view its permissions; if this is the case, you’ll see a list of ‘Group or user names’, plus permissions for the selected group or user.
Groups are basically collections of users, and include the following: Administrators, Users, SYSTEM, and Everyone. Anyone who is a standard user is part of the Users group, for example, while Everyone is a group designed to allow you to set universal permissions for every single person who uses your PC.
Permissions consist of various types:
Read, Write, Read & Execute, List Folder Contents (folders only), Modify, and Full Control. Some permissions are a combination of others – for example, Modify allows you to read, write, and delete, so both Read and Write permissions are set to ‘Allow’ if Modify is.
Read & Execute provides you with both read access to a file, plus the ability to execute it – vital for program and script files, for example – and it’s this attribute you can tweak to block individual users’ access to specific programs, as we’ll see shortly.
Finally, Full Control basically gives you carte blanche – read, write, execute, delete, and so on.
One annoyance with Windows is how it bakes support for OneDrive into the operating system, while separating its folders from your user account.
That means you end up with two of all your key user folders. Interestingly, you can merge OneDrive’s folders with those in your user account, making things simpler to manage, but it’s a one-way process – unmerging the two later isn’t an option.
If that doesn’t put you off, browse to your user folder, right-click your Documents folder, and choose ‘Properties > Location tab’. Click ‘Move’, then browse to the corresponding directory inside your OneDrive folder, and click ‘Apply’.
Click ‘Yes’ to move existing files into the new location, then read the warning before clicking ‘Yes’. Repeat for any other system folders you wish to integrate.
One thing to consider – the size of your OneDrive storage. You only get 5GB for free, so unless you’ve paid for additional storage, or have subscribed to Office 365, this may prove to be a non-starter. In that event, make use of Libraries instead.
Windows 10 may have hidden them, but Libraries are still very much a part of it. Open a File Explorer window, switch to the View tab, and click the ‘Navigation pane’ button – check ‘Show libraries’ to put them back in the navigation pane.
From here, select the Libraries view, right-click each Library in turn, and choose ‘Properties’. Click ‘Add…’ to add the corresponding OneDrive folder to that Library, and click ‘Include folder’ followed by ‘OK’.
The folders remain separate, but they’re easier to switch between.
File permissions are a dangerous subject – it’s all too easy to lock yourself out of a file, or even mess up your entire Windows installation, if you screw around with no real thought for the consequences.
So, before you begin, make sure you take full precautions and make a complete Windows drive image, which you can roll back to should the worst happen.
Second, limit yourself to tweaking permissions for non-system files and folders. That means making any of the root folders on drive C off limits – even with programs, you’ll want to limit yourself to a specific sub-folder inside Program Files and Program Files (x86).
Instead, focus on individual user folders, or folders and files you’ve got stored on a data partition or drive.
Third, you don’t necessarily need to be logged on as an administrator to make changes to a file or folder’s permissions. Two types of user can modify permissions – any member of the Administrators group (so your Admin user, for example), and the ‘owner’ of the item in question. Who’s the owner?
Typically, this is the user account that created the file – for example, when you set up and save a new document, the file is assigned to you as owner. Note you can edit permissions using your Admin credentials, without logging onto the account itself.
You’ve reviewed the permissions for your target file and folder, and now you’d like to change them. Click the ‘Edit’ button. You can now select a user or group to view their permissions, plus make changes using the checkboxes underneath ‘Allow’ and ‘Deny’.
If you select certain permissions (say, Read & Execute), then other permissions (Read in our example) may be checked, too.
If you choose to explicitly set a permission type to ‘Deny’, Windows throws up a warning about group permissions, and how this overrides them. What this means is that even if the group a user belongs to has access to that folder or file, choosing ‘Deny’ (rather than leaving both ‘Allow’ and ‘Deny’ boxes unchecked) explicitly tells Windows to ignore the group permission settings for that user.
You’ll also see ‘Add’ and ‘Remove’ buttons – these enable you to select additional users or groups, plus remove existing ones, so they either have no access, or rely on their group permissions to have access.
Click ‘Add’, and you need to type the name of your user, then click ‘Check Names’ to select them before clicking ‘OK’ to set their permissions.
Once done, click ‘Apply’, and Windows starts to set permissions for that item; if you’ve selected a folder, then all the items inside it will be set the same permissions, too.
Don’t panic if you get an ‘Access denied’ error applying security – it means access is restricted to that folder, so the settings remain unchanged. Click ‘Continue’ to carry on.
The unthinkable has happened to your PC – either you have botched your attempts to tweak the permissions for a particular file or folder, or Windows has run into permissions issues all on its own.
So, what can you do to resolve the problem? Start by seeing whether an official Microsoft troubleshooter can help.
This tool attempts to automatically diagnose (and fix) problems that are due to issues with permissions, which means everything from problems emptying the Recycle Bin and moving or renaming files, to keyboard shortcut issues in File Explorer is covered.
Another handy tool that can help resolve – albeit in a rather crude way – permissions-based issues is the Windows Repair Tool.
Download the tool (a portable version is available should you not wish to install it), then switch to the ‘Repairs’ tab.
Click ‘Open Repairs’, uncheck ‘All Repairs’, then examine the first two repairs: one fixes issues with the Registry, while ‘Reset File Permissions’ allows you to attempt fixes on selected drives.
The tool sets things back to their defaults, so your PC remains secure and hopefully fully functional after the repair completes.
It can take some time to complete, so be prepared to wait a while. One final tool to take a look at is NTFS Permissions Tools.
This provides an alternative means of browsing and editing permissions. You’re provided with a File Explorer-like view of your drives, with your access rights and the folder or file’s owner marked.
There are buttons for changing access levels and the owner, plus an Advanced section similar to that found in Windows. Also check out the options available when you right-click a folder, including one that lets you copy and paste permissions settings between items.
Block access to programs
So, how can you use permissions to restrict access to a certain program? Note that the following doesn’t work with certain system-installed programs, such as Internet Explorer, but should work with any applications that you have installed yourself.
First, browse to the program’s executable file (typically inside the Program Files or Program Files (x86) folders). Right-click the file, and choose ‘Properties > Security tab’.
Click ‘Edit’, then click ‘Add’ to select the user you wish to block. Once added, check the ‘Deny’ box next to ‘Read & Execute’, and click ‘OK’. Note the warning, and click ‘OK’ again.
Now when that user opens the program, they’re shown a dialog telling them they can’t access it due to permissions issues. They won’t be able to change or view the file’s permissions unless they have admin access.
You’ll notice an ‘Advanced’ button on the Security tab of a file’s properties. Click this, and you gain the ability to view more information about the permissions assigned to individual users, complete with an ‘Inherited from’ field that shows which folder the permissions were assigned from.
Look out for a button marked ‘Disable inheritance’ – click this to unlink the item from its parent folder. What this means is any permission changes you apply to the parent won’t automatically apply to this file or sub-folder.
When prompted, choose the ‘Convert’ option to apply the parent’s settings to the item before removing the link, or ‘Remove’ to clear them all. The latter option scrubs all existing permissions, blocking all access to the file or folder until new permissions are set by the item’s owner.
Note, however, that nothing happens until you click the ‘Apply’ button – click ‘Cancel’ to make no changes.
You’ll also see a line listing the ‘owner’ of the item in question. From here, you can change ownership to another user or group. You might do this to prevent the original owner – assuming they’re a standard user – from undoing any permission changes you implement.
You might also do this to take back ownership of a file or folder after you’ve either switched to a new user account (perhaps your old account corrupted), or reinstalled Windows in certain circumstances.
Taking the latter as an example, you might reinstall Windows from scratch using a different username and/or password, leaving your data folders on a separate drive or partition.
You then find you’re locked out of these folders because they’re assigned to the old user account. You can regain access to the folder via the ‘Continue’ button while logged on as an administrator, then transfer ownership to your new account.
What you’ll see when you view the item’s permissions is an ‘Account Unknown’ entry with a name like ‘S-1-5-25-12345’. This refers to your previous, redundant account.
Click ‘Advanced’, and you see it’s the owner of the folder, so click ‘Change’ to transfer ownership to your new account, allowing you to set the permissions you need.
And there you have it – everything you need to know about locking down your PC a little bit more. Of course, things can go wrong when messing with permissions.
- Enjoyed this article? Discover how to get the most from your PC and new things to do in Windows Help & Advice. Take advantage of an exclusive offer in our sampler today.
Get daily insight, inspiration and deals in your inbox
Get the hottest deals available in your inbox plus news, reviews, opinion, analysis and more from the TechRadar team.