Windows 10 permissions are relatively straightforward and very similar to previous versions, but there are a few important things to keep in mind.
In Windows 10, IT uses permissions to control access to resources and operating system settings. Although companies commonly grant permissions to Active Directory (AD) accounts, domain membership is not an absolute requirement. Windows 10 supports three different types of accounts -- local accounts, Microsoft accounts and Active Directory accounts -- and assigns permissions to any of these types. Being able to assign permissions to account types other than AD is useful for securing devices that are not domain joined.
Windows 10 permissions role call
In Windows 10, a user's role determines operating system-level permissions. IT can classify a Windows 10 user as either an administrator, meaning the user is a device administrator, or a standard user, meaning the user does not have administrative privileges for the device.
A standard user is allowed to manage her own account and access her own data. A standard user can generally change the password, change the desktop theme and settings and access the files stored in her personal folders -- Documents, Downloads, Pictures and so on -- and public folders.
An administrator can create, change and delete user accounts. An administrator is also able to modify operating system settings that affect all users on the device, including security settings. In addition, administrators can install and remove apps, access data that is stored in other users' folders and have full access to system files.
It is tempting to think of standard users and administrators in terms of local accounts, but remember that Windows 10 also supports the use of Active Directory and Microsoft accounts. As such, IT could designate a device administrator regardless of whether the user signs in with a local, Active Directory or Microsoft account, depending on how the device is configured.
Don't let the permissions slip
Windows 10 also uses permissions to control access to the file system through the use of Access Control Lists (ACLs). IT can access a folder's ACL by right-clicking the folder, choosing the Properties command from the shortcut menu, and selecting the Security tab. The upper portion shows the users or groups that have been added to the ACL. The lower portion displays the permissions that apply to the user or group that is currently selected (Figure A).
IT must also be aware of inheritance. Files and folders inherit the permissions of their parent folder. Figure A shows a number of groups to which IT granted access to the folder, all of which were inherited, not explicitly assigned. If IT selects one of the listed groups and clicks the Edit button, some of the permissions are greyed out, because those permissions are inherited rather than explicitly assigned (Figure B).
It is possible to block permissions from being inherited. The Advanced button in the Security tab causes Windows to display a dialog box which contains a Disable Inheritance button (Figure C). Avoid disabling inheritance unless there is a compelling reason to do so.
Another best practice is to assign Windows 10 permissions to groups, not users. Doing so makes management much easier because IT never has to worry about managing granular permissions for individual users. Users inherit the permissions of the groups to which they belong.
When permissions collide
It is possible for a user to receive contradictory Windows 10 permissions. Windows solves contradictions by combining ACLs. Suppose that a user is a member of two different groups, both with access to a particular folder. If one group gave the user read access to the folder, and the other group gave the user read and write access, the permissions combine, resulting in an effective permission of read and write.
Keep in mind that an explicit denial overrides any granted permission. If a user is a member of one group that has read access to a folder, and another group that IT explicitly denied read access, then when the permissions are combined the resulting permission will deny access.
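The conditions described above (disabled inheritance, explicitly assigned entries and Deny entries) can be audited across a folder tree from PowerShell. The script below is an added example, not part of the original article; the path in `$Root` and the function name `Get-FolderAclEntry` are hypothetical.

```powershell
# Added example: report ACL conditions worth reviewing under one folder tree.
$Root = 'C:\Data\Projects'   # hypothetical path, replace with the folder to audit

function Get-FolderAclEntry {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL for $Path"
        return
    }
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Path               = $Path
            InheritanceBlocked = $acl.AreAccessRulesProtected  # True when inheritance is disabled
            Identity           = $ace.IdentityReference.Value
            Type               = $ace.AccessControlType        # Allow or Deny
            Rights             = $ace.FileSystemRights
            Inherited          = $ace.IsInherited              # False = explicitly assigned
        }
    }
}

# Include the root folder itself plus every subfolder beneath it.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
$entries = $folders | ForEach-Object { Get-FolderAclEntry -Path $_.FullName }

'Folders with inheritance disabled:'
$entries | Where-Object InheritanceBlocked |
    Select-Object -ExpandProperty Path -Unique

'Explicitly assigned entries (check for individual users where a group should be used):'
$entries | Where-Object { -not $_.Inherited } |
    Format-Table Path, Identity, Type, Rights -AutoSize

'Deny entries (these override access granted through other groups):'
$entries | Where-Object { $_.Type -eq 'Deny' } |
    Format-Table Path, Identity, Rights, Inherited -AutoSize
```

Run it from an account that can read the ACLs in question; folders it cannot read are reported as warnings rather than silently skipped.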