Take a close-up look at Windows 10 permissions settings

Windows 10 permissions role call

In Windows 10, a user's role determines operating level permissions. IT can classify a Windows 10 user as an administrator -- the user is a device administrator, or a standard user -- the user does not have administrative privileges for the device.

It is possible for a user to receive contradictory Windows 10 permissions.

A standard user is allowed to manage her own account and access her own data. A standard user can generally change the password, change the desktop theme and settings and access the files stored in her personal folders -- Documents, Downloads, Pictures and so on -- and public folders.

An administrator can create, change and delete user accounts. An administrator is also able to modify operating system settings that affect all users on the device, including security settings. In addition, administrators can install and remove apps, and access data that is stored in other user's folders and have full access to system files.

It is tempting to think of standard users and administrators in terms of local accounts, but remember that Windows 10 also supports the use of Active Directory and Microsoft accounts. As such, IT could designate a device administrator regardless of whether the user signs in with a local, Active Directory or Microsoft account, depending on how the device is configured.

Don't let the permissions slip

Windows 10 also uses permissions to control access to the file system through the use of Access Control Lists (ACLs). IT can access a folder's ACL by right clicking on the folder, choosing the Properties command from the shortcut menu, and selecting the Security tab. The upper portion shows the users or groups that have been added to the ACL. The lower portion displays the permissions that apply to the user or group that is currently selected (Figure A).

IT must also be aware of inheritance. Files and folders inherit the permissions of their parent folder. Figure A shows a number of groups to which IT granted access to the folder, which were all inherited, not explicitly assigned. If IT selects one of the groups that are listed, and clicks the Edit button, some of the permissions are greyed out, because permissions are inherited rather than dynamically assigned (Figure B).

It is possible to block permissions from being inherited. The Advanced button in the Security tab causes Windows to display a dialog box which contains a Disable Inheritance button (Figure C). Avoid disabling inheritance unless there is a compelling reason to do so.

Another best practice is to assign Windows 10 permissions to groups, not users. Doing so makes management much easier because IT never has to worry about managing granular permissions for individual users. Users inherit the permissions of the groups to which they belong.

When permissions collide

It is possible for a user to receive contradictory Windows 10 permissions. Windows solves contradictions by combining ACLs. Suppose that a user is a member of two different groups, both with access to a particular folder. If one group gave the user read access to the folder, and the other group gave the user read and write access, the permissions combine, resulting in an effective permission of read and write.

Keep in mind that an explicit denial overrides any granted permission. If a user is a member of one group that has read access to a folder, and another group that IT explicitly denied read access, then when the permissions are combined the resulting permission will deny access.