Take a close-up look at Windows 10 permissions settings

With all the new updates and features, Windows 10 can appear daunting. To simplify the transition, break down and tailor the permissions in Windows 10 to users' specific needs.

Windows 10 permissions are relatively straightforward and very similar to previous versions, but there are a few important things to keep in mind.

In Windows 10, IT uses permissions to control access to resources and operating system settings. Although companies commonly grant permissions to Active Directory (AD) accounts, domain membership is not an absolute requirement. Windows 10 supports three different types of accounts -- local accounts, Microsoft accounts and Active Directory accounts -- and can assign permissions to any of these types. Being able to assign permissions to account types other than AD is useful for securing devices that are not domain joined.

Windows 10 permissions role call

In Windows 10, a user's role determines operating system-level permissions. IT can classify a Windows 10 user as either an administrator, who is a device administrator, or a standard user, who does not have administrative privileges for the device.

A standard user is allowed to manage her own account and access her own data. A standard user can generally change the password, change the desktop theme and settings and access the files stored in her personal folders -- Documents, Downloads, Pictures and so on -- and public folders.

An administrator can create, change and delete user accounts. An administrator is also able to modify operating system settings that affect all users on the device, including security settings. In addition, administrators can install and remove apps, access data that is stored in other users' folders, and have full access to system files.

It is tempting to think of standard users and administrators in terms of local accounts, but remember that Windows 10 also supports the use of Active Directory and Microsoft accounts. As such, IT could designate a device administrator regardless of whether the user signs in with a local, Active Directory or Microsoft account, depending on how the device is configured.

Don't let the permissions slip

Windows 10 also uses permissions to control access to the file system through the use of Access Control Lists (ACLs). IT can access a folder's ACL by right-clicking the folder, choosing the Properties command from the shortcut menu, and selecting the Security tab. The upper portion shows the users or groups that have been added to the ACL. The lower portion displays the permissions that apply to the user or group that is currently selected (Figure A).

Figure A: Control permissions through the Security tab.

IT must also be aware of inheritance. Files and folders inherit the permissions of their parent folder. Figure A shows a number of groups that have access to the folder; all of these entries were inherited, not explicitly assigned. If IT selects one of the listed groups and clicks the Edit button, some of the permissions are greyed out, because they are inherited rather than explicitly assigned (Figure B).

Figure B: Inherited permissions are greyed out.

It is possible to block permissions from being inherited. The Advanced button in the Security tab causes Windows to display a dialog box which contains a Disable Inheritance button (Figure C). Avoid disabling inheritance unless there is a compelling reason to do so.

Figure C: Disable inheritance if necessary.

Another best practice is to assign Windows 10 permissions to groups, not users. Doing so makes management much easier because IT never has to worry about managing granular permissions for individual users. Users inherit the permissions of the groups to which they belong.

When permissions collide

It is possible for a user to receive contradictory Windows 10 permissions. Windows solves contradictions by combining ACLs. Suppose that a user is a member of two different groups, both with access to a particular folder. If one group gave the user read access to the folder, and the other group gave the user read and write access, the permissions combine, resulting in an effective permission of read and write.

Keep in mind that an explicit denial overrides any granted permission. If a user is a member of one group that has read access to a folder, and another group that IT explicitly denied read access, then when the permissions are combined the resulting permission will deny access.
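The two cases above can be worked through in a small model. This is an added example, not code from the original article: it is a simplified Python model with only two rights, and the group names and the sample ACL are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntFlag

class Right(IntFlag):
    READ = 1
    WRITE = 2

@dataclass(frozen=True)
class Ace:
    trustee: str   # group the entry is assigned to
    allow: bool    # True = Allow entry, False = explicit Deny entry
    rights: Right

# Constructed sample ACL for one folder; the group names are hypothetical.
FOLDER_ACL = [
    Ace("Sales", True, Right.READ),
    Ace("Editors", True, Right.READ | Right.WRITE),
    Ace("Contractors", False, Right.READ),
]

def explain_access(groups, acl):
    """Return {right name: (granted, reason)} for a user who belongs to `groups`."""
    report = {}
    for right in (Right.READ, Right.WRITE):
        matching = [a for a in acl if a.trustee in groups and right in a.rights]
        denies = sorted(a.trustee for a in matching if not a.allow)
        allows = sorted(a.trustee for a in matching if a.allow)
        if denies:      # an explicit deny beats every allow for that right
            report[right.name] = (False, "denied via " + ", ".join(denies))
        elif allows:    # allows from all of the user's groups are combined
            report[right.name] = (True, "allowed via " + ", ".join(allows))
        else:           # nothing grants the right, so there is no access
            report[right.name] = (False, "no matching allow entry")
    return report

def effective_rights(groups, acl):
    """Collapse the report into the set of rights the user ends up with."""
    return {name for name, (ok, _) in explain_access(groups, acl).items() if ok}

if __name__ == "__main__":
    for membership in ({"Sales", "Editors"}, {"Sales", "Contractors"}):
        print(sorted(membership), explain_access(membership, FOLDER_ACL))
```

The per-right reason string names the group responsible for each verdict, which is the detail needed when tracing why a user unexpectedly lost or gained access.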

How has your company implemented Windows 10 permissions?
I came across something I haven't seen before in Windows 10 -- a condition applied to a permission in a folder ACL.  The permission is an "allow" for Users (ComputerName), for Read and Execute in the folder only, but has a visible condition in the Advanced Security Settings, "(Exists WIN://SYSAPPID)".  Unfortunately the particular ACE is corrupt -- I can delete and restore the permission, but have no idea how to set the condition to its original state.  Any thoughts on this would be helpful.  Thanks.
ok it's the connection between the internet and local storage Users
IIRC ACE is not actually corrupt but a condition/permission for your pc collection and is not located on the pc because it is encrypted by the world Users/           Users/ and should not be removed
I know what you're talking about I am the Users/             /Users
it's not a corrupt entry but an amazon SQS permission/Condition
for your end of your computer and to my end but a (Case of Condition)
to your pc allows the access between the internet and local storage and should remain unchanged because of the source main server between the internet and all storage I would never ever mess with this permission in any way because it is
an entry for every Exists files and if logged in then every Exists files will be accessed incorrectly and that is not safe see what it is now