Understanding NTFS file permissions and DACL

Posted: (EET/GMT+2)

 

The NTFS file system supports detailed access control for files and directories. If you need to control who can access files on an NTFS-formatted partition, you can do so with access control lists (ACLs).

Each file or directory has a Discretionary Access Control List (DACL), which defines which users and groups are allowed or denied access.

You can view and modify permissions from Windows Explorer:

Right-click a file -> Properties -> Security

The DACL is shown as a list of entries called ACEs (Access Control Entries), each specifying a user or group and the permissions that are allowed or denied.

Common permissions include:

Read
Write
Execute
Full Control

Permissions can be inherited from the parent directory, which simplifies management for larger directory structures.

From the command line, you can use the CACLS tool:

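cacls file.txt
cacls file.txt /E /G user:R
cacls file.txt /E /G admins:F

The first command displays the current permissions. The other two grant Read (R) and Full Control (F) to the specified accounts; the /E switch edits the existing DACL, whereas /G without /E replaces it with the single new entry.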
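
To review the ACEs and inheritance described above across a whole directory tree, the following PowerShell script is an added example (not part of the original post). It lists every ACE that is explicit rather than inherited, or that allows write-type access to a broad group. The C:\Data path and the list of broad groups are assumptions.

```powershell
# Added example: report ACEs in a directory tree that are explicit (not inherited)
# or that allow write-type access to broad groups.
param([string]$Root = 'C:\Data')   # hypothetical path; pass your own

# Assumed policy: these principals should not hold write-type rights.
# Names are as shown on English-language Windows.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

# Bits that permit changing content, deleting, or rewriting the DACL or owner.
# Modify and FullControl are not used as masks because they also contain read bits.
$writeish = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs on folders can carry raw generic rights: GENERIC_WRITE, GENERIC_ALL.
$writeish = $writeish -bor 0x40000000 -bor 0x10000000

# The root itself plus everything below it (unreadable folders are skipped).
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read DACL: $($item.FullName)"; continue }

    foreach ($ace in $acl.Access) {
        $who      = $ace.IdentityReference.Value
        $canWrite = $ace.AccessControlType -eq 'Allow' -and
                    (([int]$ace.FileSystemRights -band $writeish) -ne 0)
        $isBroad  = $broad -contains $who

        # Keep ACEs set directly on the object, and broad write grants of any origin.
        if (-not $ace.IsInherited -or ($isBroad -and $canWrite)) {
            [pscustomobject]@{
                Path       = $item.FullName
                Identity   = $who
                Type       = $ace.AccessControlType   # Allow or Deny
                Rights     = $ace.FileSystemRights
                Inherited  = $ace.IsInherited
                BroadWrite = $isBroad -and $canWrite
            }
        }
    }
}

$findings | Sort-Object Path, Identity | Format-Table -AutoSize -Wrap
```

Rows with BroadWrite set to True are the ones to review first; explicit Deny entries also appear because they are not inherited.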