DOCUMENT:Q102339  11-AUG-1993  [W_NTAS]
TITLE   :INF: Permissions Comparison--NT AS vs. LAN Manager
PRODUCT :Microsoft Windows NT Advanced Server
PROD/VER:3.10
OPER/SYS:WINDOWS
KEYWORDS:

--------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Advanced Server version 3.1
--------------------------------------------------------------------

SUMMARY
=======

This article discusses how file, directory, and printing permissions
compare between Windows NT Advanced Server and LAN Manager version
2.x.

MORE INFORMATION
================

File and Directory Permissions
------------------------------

On a LAN Manager for OS/2 system, you can control access to all files
and directories under the FAT, HPFS, or HPFS386 file systems. On a
Windows NT system, you can control users' access to directories and
files on drives formatted to use the Windows NT file system (NTFS).
Drives formatted to use FAT and HPFS do not support Windows NT
security. You can, however, secure Windows NT shared directories no
matter what file system is in use.

The standard permissions for files and directories and their meanings
are shown in the following tables, along with the individual
permissions each standard permission represents.

LAN
Manager     NTFS                 Description
-----------------------------------------------------------------------

R           Read (RX)            User can read the contents of the
                                 file and run it if it is an 
                                 application.

W           Change (RWXD)        Lets the user open and write to a
(Write)                          file, changing its contents. Windows
                                 NT allows deletion of the file.

D           N/A                  Lets the user delete files.
(Delete)

X           N/A                  Lets the user run a program, but
(Execute)                        not read or copy it.

A           N/A                  Lets the user change file attributes.
(Change Attributes)

P           N/A                  Lets the user grant permissions for
(Change Permissions)             the file to other users.

Y           Full Control (All)   For LAN Manager, serves as a shortcut
(Yes)                            to RWCDA permissions. When you give a
                                 user Y permission, you are granting 
                                 RWCDA permissions.

                                 For Windows NT, enables user to read,
                                 modify, delete, set permissions for, 
                                 and take ownership of the file.

N           No Access            Prevents a user from using the file
(No)                             or directory in any way, even if the 
                                 user is a member of a group that has 
                                 been granted access to the file. On 
                                 LAN Manager, Y access given to a user 
                                 overrides N access given to a group. 
                                 On Windows NT, deny access takes 
                                 precedence. For example, if a user 
                                 has Full Control access for a file, 
                                 but is a member of a group that has 
                                 No Access for the same file, access 
                                 is denied.

In the second column of the following table (for NTFS directory
permissions), the first set of individual permissions applies to the
directory itself, and the second set of individual permissions applies
to new files subsequently created in the directory.

Directory Permissions
---------------------

LAN
Manager     NTFS                   Description
-----------------------------------------------------------------------

R           Read (RX)(RX)          User can read files in the
(Read)                             directory and run applications in
                                   the directory.

W           Change (RWXD)(RWXD)    User can read and add files and
(Write)                            change the contents of current
                                   files.

C           Add                    A user with C permission can create
(Create)    (WX) (Not Specified)   a file and after creating it, can
                                   read from or write to the file
                                   until closing it.

            Add & Read             Add enables a Windows NT user to
            (RWX) (RX)             add files to the directory but not
                                   to read the contents of current
                                   files or change them.

                                   Add & Read enables a user to add
                                   files to the directory and read
                                   current files, but not to change
                                   any files.

D           N/A                    Users can delete files and
(Delete)                           subdirectories within the shared
                                   directory but cannot delete the
                                   shared directory itself.

X           N/A                    Lets the user run a program in the
(Execute)                          directory, but not read it or copy
                                   it.

A           N/A                    Lets the user change the attributes
(Change Attributes)                of files in the directory.

P           N/A                    The user can change the permissions
(Change Permissions)               for the directory or files in the
                                   directory.

Y           Full Control           For LAN Manager, serves as a
(Yes)       (All)(All)             shortcut to RWCDA permissions. When
                                   you give a user Y permission, you
                                   are granting RWCDA permissions.
                                   User can read and change files, add
                                   new ones, change permissions for
                                   the directory and its files, and
                                   take ownership of the directory and
                                   its files.

N           No Access              Prevents a user from using the file
(No)        (None)(None)           or directory in any way. Usually,
                                   you can prevent a user from
                                   accessing a file or directory
                                   simply by not giving the user any
                                   permissions to it; however, you
                                   must use N permission to prevent a
                                   specific user from accessing a file
                                   while granting access to the file
                                   or directory to a group the user
                                   belongs to. For Windows NT, users
                                   cannot access the directory in any
                                   way, even if they have Full Control
                                   access through membership in a
                                   group.

N/A         List                   User can only list the files and
            (RX) (Not Specified)   subdirectories in this directory and
                                   change to a subdirectory of this
                                   directory. User cannot access new
                                   files created in this directory.

NOTE: Permissions on shared Windows NT directories that are not NTFS
are identical. Note that if a directory is both shared and on an NTFS
volume, permissions are cumulative over the network.
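
The No Access rows in the file and directory tables describe opposite
precedence rules, so an access list carried over one-to-one can deny a user
that LAN Manager admitted. The following sketch is an added example, not
part of the original article or any Microsoft tool; it models only that
rule and the file-table mapping. All function names and sample data are
hypothetical, and the handling of group-only entries on LAN Manager is an
assumption marked in the code.

```python
# Added illustration, not Microsoft code. Models the No Access precedence
# rule from the N rows of the tables above; all names are hypothetical.

# File-table standard permissions; None marks the rows listed as N/A.
LM_TO_NTFS = {"R": "Read", "W": "Change", "Y": "Full Control", "N": "No Access",
              "D": None, "X": None, "A": None, "P": None}


def translate(lm_acl):
    """Map {principal: letter} to NTFS; also list principals with no equivalent."""
    ntfs_acl = {p: LM_TO_NTFS[perm] for p, perm in lm_acl.items() if LM_TO_NTFS[perm]}
    unmapped = sorted(p for p, perm in lm_acl.items() if LM_TO_NTFS[perm] is None)
    return ntfs_acl, unmapped


def lan_manager_allows(user, groups, lm_acl):
    """LAN Manager: an entry for the user overrides entries for groups."""
    if user in lm_acl:
        return lm_acl[user] != "N"
    # Assumption (not stated on the page): with no user entry, any group grant allows.
    return any(lm_acl.get(g, "N") != "N" for g in groups)


def windows_nt_allows(user, groups, ntfs_acl):
    """Windows NT: No Access on the user or on any group takes precedence."""
    entries = [ntfs_acl[p] for p in (user, *groups) if p in ntfs_acl]
    return bool(entries) and "No Access" not in entries


def lost_access(lm_acl, membership):
    """Users LAN Manager admits but NT denies after a one-to-one carry-over."""
    ntfs_acl, _ = translate(lm_acl)
    return sorted(u for u, groups in membership.items()
                  if lan_manager_allows(u, groups, lm_acl)
                  and not windows_nt_allows(u, groups, ntfs_acl))


# Constructed sample: CONTRACTORS is locked out, but alice holds a personal Y.
SAMPLE_ACL = {"CONTRACTORS": "N", "STAFF": "R", "alice": "Y", "AUDIT": "P"}
SAMPLE_MEMBERSHIP = {"alice": ["CONTRACTORS"], "bob": ["STAFF"],
                     "carol": ["CONTRACTORS"]}

if __name__ == "__main__":
    print("denied after migration:", lost_access(SAMPLE_ACL, SAMPLE_MEMBERSHIP))
    print("no NTFS standard permission:", translate(SAMPLE_ACL)[1])
```

Principals reported by lost_access need their group No Access entry or
their membership reviewed before the move; principals reported as unmapped
hold a LAN Manager permission with no NTFS standard permission.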

Printer Permissions
-------------------

LAN
Manager         Windows NT
Printer         Printer            Descriptions/
Queue           Permissions        Differences
-----------------------------------------------------------------------

Y               Print              Users can send jobs to the printer
(Yes)                              queue.

N               No Access          Prevents a user from accessing the
(No)                               printer queue.

Y+P             Full Control       Users can send jobs to and set
(Yes+Change Permissions)           access permissions for the printer
                                   queue. Users can print documents,
                                   change print settings, and
                                   completely manage documents and
                                   printers.

N/A             Manage Documents   Users can pause, resume, restart, 
                                   delete, and control settings for 
                                   documents.

Additional reference words: 3.10 security ntas
KBCategory:
KBSubCategory: ntadsrv scrty

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 1993.