Need help understanding Windows NTFS permissions

I'm not sure if this is the correct forum, but none of the others looked specific to this. And I apologise that I may not be asking the right questions - it is difficult for me to even understand what is niggling at me, because I don't understand what my OS is doing sometimes. I'll try and highlight questions in bold as they occur to me, the kind of things that will help me to understand how my PC (OS) works.

Okay, that said, here's my setup. I have always been the only user on my PC. Just one PC, one person.

My understanding, going back to my first 486, is that a Windows PC is made up of a formatted hard drive (Fat32 or - later - NTFS format, which affect how big a file can be, and compatibility with other operating systems), and a load of files, which generally have an extension which determines what it does. Files can be programs (.exe, .bat) or collections of non-executable data that need a program to understand (.txt, .docx, .mp3). Because they're just all files, there should be no problem backing them up, transferring them to another PC and so on.

I think my problems began when I moved from Windows XP to Windows 7 in 2012, but it is hard to remember back for sure. Let's assume I'm right. I was generally happy with Windows 7, it was definitely more stable, though Windows Explorer seemed more packed with options I didn't want to use and couldn't hide (Libraries, Homegroup, a computer name, Control Panel etc - I just wanted C:, D: etc, and maybe the "Favorites" which is quite handy).

The problem I ran in to was when restoring or backing up files to an external drive. My synchronisation software was failing on some files. There seemed to be a lot of files where I got a red 'Access is Denied' message. They weren't encrypted or read-only, and used to transfer okay on Windows XP (they were just things like MP3 files).

I looked into it and it was all sorts of complicated stuff to do with a Security tab on each file, which displayed a list of "Group or user names" (none of which I recognised or had ever consciously chosen) each of which had different permission levels (again, which I had never set or changed). I had to fiddle about with that before the files could be moved or backed up. I spent ages trying to unravel it - again, it is hard to know what questions to ask, and who to ask them of. To my mind they should just be backed up or restored with no problems. I hadn't changed anything. I tracked it down to some silly Win7 permissions on the external hard drive, not letting files be written over or deleted in some cases. I changed the Users permissions to all the main categories, applied it to subfolders, and it then worked. It was annoyingly complicated though, and I hadn't known switching to Windows 7 would involve all these sorts of headaches.

I had another problem with some software. One bit of MP3 tagging software gave this error every time I ran it: "Error opening undo file" (then a path). When I clicked on ok it worked, but I had no idea what the error was. Eventually I fixed it by changing the permissions for the folder, giving full permissions to everyone.

I didn't understand the permissions/rights/groups things, and couldn't work out how to disable them - I just wanted them to be files, that anyone could use and access, as before. Maybe those features are useful to some people, such as power users (I'm just guessing), but for me, I just want a file. Maybe the option to make it read-only to prevent accidental deletion (which I sometimes did on Windows 3.1) could be handy, but I could even live without that.

I've never fully understood where all that stuff comes from; what the implications are (though it seems to affect backing up the files sometimes); whether I can delete it all or reset it. So first question: can I turn off whatever feature this is which is putting restrictions on what I can do with my files?
[I will summarise all the questions again at the end and number them]

I also wanted to know where the problems with permissions are coming from. One possibility is with files from different places/people? Are they coming with "owners" that aren't me, and causing problems?

Or could it be related to the PC name? For example, I reinstall Windows from time to time. I have to enter a name or something (I can't remember if it is meant to be me or for the PC) - there are no guidance notes at the time to indicate it is important. Since I don't know what it is used for I don't use my real name in case that somehow affects security/privacy/online anonymity, so I just type any old thing in such as "NA" or "NONE". But does that then somehow mean files belong to "NA", and when I next reinstall the OS and call my PC "NONE" Windows somehow thinks they are no longer my files on the backup drive?

Removing the stuff about security/ownership/permissions/rights/groups (I don't know if those are the same thing or not). Is there any way to disable this feature totally? For users in my position it just seems to cause problems.

Also, where is the information about security/ownership/permissions/rights/groups actually held? i.e. is it held in the registry, which has an index of all files and stores this information? [Implication: reinstalling Windows wipes it and lest you start afresh; the original files such as music, documents etc are untouched and pristine]. Or is the information added to the file itself (.mp3, .doc etc) as extra data/metadata even though I don't want that? [Implications: files bloat with unwanted data; files secretly accrue more and more weird "ownership/security" data over the years; possibly cause problems in the future if I move to another OS and try to use the files, or email one to someone?]

If the data is added to files themselves, is there any way to strip it all back out and reset them? Some software or command I can run that strips out all that extra Windows permission and makes the files just basic files again?


One place online seemed to suggest that the security/ownership/permissions/rights/groups data only exists due to NTFS, and that is as much of a factor as Windows 7. Is that true? If my drives were FAT32 rather than NTFS would that strip all the security metadata out of the files? Or would it leave the metadata there, but just ignore it (so right-click>properties on a file would no longer show Sharing/Security tabs, but the info would still be in the file somewhere, bloating it, but just invisibly?)

Do all versions of Windows 7 have this security/ownership/permissions/rights/groups stuff, or just Windows 7 Ultimate? Would life be easier if I bought a more basic version of Windows 7?

If I wanted an OS which doesn't use the security/ownership/permissions/rights/groups stuff, what are my options? Any other versions of Windows I could use? Linux? And will the security on my files cause problems if I move to another Windows OS, or Linux?


Sorry: to techie people this might all be clear, but as someone who just wants to create, copy and back up files (whether they are Word docs, photos, games or music) all the permissions stuff seems horrendously complicated. I'm doing my best to think back and try to clarify what I understand so you can see what a simple computer user thinks, though even my terminology might be incorrect. Basically there is all this security/ownership/permissions/rights/groups stuff - whenever I mention one of these things I mean them all - in my mind they're basically all related to an extra layer of restrictions applied to files. An unwanted layer, in my case, and one which I was never warned was part of upgrading from Windows XP (I wish the Windows 7 installer had explained some of this).

Lastly, I have read a lot on these topics. And I don't really understand them any better, because they all begin with assumptions which I can't fathom. If I can't get simple answers to my questions above, is there anything really simple I can read to understand what is going on, what the implications are, and how to manage it?


Sorry for the long message. One thing Windows doesn't do well is explain actually how it works, and what it is doing in the background in areas like this. It annoys me that it is so complicated, and I'm saddled a feature I can't seem to turn off or understand the implications of. I am not even sure what questions to ask. When I Google things to do with file ownership and security and Windows it is way too advanced to me, and misses out on the fundamental explanation of what is going on - it just raises more questions.

I'll summarise my questions without all of the explanation, and number them in case that helps if anyone want to tackle one but not the others.

1. can I turn off whatever feature this is which is putting restrictions on what I can do with my files?

2. I also wanted to know where the problems with permissions are coming from. One possibility is with files from different places/people? Are they coming with "owners" that aren't me, and causing problems?
Or could it be related to the PC name? For example, I reinstall Windows from time to time. I have to enter a name or something (I can't remember if it is meant to be me or for the PC) - there are no guidance notes at the time to indicate it is important. Since I don't know what it is used for I don't use my real name in case that somehow affects security/privacy/online anonymity, so I just type any old thing in such as "NA" or "NONE". But does that then somehow mean files belong to "NA", and when I next reinstall the OS and call my PC "NONE" Windows somehow thinks they are no longer my files on the backup drive?

3. Removing the stuff about security/ownership/permissions/rights/groups (I don't know if those are the same thing or not). Is there any way to disable this feature totally?

4. Also, where is the information about security/ownership/permissions/rights/groups actually held? i.e. is it held in the registry, which has an index of all files and stores this information? [Implication: reinstalling Windows wipes it and lest you start afresh; the original files such as music, documents etc are untouched and pristine].

5. Or is the information added to the file itself (.mp3, .doc etc) as extra data/metadata even though I don't want that? [Implications: files bloat with unwanted data; files secretly accrue more and more weird "ownership/security" data over the years; possibly cause problems in the future if I move to another OS and try to use the files, or email one to someone?]

6. If the data is added to files themselves, is there any way to strip it all back out and reset them? Some software or command I can run that strips out all that extra Windows permission and makes the files just basic files again?


7. One place online seemed to suggest that the security/ownership/permissions/rights/groups data only exists due to NTFS, and that is as much of a factor as Windows 7. Is that true? If my drives were FAT32 rather than NTFS would that strip all the security metadata out of the files? Or would it leave the metadata there, but just ignore it (so right-click>properties on a file would no longer show Sharing/Security tabs, but the info would still be in the file somewhere, bloating it, but just invisibly?)

8. Do all versions of Windows 7 have this security/ownership/permissions/rights/groups stuff, or just Windows 7 Ultimate? Would life be easier if I bought a more basic version of Windows 7?

9. If I wanted an OS which doesn't use the security/ownership/permissions/rights/groups stuff, what are my options? Any other versions of Windows I could use? Linux? And will the security on my files cause problems if I move to another Windows OS, or Linux?


10. Lastly, I have read a lot on these topics. And I don't really understand them any better, because they all begin with assumptions which I can't fathom. If I can't get simple answers to my questions above, is there anything really simple I can read to understand what is going on, what the implications are, and how to manage it?

ignatzatsonic said:

So, I'm wondering about a few things:

Do you build your own machines?

How often do you reinstall Windows from scratch?

Do you know for a fact that files you personally made from scratch, such as "My favorite spaghetti sauce recipe.doc" eventually develop permission related problems? Rarely? Frequently? Some such files? Most such files? Do obtained files develop these issues more than home-made files?

Do you have any insight at all into WHICH files develop issues and WHEN they do?

Do you have a certain number of files that NEVER have had permissions issues?

Thanks, it is useful to see a scenario that is very similar to mine!

Do you build your own machines?
No, I buy them from PCSpecialist, then update bits and pieces over the years (RAM and hard drives, mostly; PSU once).

How often do you reinstall Windows from scratch?
Mmm, it used to be about once a year or so with Windows XP. Since I got Windows 7 I think I have only done one reinstall of the OS, so that yearly reinstall is down to c.3 years per reinstall.

Do you know for a fact that files you personally made from scratch, such as "My favorite spaghetti sauce recipe.doc" eventually develop permission related problems? Rarely? Frequently? Some such files? Most such files? Do obtained files develop these issues more than home-made files?
Do you have any insight at all into WHICH files develop issues and WHEN they do?
Do you have a certain number of files that NEVER have had permissions issues?

Sorry, I can't say with any certainty. As with any Windows problem I remember having problems, getting angry, swearing, searching online fora, and eventually resolving it (or giving up) - and unless it is something likely to recur (in which case I'll save notes) I then try and forget about it and move on. So I remember having the issue, but not what file caused it. I just know they were ones that used to cause no problems on XP.

ignatzatsonic said:

I probably should add:

I do not use Windows built-in "user" directory structure (C:\users\......). Applications sometimes put stuff in there, but I NEVER do.

I don't know if that is significant for the security issues you are facing.

I save directly to my D drive, which is a physically separate drive, entirely distinct from C.

Actually, I do the same. I have the OS on C: (a partition). I never store files here, only use it for installing programs.
D: is where I store all my "files" (I never install programs to it). There are subfolders for mp3s, photos, and whatever else I decided to add.
When I do a backup I back up all of the d: (and anything temporarily on the desktop, which is like an easy workspace for me, because I can always see the left side of it, and it's the first option in save dialogues).
It's one of the reasons reinstalling Windows was so easy - although I would always back up the d: just to be safe, all I needed to do was reformat c:, install Windows to c:, and I was good to go - my data on d: was untouched (unless Windows was doing stuff behind my back).

ignatzatsonic said:

I assume only SOME files have the issues and others don't.

You need to find out why only some, rather than all.

Are they in a particular directory or sub-directory?

Were they obtained from a particular source?

Are they of the same file type--doc, exe, jpg, whatever?

Were they originally made on some particular PC or OS?

Were they all modified in some way?

Does the problem show up only in certain circumstances?

That type of thing.

It would be more understandable if ALL data files were affected.

Unless you say so, I'll assume it's not ALL.

Well, there are no visible problems with all of my files. Only some threw up errors. Of course, that doesn't mean that Windows isn't storing up problems for later if it is altering files without my knowledge (adding metadata etc) - that's one of the reasons why I want to understand what Windows does, regardless of the problems I had. Just how all this works. And I haven't compared the Security tabs on different File Properties. In fact, they themselves confuse me as soon as I look at them. It has headings for:

Authenticated Users [which should only be one, me]
SYSTEM [whatever that is - the OS? Does it get treated like a person?]
Administrators (NA-PC\Administrators) [which should only be one, me]
Users (NA-PC\Users) [which should only be one, me]

You can see why that is confusing, for PCs that are single user, and that user is also the administrator! There's no need for so many headings, each with their own subset of "Full control", "Modify", "Read & Execute", "Read", "Write", "Special permissions" [whatever that means]. I assume all but the last are meant to be ticked for each category? It seems clunky, for example, if there is a tick in full control, then the other headings become irrelevant. And this is the kind of thing where I wondered if the data is being stored in the file itself, or in Windows registry...

It's not the same issue, but is related: I just installed a game, went to rename the shortcut in my Start menu, and Windows 7 popped up:

"You'll need to provide administrator permission to rename this file"
Continue / Skip / Cancel

It is an example of how pointless all of this seems to any user who is the only user on their PC. "I am the administrator. I installed you, gave birth to you, set you up!" Yet Windows insists on popups forcing you to click "Continue" to do what you wanted it to do in the first place.

I wish I could just choose a setting on install that let me disable all this, and just have one user, administrator, and let me do whatever I want. It gets to the point where you don't even read all the prompts, you just press enter anyway, because you're so used to it popping up prompts every time you try and do something with your PC such as renaming a file. (Yes, I realise it must be something to do with where the game installed itself on the C:, but I still don't want all this stuff to do with permissions and so on. Let me delete or rename a file if I want. Let me take it back out of the recycle bin if I make a mistake. If I stuff it up then it is at least my fault then.)

1. Security has been a core concept of the NT platform from the very beginning. I know how to disable it only as a theoretical concept. I have never done it, never even contemplated it.

2. I will leave this to others.

3. Doing so would be highly insecure.

4. Security information is stored in the MFT (Master File Table) of the drive. There is an entry in the table for each file and folder on the drive.

7. In Windows 7 only NTFS volumes have security. FAT 32 does not. Modern versions of Windows must be installed on NTFS but FAT32 can be used for storage. FAT32 has one big problem in that it does not support files over 4 GB.

8. All editions of Windows 7 have security and it works the same way.

9. All versions of Windows released in the last 20 years with the exception of Windows 95, 98, ME are members of the NT platform and security is a basic concept. These systems will not install on modern hardware and will not run modern software. You can install Windows 2000 and XP on FAT 32 but installing such an OS on modern hardware is highly problematic and in many cases impossible. They are currently unsupported and have known security issues that will never be fixed. Running on FAT32 makes the security situation much worse.

All modern operating systems have security. Some very basic, command line only, versions of Linux may not. They will not run modern software and you can forget about them.

LMiller7 said:

3. Doing so would be highly insecure.

4. Security information is stored in the MFT (Master File Table) of the drive. There is an entry in the table for each file and folder on the drive.

Many thanks, that is useful.

Re: 3, above: this is a genuine question, can you give me a real world scenario for a single user PC like mine where the security (in terms of rights/permissions etc) benefits me? I'm curious as to where it is coming from, and I know in work environments we had to protect files from users, but on my own PC I can't see any real examples where it would benefit me.

Re: 4, thanks, that's useful to know - it's not adding anything to the file itself if permissions get changed. Presumably then, if I give a file to someone else, it will have no information about permissions/owners etc, and will be a blank slate? (Since friend X's PC won't have any access to my MFT, so will just see the file "as is").