Lesson 6: Solving Permissions Problems
When you assign or modify NTFS permissions to files and folders, problems might arise. Troubleshooting these problems is important to keep resources available to users.
After this lesson, you will be able to
Troubleshoot resource access problems.
Estimated lesson time: 20 minutes
Troubleshooting Permissions Problems
Table 14.6 describes some common permissions problems that you might encounter and provides solutions that you can use to try to resolve these problems.

Table 14.6 Permissions Problems and Troubleshooting Solutions
Problem | Solution |
---|---|
A user can't gain access to a file or folder. | If the file or folder was copied, or if it was moved to another NTFS volume, the permissions might have changed. Check the permissions that are assigned to the user account and to groups of which the user is a member. The user might not have permission or might be denied access either individually or as a member of a group. |
You add a user account to a group to give that user access to a file or folder, but the user still can't gain access. | For access permissions to be updated to include the new group to which you have added the user account, the user must either log off and then log on again, or close all network connections to the computer on which the file or folder resides and then make new connections. |
A user with Full Control permission to a folder deletes a file in the folder, although that user doesn't have permission to delete the file itself. You want to stop the user from being able to delete more files. | You have to clear the special access permission—the Delete Subfolders And Files check box—on the folder to prevent users with Full Control of the folder from being able to delete files in the folder. |
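
The third problem in Table 14.6 can be checked from a script. The following is an added example, not part of the original lesson: it lists the folder ACEs that carry Delete Subfolders And Files and flags files whose own Deny on Delete that folder right would bypass. It assumes a current Windows system with PowerShell 3.0 or later (not Windows 2000); the function names are hypothetical, and C:\Fullaccess is the folder created in Exercise 3 of this lesson.

```powershell
# Added example, not from the lesson. Function names are hypothetical.
$DeleteChild = [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
$Delete      = [int][System.Security.AccessControl.FileSystemRights]::Delete
$GenericAll  = 0x10000000   # GENERIC_ALL: some ACEs store Full Control as this raw bit

# Allow ACEs that give Delete Subfolders And Files on the folder itself.
function Get-DeleteChildAce {
    param([Parameter(Mandatory)][string]$Folder)
    (Get-Acl -LiteralPath $Folder).Access | Where-Object {
        $rights = [int]$_.FileSystemRights
        $_.AccessControlType -eq 'Allow' -and
        # Inherit-only ACEs (typical for CREATOR OWNER) do not apply to this folder.
        ([int]$_.PropagationFlags -band 2) -eq 0 -and
        (($rights -band $DeleteChild) -ne 0 -or ($rights -band $GenericAll) -ne 0)
    }
}

# Files whose Deny on Delete can be bypassed because the parent folder
# grants Delete Subfolders And Files. Results are candidates for review:
# the script does not resolve group membership between the two identities.
function Find-BypassedFileDeny {
    param([Parameter(Mandatory)][string]$Folder)
    $grantees = @(Get-DeleteChildAce -Folder $Folder)
    if ($grantees.Count -eq 0) { return }
    Get-ChildItem -LiteralPath $Folder -File | ForEach-Object {
        $file = $_
        # Reading an ACL needs Read Permissions on the file (the owner always
        # has it); files whose ACL cannot be read are skipped.
        $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            ([int]$_.FileSystemRights -band $Delete) -ne 0
        } | ForEach-Object {
            [pscustomobject]@{
                File                  = $file.FullName
                DeleteDeniedTo        = $_.IdentityReference
                FolderDeleteChildHeld = ($grantees.IdentityReference -join ', ')
            }
        }
    }
}

# Sample run against the Exercise 3 folder.
Get-DeleteChildAce -Folder 'C:\Fullaccess' |
    Format-Table IdentityReference, FileSystemRights, IsInherited
Find-BypassedFileDeny -Folder 'C:\Fullaccess'
```

Any row returned by Find-BypassedFileDeny is a file where clearing Delete Subfolders And Files on the parent folder, as the table describes, is needed for the file-level Deny to hold.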
Avoiding Permissions Problems
The following list provides best practices for implementing NTFS permissions. These guidelines will help you avoid permission problems.
- Assign the most restrictive NTFS permissions that still enable users and groups to accomplish necessary tasks.
- Assign all permissions at the folder level, not at the file level. Group files in a separate folder for which you want to restrict user access, and then assign that folder restricted access.
- For all application-executable files, assign Read & Execute and Change Permissions to the Administrators group, and assign Read & Execute to the Users group. Damage to application files is usually a result of accidents and viruses. By assigning Read & Execute to Users and Read & Execute and Change Permissions to Administrators, you can prevent users or viruses from modifying or deleting executable files. To update files, members of the Administrators group can assign Full Control to their user account to make changes and then reassign Read & Execute and Change Permissions to their user account.
- Assign Full Control to the CREATOR OWNER group for public data folders so that users can delete and modify files and folders that they create. Doing so gives the user who creates the file or folder (CREATOR OWNER) full access to only the files or folders that he or she creates in the public data folder.
- For public folders, assign Full Control to the CREATOR OWNER group and Read and Write to the Everyone group. This gives users full access to the files that they create, but members of the Everyone group can only read files in the folder and add files to the folder.
- Use long, descriptive names if the resource will be accessed only at the computer. If a folder will eventually be shared, use folder and filenames that are accessible by all client computers.
- Allow permissions rather than denying permissions. If you don't want a user or group to gain access to a particular folder or file, don't assign permissions. Denying permissions should be an exception, not a common practice.
Practice: Managing NTFS Permissions
In this practice, you will observe the effects of taking ownership of a file. Then you will determine the effects of permission and ownership when you copy or move files. Finally, you will determine what happens when a user, having the Full Control permission to a folder, has been denied all access to a file in that folder, and the user attempts to delete the file.

To successfully complete this practice, you must have completed "Practice: Planning and Assigning NTFS Permissions," in Lesson 3 of this chapter.
Exercise 1: Taking Ownership of a File
In this exercise, you will observe the effects of taking ownership of a file. To do this, you must determine permissions for a file, assign the Take Ownership permission to a user account, and then take ownership as that user.

To determine the permissions for a file
1. Log on as Administrator, and then start Windows Explorer.
2. In the Public folder, create a text file named Owner.
3. Right-click Owner.txt, and then click Properties. Microsoft Windows 2000 displays the Owner Properties dialog box with the General tab active.
4. Click the Security tab to display the permissions for the Owner.txt file. What are the current allowed permissions for Owner.txt?
5. Click Advanced. Windows 2000 displays the Access Control Settings For Owner dialog box with the Permissions tab active.
6. Click the Owner tab. Who is the current owner of the Owner.txt file?
To assign permission to a user to take ownership
1. In the Access Control Settings For Owner dialog box, click the Permissions tab.
2. Click Add. Windows 2000 displays the Select User, Computer, Or Group dialog box.
3. In the Look In box at the top of the dialog box, ensure that your computer is selected.
4. Under Name, click User84, and then click OK. Windows 2000 displays the Permission Entry For Owner dialog box. Notice that all of the permission entries for User84 are blank.
5. Under Permissions, select the Allow check box next to Take Ownership.
6. Click OK. The Access Control Settings For Owner dialog box with the Permissions tab displayed is once again active.
7. Click OK to return to the Owner Properties dialog box.
8. Click OK to apply your changes and close the Owner Properties dialog box.
9. Close all applications, and then log off Windows 2000.
To take ownership of a file
1. Log on as User84, and then start Windows Explorer.
2. Click the Public folder.
3. Right-click Owner.txt, and then click Properties. Windows 2000 displays the Owner Properties dialog box with the General tab active.
4. Click the Security tab to display the permissions for Owner.txt. Windows 2000 displays the Security message box, indicating that you can view only the current security information on Owner.txt.
5. Click OK. Windows 2000 displays the Owner Properties dialog box with the Security tab active.
6. Click Advanced to display the Access Control Settings For Owner dialog box, and then click the Owner tab. Who is the current owner of Owner.txt?
7. In the Change Owner To box, select User84, and then click Apply. Who is the current owner of Owner.txt?
8. Click Cancel to close the Access Control Settings For Owner dialog box. The Owner Properties dialog box with the Security tab displayed is once again active.
9. Click OK to close the Owner Properties dialog box.
To test permissions for a file as the owner
1. While you are logged on as User84, assign User84 the Full Control permission for the Owner.txt file, and click Apply.
2. Clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box.
3. In the Security dialog box, click Remove.
4. Click OK to close the Owner Properties dialog box.
5. Delete the Owner.txt file.
Exercise 2: Copying and Moving Folders
In this exercise, you will see the effects of permissions and ownership when you copy and move folders.

To create a folder while logged on as a user
1. While you are logged on as User84, in Windows Explorer, in drive C, create a folder named Temp1. What are the permissions that are assigned to the folder? Who is the owner? Why?
2. Close all applications, and then log off Windows 2000.
To create a folder while logged on as Administrator
1. Log on as Administrator, and then start Windows Explorer.
2. In drive C, create the following two folders: Temp2 and Temp3. What are the permissions for the folders that you just created? Who is the owner of the Temp2 and Temp3 folders? Why?
3. Remove the Everyone group, and then assign the following permissions to the Temp2 and Temp3 folders. You will have to clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box. To select a group, select the group name in the Name list and then click Add.
Folder | Assign these permissions |
---|---|
Temp2 | Administrators: Full Control; Users: Read & Execute |
Temp3 | Backup Operators: Read & Execute; Users: Full Control |
To copy a folder to another folder within a Windows 2000 NTFS volume
1. In Windows Explorer, copy C:\Temp2 to C:\Temp1 by selecting C:\Temp2, holding down the Ctrl key, and then dragging C:\Temp2 to C:\Temp1. Since this is a copy, C:\Temp2 and C:\Temp1\Temp2 should both exist.
2. Select C:\Temp1\Temp2, and then compare the permissions and ownership with C:\Temp2. Who is the owner of C:\Temp1\Temp2 and what are the permissions? Why?
3. Close all applications, and then log off Windows 2000.
To move a folder within the same NTFS volume
1. Log on as User84.
2. In Windows Explorer, select C:\Temp3, and then move it to C:\Temp1. What happens to the permissions and ownership for C:\Temp1\Temp3? Why?
3. Close all windows and log off.
Exercise 3: Deleting a File with All Permissions Denied
In this exercise, you will grant a user Full Control permission to a folder but deny all permissions to a file in the folder. You will then observe what happens when the user attempts to delete that file.

To assign the Full Control permission for a folder
1. Log on as Administrator, and then start Windows Explorer.
2. Expand drive C, and then create a folder named Fullaccess.
3. Verify that the Everyone group has the Full Control permission for the Fullaccess folder.
To create a file and deny access to it
1. In the Fullaccess folder, create a text file named Noaccess.txt.
2. Deny the Everyone group the Full Control permission for the Noaccess.txt file. Windows 2000 displays the Security dialog box with the following message:
To view the result of the Full Control permission for a folder
1. In Windows Explorer, double-click Noaccess.txt in the Fullaccess folder to open the file. Were you successful? Why or why not?
2. Click the Start button, point to Programs, point to Accessories, and then click Command Prompt.
3. Change to C:\Fullaccess.
4. Delete Noaccess.txt. Were you successful? Why or why not? How would you prevent users with Full Control permission for a folder from deleting a file in that folder for which they have been denied the Full Control permission?
5. Close all windows and log off Windows 2000.
Lesson Summary
When you assign or modify NTFS permissions for files and folders, problems might arise. Troubleshooting these problems is important to keep resources available to users. In this lesson, you learned some common permissions problems and some possible solutions to resolve these problems. In the practice exercises for this lesson, you determined the permissions for a file, assigned the Take Ownership permission to a user account, and then took ownership as that user. You also observed the effects of permissions and ownership when you copy and move folders. Finally, in these exercises you practiced assigning permissions to a folder and a file, and then you observed the results when a user has Full Control permission to a folder and has been denied all permissions to a file in that folder.