Lesson 5: Troubleshooting Permissions Problems - MCSE Training Kit, Microsoft Windows 2000 Active Directory Services [Electronic resources] نسخه متنی

Lesson 5: Troubleshooting Permissions Problems

When you assign or modify NTFS permissions to files and folders, problems might arise. Troubleshooting these problems is important to keep resources available to users. This lesson describes common permission-related problems and their solutions.

After this lesson, you will be able to

Recognize common reasons why users cannot gain access to resources

Solve common permission-related problems

Estimated lesson time: 5 minutes

Troubleshooting Permissions Problems

Table 9.12 describes some common permissions problems that you might
encounter and provides solutions that you can try to resolve these problems.

Table 9.12 Permissions Problems and Solutions

NOTE
Windows 2000 supports Portable Operating System Interface for UNIX (POSIX) applications that are designed to run on UNIX. On UNIX systems, Full Control permission allows you to delete files in a folder. In Windows 2000, the Full Control permission includes the Delete Subfolders and Files special permission, allowing you the same ability to delete files in that folder regardless of the permissions that you have for the files in the folder.

Avoiding Permissions Problems

The following list provides best practices for implementing NTFS permissions. These guidelines will help you avoid permission problems.

Assign the most restrictive NTFS permissions that still enable users and groups to accomplish necessary tasks.

Assign all permissions at the folder level, not at the file level. Group files in a separate folder for which you want to restrict user access, and then assign that folder restricted access.

For all application executable files, assign Read & Execute and Change Permissions to the Administrators group, and assign Read & Execute to the Users group. Damage to application files is usually a result of accidents and viruses. By assigning Read & Execute to Users and Read & Execute and Change Permissions to Administrators, you can prevent users or viruses from modifying or deleting executable files. To update files, members of the Administrators group can assign Full Control to their user account to make changes and then reassign Read & Execute and Change Permissions to their user account.

Assign Full Control to CREATOR OWNER for public data folders so that users can delete and modify files and folders that they create. Doing so gives the user who creates the file or folder (CREATOR OWNER) full access to only the files or folders that he or she creates in the public data folder.

For public folders, assign Full Control to CREATOR OWNER and Read and Write to the Everyone group. This gives users full access to the files that they create, but members of the Everyone group can only read files in the folder and add files to the folder.

Use long, descriptive names if the resource will be accessed only at the computer. If a folder will eventually be shared, use folder and file names that are accessible by all client computers.

Allow permissions rather than deny permissions. If you do not want a user or group to gain access to a particular folder or file, do not assign permissions. Denying permissions should be an exception, not a common practice.

Practice: Deleting a File with All Permissions Denied

In this exercise you simulate the third problem described in Table 9.12. You grant a user Full Control permission to a folder, but deny all permissions to a file in the folder. You then observe what happens when the user attempts to delete that file.

To assign the Full Control permission for a folder

Log on to your domain as Administrator, then start Windows Explorer.

Expand C:\ (where C:\ is the name of your system drive), then create a folder named Fullaccess.

Verify that the Everyone group has the Full Control permission for the C:\Fullaccess folder.

To create a file and deny access to it

In C:\Fullaccess, create a text file named NOACCESS.TXT.

Clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box. Deny the Everyone group the Full Control permission for the NOACCESS.TXT, then click OK.

Windows 2000 displays the Security dialog box with the following message:

You have denied everyone access to noaccess.txt. No one will be able
to access noaccess.txt and only the owner will be able to change
permissions.
Do you wish to continue?

Click Yes to apply your changes and close the Security dialog box.

To view the result of denying the Full Control permission for a folder

In Windows Explorer, double-click NOACCESS.TXT in C:\Fullaccess to open the file.

Were you successful? Why or why not?

Click Start, point to Programs, point to Accessories, then click Command Prompt.

Type cd fullaccess to change the directory to C:\Fullaccess.

Delete NOACCESS.TXT by typing del noaccess.txt.

Were you successful? Why or why not?

How would you prevent users with Full Control permission for a folder from deleting a file in that folder for which they have been denied the Full Control permission?

Answers

Lesson Summary

When you assign or modify NTFS permissions for files and folders, problems might arise. Troubleshooting these problems is important to keep resources
available to users. In this lesson you learned about some common permissions problems and some possible solutions to resolve these problems.

In the practice portion of this lesson you observed how users can delete a file with all permissions denied.