Troubleshooting Security Issues



The most common problems related to the security topics covered in this chapter are permissions problems, usually caused by someone changing the permissions on a file or folder without first checking the possible impact. Fortunately, there are tools and straightforward processes for checking what security permissions have been set and where.

Common Access Problems

The following are commonly encountered problems related to file/folder access:

  • Lack of permissions: A user is expecting to be able to access a file or folder but cannot because permissions have not been set on the file or folder. The user may not belong to a group that does have the desired permissions, or the permissions may not have been applied.

  • Too many permissions: A common reaction of an inexperienced system administrator is to simply grant Full Control to more and more groups until access issues are resolved. Often having the system wide open is more problematic than being too restrictive.

  • Permission conflicts: In most cases, conflicts occur when a Deny permission is set and yields unexpected results. In many cases, restricting access to resources can be better handled by removing permissions than by denying them.

  • Files or folders moved or copied: When files and folders are moved or copied to different volumes using Explorer, the permission settings may not transfer as expected. After copying a set of files or folders, double-check the resulting permissions to see that they match those of the original location.

  • NTFS and share permissions in conflict: When NTFS and share permissions are not in sync, users generally report that they have limited access to the files they are trying to use.

Although there is no guaranteed, one-size-fits-all rulebook for troubleshooting access problems, some general steps can be followed to help identify where the problem lies:

1. Listen, listen, and then listen some more. When an access problem is described, try to get an understanding of exactly what is happening. The best technician is going to be less effective if the problem is not understood fully. Take the time up front to get as much detail as possible before heading down the wrong troubleshooting path.

2. Examine group memberships for the user in question. In most SBS environments, group memberships will not change much from the defaults applied when the user account is created. However, if a user belongs to two groups that have conflicting permissions on a file or folder, looking first at the group membership may help quickly find the source of the conflict.

3. Examine the files or folders that are being accessed. Sometimes it's best to look for the obvious before hunting down the obscure. Check to make sure that the files or folders exist in the expected location. Check for read-only flags on files. Look to see whether explicit NTFS permissions have been assigned to files instead of the containing folders, and then ask why. Check for the presence of the CREATOR OWNER group and that it has appropriate permissions. Look up the folder path to see whether any Deny permissions have been set along the way.

4. Check the permissions on the share being used to access the files and folders. Look to see whether multiple shares have been created to access the same folder on the server volume. Different shares can be assigned different permissions, which can lead to confusion. Make sure that the share has the same desired maximum permissions that are assigned in the NTFS permissions.
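
The checks in steps 3 and 4 can also be run from a script. The following PowerShell is an added example, not part of the original chapter; it assumes PowerShell 3.0 or later with the SmbShare module (Windows Server 2012 or newer), and the function names and folder path are hypothetical.

```powershell
# Added example: read-only checks for steps 3 and 4. Function names and $Folder are hypothetical.
# Assumes PowerShell 3.0+ and the SmbShare module; run elevated on the file server.
function Get-DenyOnPath {            # step 3: Deny ACEs on the folder and every parent
    param([string]$Path)
    $current = (Get-Item -LiteralPath $Path).FullName
    while ($current) {
        foreach ($ace in (Get-Acl -LiteralPath $current).Access) {
            if ($ace.AccessControlType -eq 'Deny') {
                [pscustomobject]@{
                    Path      = $current
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
        $current = Split-Path -Path $current -Parent   # empty string at the volume root ends the loop
    }
}

function Get-FileOddity {            # step 3: read-only flags and explicit ACEs on files
    param([string]$Path)
    foreach ($file in Get-ChildItem -LiteralPath $Path -File) {
        $explicit = @((Get-Acl -LiteralPath $file.FullName).Access | Where-Object { -not $_.IsInherited })
        if ($file.IsReadOnly -or $explicit.Count -gt 0) {
            [pscustomobject]@{
                File         = $file.Name
                ReadOnly     = $file.IsReadOnly
                ExplicitAces = ($explicit | ForEach-Object {
                    '{0} {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
                }) -join '; '
            }
        }
    }
}

function Get-ShareCoveringPath {     # step 4: every share that exposes the folder, with its ACL
    param([string]$Path)
    $full = (Get-Item -LiteralPath $Path).FullName.TrimEnd('\') + '\'
    Get-SmbShare |
        Where-Object { $_.Path -and $full.StartsWith($_.Path.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase) } |
        ForEach-Object { Get-SmbShareAccess -Name $_.Name } |
        Select-Object Name, AccountName, AccessControlType, AccessRight
}

$Folder = 'D:\Data\Projects'         # hypothetical folder the user reports trouble with
Get-DenyOnPath $Folder        | Format-Table -AutoSize
Get-FileOddity $Folder        | Format-Table -AutoSize
Get-ShareCoveringPath $Folder | Format-Table -AutoSize
```

Any Deny row, or more than one share listed for the same folder with different access rights, is the first place to look.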

Effective Permissions

One quick way to see whether a user has the permissions expected in a folder is to look at the user's effective permissions for that folder. When a user belongs to multiple groups, or multiple permission assignments have been inherited down a folder tree, it may not be readily apparent what permissions the user actually has in a given location. Fortunately, the Effective Permissions tool can display that information without much time or effort.

The Effective Permissions tab is located in the Advanced Settings dialog box of a file or folder's Security settings, as shown in Figure 9.10. To verify user or group NTFS permissions settings, open the Effective Permissions tab, click Select, identify the appropriate object, and click OK. When the dialog updates, you see the permissions that the user or group has on the particular file or folder. In this example, if the user Jayne Dough was reporting problems saving files into a directory, you could see from the Effective Permissions window that the account only had Read access to the folder.

Figure 9.10. Viewing effective permissions for a user on a folder.