When I try to install new software, use a Control Panel or Computer Management tool, or set up hardware like a printer or network adapter, I get an error message telling me I don't have sufficient privilege to perform the operation. Limited User accounts are not allowed to perform many management functions, or to make changes to the Windows software folder. In general this is a good thing because it prevents unauthorized people (like young children, visitors, or meddlesome in-laws) from making changes to your computer setup. More subtly, it can help prevent rogue software from taking over your computer without your knowledge. If you are using a Limited User account and run into a roadblock because of this, you can either get a Computer Administrator user to perform the task for you, or you can have them change your account to make you a Computer Administrator as well. If you know the password to an Administrator account, just log off and log on again using that account. Access Is Denied Opening a FileWhen I attempt to open a document, I get the message Access is Denied. This can sometimes occur if you are using Fast User Switching and the document is in use by another logged-on user, or if the document was in use by a crashed application. If this is the case, have the other user close the application, or use the Task Manager to kill the errant application. This can also occur if your disk is formatted with the NTFS file system, and you move files from a private My Documents folder to a public folder using the command line move command, or using Windows Explorer on a domain network or on a computer with Simple File Sharing turned off. In this case, the file's security attributes have been moved with the file, so it's still "private." If Simple File Sharing is turned on, one way to fix this is to have the original owner of the file locate the file in Windows Explorer. She or he needs to drag the file to her or his My Documents folder, and then drag it back to the shared location. Explorer will then fix the security settings. A Computer Administrator user can also use the cacls command to change the file's security settings. In a command prompt window, change to the directory containing the file, and type the following command cacls filename /G Everyone:F where filename is the name of the file you're trying to fix. If Simple File Sharing is disabled, the file's owner can right-click the file or its containing folder, select Properties, Security, and add your account the access list. If modifying a folder, have him or her click Advanced and check Replace Permission Entries on All Child Objects. Users Cannot Access Shared ResourceShare permissions are set up with Everyone to have Full Control. The users get a message telling them they don't have permission to access the folder. If you are not using Simple File Sharing, check to be sure that NTFS permissions are not overriding share permissions on the shared resource. Remember that between the two types of permissions, the most restrictive of the permissions apply. Logon Scripts Won't RunI have set up logon scripts for the all users of my machine, but they run only when I log on. Make certain that you have specified the logon script properly in the Profile tab of each user account. Enter just the name of the script file (for example, MYLOGON.BAT). Make certain that the logon scripts are stored in the proper directory (%SYSTEMROOT%\ System32\Repl\Import\Scripts), and make certain that all users have at least Read and Execute permission to the directory. A User Has Access to a Restricted ObjectA user in the Users local group has access to an object that the Users local group is not assigned permissions for. Check to see whether the user belongs to any other groups that have been assigned permissions. Remember that permissions accumulate through groups. If necessary, you can remove groups from those listed as having access to the file, or you can list specific users and/or groups and check the Deny boxes to remove access rights. Security Tab Is Not PresentWhen I select a file, folder, or printer's properties, there is no Security tab. On a domain network, this can occur if the disk drive containing the folder is not formatted with the NTFS file format. If the disk drive is NTFS-formatted, your domain administrator may have disabled your access to the Security dialog. On a standalone computer or workgroup LAN, the Security tab will not appear if the disk was not formatted with NTFS, or if you are using Simple File Sharing. In the latter case Windows manages the security settings for all folders so that it can successfully manage access to shared folders. You can temporarily disable Simple File Sharing while you make access-control changes to non-shared folders, if necessary. To find out if the hard drive is NTFS-formatted, select the drive icon in My Computer. The format type is displayed under Details. Administrator Can't Delete File or FolderI have found some files or folders that can't be deleted even by Administrator. They don't have the Read-Only attribute set, but Windows informs me that access is denied. Sometimes a file or more often a folder is set with access controls such that even Administrator can't access or delete it. To erase such a folder, take ownership of it as described earlier in this chapter. Give Administrator full access rights. Use the Advanced security button to view Advanced Permissions, and check Replace Permission Entries on All Child Objects. Click OK and Apply, and then try to delete the folder again. If you are using Simple File Sharing you will need to disable it temporarily to view the Security properties dialog boxes. (Or, more drastically, boot up your computer in Safe Mode. Even Windows XP Home Edition displays the Security options in Safe Mode.) |