Jump to content
  • 0

Permissions - WHS 2011


Mick Mickle

Question

I'm not sure all of this is DrivePool related, but I'm having an issue with folder access for users. To resolve it, I ran the WSSTroubleshooter Reset NTSF Permissions on the Pool. That leaves user folder access in Dashboard in the "No access" state, yet the server shares are accessible by all users on the network. (I don't recall zero security being the default for WHS 2011 server folders, but maybe it was. I assume setting all the accesses in Dashboard will put things right, as instructions say.)

 

However, when I try to set a user's folder access from "no access" to "Read/Write", I get a pop-up up error saying, "Cannot retrieve or change the user account information. If this problem persists, restart the server, and try again." (I was getting this error before WSSTroubleshooter, as well.) Has anyone seen this problem and know how to fix it?

Link to comment
Share on other sites

11 answers to this question

Recommended Posts

  • 0

Well, since I'm assuming you're restarted the server like it recommends....

Run "services.msc" on the server, and check to see if any of the "Windows Server" services are not running (there should be a couple that aren't).

Please list any that aren'.

 

Also, have you checked the event viewer on the server for any errors related to users or WHS?

 

 

Additionally, you can change things manually.

Specifically, just add the user to the NTFS Permissions on the file.

 

And as for the ntfs permission state, you are correct. But the settings used are to guarantee that the files are 100% accessible and that nothing should prevent you from accessing the files. After they've been put into this state, you change them as you see fit. But DO NOT mess with the SYSTEM account settings, as this is the account that DrivePool uses (for grabbing info, duplication and balancing). The "Users" and "Authenticated Users" entries can be deleted, if you wish.

Link to comment
Share on other sites

  • 0

Actually, there's only one "Windows Server" service that's not running, and that's Windows Server Initialization Service.  (This is a Hyper-V VM, if that makes a difference.)  Unfortunately, I haven't found anything related in the Event Viewer.  And, yes, the server has been restarted several times.

 

The error message is a bit sporadic.  For example, I may change one or several folders access level for a user without error.  Or, I can change all of the folders (or one with lots of nested folders) for a user and have the error stop the action -- but the access level may have been effective for some or most of the folders before the error occurs.

 

Thanks for the good information on the designed permission state after using WSS Troubleshooter.

Link to comment
Share on other sites

  • 0

Mick, that's the one service that *shouldn't* be running, except for at startup. And then it ends. So, that's all good from a service standpoint.

 

 

And okay, I just wanted to make sure that it was rebooted. 

There is one more place to look for logs here... and I'm not entirely sure they'll be helpful though.

 

On the server, head to "C:\ProgramData\Microsoft\Windows Server\Logs", and zip up all of the longs there. Then PM me the zipped logs. Please don't post them here, as there can be somewhat sensitive data there. If the logs are too large to attach, then just upload them to a cloud storage location, and PM a link to them.

Link to comment
Share on other sites

  • 0

Thanks.  One point of clarification now, though: 

 

And as for the ntfs permission state, you are correct. But the settings used are to guarantee that the files are 100% accessible and that nothing should prevent you from accessing the files. After they've been put into this state, you change them as you see fit. But DO NOT mess with the SYSTEM account settings, as this is the account that DrivePool uses (for grabbing info, duplication and balancing). The "Users" and "Authenticated Users" entries can be deleted, if you wish.

 

At what point do the folders become accessible only according to how users are supposed to be setup in Dashboard?  In other words, after the reset of NTFS permissions using WSS Troubleshooter, everyone has effective access -- that's according to design as you explained.  But Dashboard says "No access" for all users at that stage.  Setting a user to "Read/Write" for all applicable folders will take effect when the changes are applied.  However, it would seem that each and every user and folder would need to be "touched" by the Dashboard Shared folders/Users access setting tool in order to restrict access as desired.  If you don't explicitly change a user's folder access, does that user still have the "everyone" access even though "no access" is displayed in Dashboard?  The behavior of the NTFS permission state after WSS Troubleshooter is important to be clear on, especially if you have lots of users with remote access (or even just a few LAN users but you want to ensure appropriate access).

Link to comment
Share on other sites

  • 0

The dashboard looks for the specific user's access. Like for example, if you had a user "Mick", it would look for that account and it's privileges on the "share" in "Server Folder". You can verify that yourself, by checking the permissions (on lets say "Videos"). It will have "SYSTEM", "Administrators" and "Mick" listed for the users. If it doesn't have "Mick", then the dashboard would report "No Access". And if it has read access, well, "Read Only", and so on.

 

As for making sure use access works 100% as expected. Delete the "users" and "Authenticated Users" on each share. Or do it to "ServerFolders" and "replace child entries". Just note, that until you add the specifically defined entries for each folder, you may not be able to access the files locally.

 

Sorry if all of this is confusing... but NTFS security permissions *are* confusing and if you don't thoroughly understand them, it can be even more so. 

And as I said, the tool is meant to leave the pool in a 100% workable state (same permissions as if your formated, BTW). 

Link to comment
Share on other sites

  • 0

As for making sure user access works 100% as expected. Delete the "Users" and "Authenticated Users" on each share. Or do it to "ServerFolders" and "replace child entries". Just note, that until you add the specifically defined entries for each folder, you may not be able to access the files locally.

 

. . . the tool is meant to leave the pool in a 100% workable state . . . .

 

Got it! 

 

I recommend that you elaborate a little in the Wiki instructions for the WSS Troubleshooter under the Reset NTSF Permissions section. While the intent of the tool to leave the pool in a fully accessible state is appropriate to restore full capability, the server folders aren't in the secure state they were in when created using Dashboard.  Even after you adjust all of the users' folder access levels back to where you want them, "User X", who you don't trust to access anything but a Public folder, will have access to all of them until you delete the "Users" and "Authenticated Users". 

 

I like the idea of applying the removal of those two user groups in one sweep at the ServerFolders level on the DrivePool disk.  But it requires turning "off the option for inheriting permissions."  It looks like that's done under ServerFolders Properties/Security/Advanced/Change Permissions, but unchecking produces a warning box that there could be consequences.  So that would need to be explained step-by-step, I think.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Answer this question...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...