Windows 7 and Windows Server 2008 R2 Event – 8th July

For Windows sys admins, the biggest contacts on your approach radar right now are Windows 7 and Windows Server 2008 R2, due for release later in the year (but due to be completed and released to manufacture next month). This free evening event, right here on the campus, couldn’t be much more timely.

Rik Hepworth, the IT Director at Black Marble, will cover some of the great new features of the new operating systems, including BranchCache, XP Mode and what I personally think is the number one feature, DirectAccess.

This is bound to be a popular event, so sign up early over at the VBUG site.

Re-assigning Administrator permissions on filestores

You may be aware that if you remove the Administrator permissions from your home folder (or any other shared folder) this will cause all sorts of problems as well as prevent backups being taken. Therefore it is strongly advised not to do this.
Who has access to my filestore?

To re-assign administrator permissions, start by opening COMPUTER (or MY COMPUTER if using Windows XP) and type the path of the share you want to fix. If you are unsure what the path is, use cmdinfo to find out.
CMDInfo

My home folder is on tower 1 and home 01, so I shall type \\tower1\home01, and I should only be able to see folders I have permission on.

Right-click on your folder and select Properties. Then select the Security tab.

You may notice tower1\administrators is not there as it should be, so click the Add button.

Type towerX\administrators

Tick the Full Control box to allow full control to towerX\administrators, then click Apply.

Click OK. All child folders and files should now have the administrator permission.
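The same check and repair can be scripted. This is an added example, not part of the original post: the folder name is a placeholder, and it assumes the group name tower1\administrators from the steps above resolves from the PC where the script runs.

```powershell
# Added example, not from the original post. The folder name is a placeholder.
$folder = '\\tower1\home01\<your-folder>'   # placeholder: your folder under the share
$admins = 'tower1\administrators'           # group named in the post; assumed to resolve from this PC

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$sidType     = [System.Security.Principal.SecurityIdentifier]

# Resolve the group to a SID so the comparison does not depend on display names.
$sid = (New-Object System.Security.Principal.NTAccount($admins)).Translate($sidType)

$acl = Get-Acl -LiteralPath $folder

# Is there already an Allow entry (explicit or inherited) granting Full Control?
$present = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
    $_.IdentityReference.Value -eq $sid.Value -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $fullControl) -eq $fullControl
}

if ($present) {
    Write-Output "$admins already has Full Control on $folder"
} else {
    # ContainerInherit + ObjectInherit makes the entry flow down to
    # child folders and files, matching the result of the GUI steps.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $fullControl, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $folder -AclObject $acl
    Write-Output "Added Full Control for $admins on $folder"
}
```

Set-Acl needs the right to change permissions on the folder, the same right the Security tab relies on.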

Filestore Best Practices #2: Consider turning OFF offline files on Desktop Machines

In the CAMPUS domain offline files are turned on by default; the majority of users will have seen the now familiar ‘Synchronising’ dialogue message window which appears when they log off a PC.

However, offline files can cause warning and error messages to be displayed to users. The ISS Helpdesk sees this on a daily basis, and it is becoming a problem. The two main issues appear to be the default excluded file extensions and insufficient disk space on the PC to allow the caching of offline files.

So why are offline files sometimes unnecessary? In Microsoft’s own words “Offline Files: You can use this feature on a portable computer, or on a desktop computer that occasionally connects to your workplace network.”

Approximately 90% of the machines on Campus are Desktop machines which will never leave the confines of their office environment. These machines will still have offline files enabled. There is the argument that should a server fail, offline files will allow you to continue working merrily away, without any knowledge that a problem actually exists. But in reality how often does a server issue occur? And those which do are publicised well in advance during an ‘At-risk’ period. Given the problems that offline files can cause, it’s worth considering whether such machines really need offline files enabled.

ISS provides a Group Policy to switch off offline files on Windows XP machines. The name of this policy is ‘2 Campus Windows XP Turn Offline Files Off’. As an added benefit, your users will see that their log off speed has dramatically increased too.

The Offline Files system in Windows Vista is vastly improved and not activated by default, but you should still consider its use carefully.

SUMMARY: Assess the pros and cons of offline files on Desktop machines in your OU. If they are not benefitting you or your end users then please consider switching them off.

Filestore Best Practices #1: Don’t give full permissions unless you really need to!

A large proportion of the calls to helpdesk relating to the Shared Filestore Service (Turrets) are about broken permissions, with the Share Administrator and often the Server Administrator permissions being removed. This can interfere with day-to-day operations and backup procedures, and become a real problem when it becomes necessary to copy data.

Even more worryingly, there have been occurrences when users have removed folders so that the Share Administrator cannot even see that the folder exists!

Looking over some random shares it seems that nearly all of the folders assigned to users are set with ‘Full Control’. This is not necessary for users to have read\write access.

Let’s have a look at each type of permission and what it really means:

Full Control

Change permissions and take ownership, plus perform the actions permitted by all other NTFS file permissions

Modify

Modify and delete the file plus perform the actions permitted by the Write permission and the Read & Execute permission

Read & Execute

Run applications plus perform the actions permitted by the Read permission

Read

Read the file, and view file attributes, ownership, and permissions

Write

Overwrite the file, change file attributes, and view file ownership and permissions

The problems we have are often around a poor understanding of permissions, but are usually caused by end-users with ‘Full Control’ who try to set permissions themselves. In 99% of cases this is not required, and users who need to work with and change files in a folder can accomplish this with ‘Modify’ access.

Modify

SUMMARY: Look at your folders. Do the assigned users need to have rights to change permissions? If not, take them away by changing ‘Full Control’ to ‘Modify’.
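To carry out that review across a whole share, the script below lists every explicit ‘Full Control’ entry held by a non-administrative account and can swap it for ‘Modify’. It is an added example, not ISS's own tooling: the share path, the exempt-account list and the function names are assumptions to adapt.

```powershell
# Added example. $share and $exempt are assumptions; add your Share Administrator group to $exempt.
$share  = '\\tower1\home01'
$exempt = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
$full   = [System.Security.AccessControl.FileSystemRights]::FullControl

# Report explicit (non-inherited) Allow entries granting Full Control
# on each top-level folder of the share, skipping exempt accounts.
function Get-FullControlEntry {
    param([string]$Path, [string[]]$Exempt)
    foreach ($dir in Get-ChildItem -LiteralPath $Path | Where-Object { $_.PSIsContainer }) {
        foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and -not $ace.IsInherited -and
                ($ace.FileSystemRights -band $full) -eq $full -and
                $Exempt -notcontains $ace.IdentityReference.Value) {
                New-Object PSObject -Property @{
                    Folder = $dir.FullName
                    Identity = $ace.IdentityReference.Value
                    Rule = $ace
                }
            }
        }
    }
}

# Replace one reported entry with Modify, keeping its inheritance settings.
function Set-ModifyInsteadOfFull {
    param($Entry)
    $acl = Get-Acl -LiteralPath $Entry.Folder
    $modify = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Entry.Rule.IdentityReference, 'Modify',
        $Entry.Rule.InheritanceFlags, $Entry.Rule.PropagationFlags, 'Allow')
    # SetAccessRule drops every existing Allow entry for this identity
    # and adds the Modify entry in its place.
    $acl.SetAccessRule($modify)
    Set-Acl -LiteralPath $Entry.Folder -AclObject $acl
}

# Report first and review the output before changing anything.
$findings = @(Get-FullControlEntry -Path $share -Exempt $exempt)
$findings | Select-Object Folder, Identity | Format-Table -AutoSize

# After reviewing the report, uncomment to apply the change:
# $findings | ForEach-Object { Set-ModifyInsteadOfFull -Entry $_ }
```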