GuardianOS permissions FAQ (Windows environment)

Version 1

    This article contains questions and answers to help understand Windows permission management on Guardian OS base servers.




    1. Q. How are share level permissions managed?
    2. A. Share level permissions are designed to be managed from the web interface. From the main web administration page, navigate to the Security>>Shares page to assign rights to shares.


    1. Q. How are file and folder level permissions managed?
    2. A. Access permissions for files and directories are set using native Windows NT, 2000, 2003, or XP security tools.


    1. Q. What are the levels of file or folder access permissions supported?
    2. A. Guardian OS supports 6 permission bits. They are described below:
    3. 1. Read - Grants complete read access. It is a combination of List Folder/ Read Data, Read Attributes, Read Extended Attributes, Read Permissions.
    4. 2. Write - Grants complete write access. A combination of Create Files/Write Data, Create Folders/ Append Data, Write Attributes, and Write Extended Attributes.
    5. 3. Execute - Allows traversal of the directory.
    6. 4. Delete - Grants the user the permission to delete the file/directory.
    7. 5. Change Permissions - Grants the user rights to modify the permissions (ACLs) on the file/directory.
    8. 6. Take Ownership - Gives the user the ability to take ownership of the file/directory.


    1. Q. How do Guardian OS and Windows NTFS differ in processing file or folder permissions?
    2. A. Guardian OS permissions are processed differently than permissions on an NTFS Windows system. When a user attempts to perform an action on a file and directory, Windows collects all permissions that apply to the user before deciding whether to allow the user to perform the action. The Guardian OS uses the first applicable permission it finds to decide whether to allow the user to perform the action.


    The Guardian OS searches for access permissions in the following order:

    1. 1. User owner
    2. 2. User
    3. 3. Group owner
    4. 4. Group
    5. 5. Everyone


    When a match is found, the search stops and the specified access permission is applied.


    However, there are exceptions to this rule.

    *If the User owner, User, and Group owner (primary group) does not apply while there are other groups (supplementary groups) that do, the user will be given the highest permission value for Read(4), Write(2), and Execute(1) bits. Delete, Change Permissions and Take Ownership bits are summed from all applicable groups. So a user belonging to more than one group will be provided with read/write access if they belong to a group with read/write, even if they belong to another group with read-only access.


    *This exception also takes effect if the Group owner applies but all permission bits for the Group owner are turned off. However, if any permission is set for the Group owner, the Group owner?s permission applies even if the user is part of another group with more rights.


    1. Q. What is the Group owner?
    2. A. The Group owner is the main group a user belongs to. Every user belongs to a primary group. The main point of this group for POSIX systems is to provide a default group for file ownership, since POSIX filesystems require both User Owner and Group Owner permissions. The way this works in practice for GuardianOS is as follows: When a user of any type (Windows domain, local, NIS) creates a file, the group owner will be set to the user?s primary group. In Windows Active Directory/Domains, Domain Users is the primary group for newly created accounts by default. This can be changed on the Domain Controller per user if desired.


    1. Q. How can the primary group for a domain user be changed?
    2. A.  A domain user?s primary group can be changed within the built-in Windows user management tool. For Windows NT domains, the tool is User Manager. For Windows 2000/2003 domains, use the management console for Active Directory Users and Computers. The option to set a user?s primary group can be found under the user?s group membership tab.


    1. Q. Why do Domain Users reappear after the group is removed from the security?
    2. A. This behavior is expected if the user who created the file or folder has Domain Users set for his or her primary group. By default, Domain Users is the primary group new users added to the domain. The User owner and Group owner of a file or folder cannot be removed from the security list. Although the group reappears in the access control entry, it will not have permissions checked.


    The security tab is no longer available or permissions cannot be changed after permissions were accidentally removed, how can the permissions be changed or reset?


    Option 1. Regardless of file-level access settings, a user has access to change permissions of file and folder he/she owns. To change the permissions, connect to the server as the owner. Browse to the problematic file/folder from a Windows NT base client and take ownership. Finally set the permissions as you would like them, including giving take ownership permissions back to the user that should be the owner.


    Option 2. Map a drive to the server as the Domain Administrator account and take ownership of the folder. The Domain Administrator is a unique account that is capable of taking ownership while the Snap server is joined to the domain.


    Option 3. If the affected folder is located at the root of the volume, a trick is to resetting the security on the folder is to toggle the SnapTree security model for the folder. Changing a SnapTree\'s security model resets file-level permissions for the files and folders within it to full access for everyone, though ownership is retained. Remember to set the security model back to Windows.


    Option 4. Factory default reset the permissions on the entire volume. Navigate to the Maintenance>>Factory Defaults page of the web administration. Select the option to Reset to default ACLs for volume.


    1. Q. What are the steps to take ownership of a folder in Windows 2000/XP?
    2. A. In Windows Explorer, right click the folder and select the Properties. Click on the Security tab. Click on the Advanced button. Click the Owner tab. The current owner of the item is displayed. Select the owner to change to. Click on the OK button.


    1. Q. What is a good tool for migrating data from a Windows system to the Snap server?

    2. A. XCOPY with the /O switch is capable of copying data to the Snap server and preserving ownership and permissions for most setups. The Snap server should be joined to the domain and the task should be performed by the Domain Administrator account. Keep in mind the Guardian OS does not support all NTFS permission bits and Guardian OS processes permission differently. If the permissions on source files are out of the range supported by Guardian OS, permissions changes will have to be changed manually after data is copied.


    1. Q. What choice do I have if I must have NTFS in my environment?
    2. A. The Snap has the feature to be utilized as an iSCSI target. Once configured, a Windows server can make use of an iSCSI target as if it were a non-bootable disk drive. Windows server would be able to format the disk to the NTFS file system. For additional information, see the Quick Reference Guide for iSCSI Initiators.