Admin Tip #110: NT / Windows 2000 NTFS Permissions Gotcha!



You can get yourself caught in a real gotcha if you use Windows 2000 or Windows XP to set NTFS permissions on Windows NT boxes. NT has NTFSv4 and Windows 2000 has NTFSv5, and Windows 2000 has more security options in NTFS than Windows NT. In W2K and XP you have more options related to denying access, a much finer-grained control than NT was supposed to offer. Microsoft has done it again: in one of the service packs, SP5 or SP6, they slipped some of the W2K NTFS functionality into NTFS on NT. It still does not support inherited permissions as W2K does.

Ah! I hear you now: that means there is no problem. Unfortunately, that isn't so. If you forever after use W2K or XP to set permissions on NT boxes, you will probably be OK, since they have the security templates to support the extended ACL attributes.

What happens if you use NT4 to view or set permissions on an NT box whose NTFSv4 permissions were set from an NTFSv5 box, which supports the extended set of ACL attributes? NT tells you:

The security information for path is not standard and cannot be displayed. Windows NT 3.x and Windows NT 4.0 support certain features such as DenyAccess Control Entries but cannot edit security information which uses these features. The information may have been modified by a computer running Windows NT 5.0, which supports these features and can edit information which uses them.

Do you want to overwrite the current security information?

You are in a kind of catch-22, and you now have to make a choice. If you say Yes, NT4 will eliminate all NTFS permissions. You will wind up with a blank slate and will have to either restore from a backup or manually reset the correct NTFSv4 permissions. If you say No, you can back out and use Windows 2000 or Windows XP to manage the NT permissions.

You can get a consistent ACL editor for both NT and Windows 2000 if you install the SP4 Security Configuration Manager on all your NT servers. The SCM has the same security templates that W2K has, and thus manages permissions on NTFSv4 the same way W2K does. It doesn't upgrade NTFS from NTFSv4 to NTFSv5; it simply manages the ACLs consistently with the W2K ACL manager.

It's your choice, but any choice other than upgrading your servers to Windows 2000 leaves a potential permission time bomb.

Now, I ask you: are your administrators using Windows 2000 workstations to manage Windows NT servers? At least for setting permission ACLs, this might not be a good idea if they sometimes work from the NT server consoles. Are you going to put the Security Configuration Manager on all your NT servers? Check Q218934. Which way are you going to jump?
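To see which entries of an ACL carry the features discussed above before anyone answers Yes to that prompt, the following added example (not part of the original tip, and not Microsoft's code) walks a binary ACL and reports deny ACEs and ACEs with the inherited flag. Treating exactly those two features as the ones to review is an assumption drawn from the text above, not the NT4 editor's actual logic, and the sample ACL bytes are constructed for illustration.

```python
import struct

ACCESS_ALLOWED, ACCESS_DENIED = 0x00, 0x01  # ACE types from winnt.h
INHERITED_ACE = 0x10                        # ACE flag introduced with Windows 2000

def parse_sid(buf):
    """Render a binary SID as S-<revision>-<authority>-<subauthorities>."""
    if len(buf) < 8 or len(buf) < 8 + 4 * buf[1]:
        raise ValueError("truncated SID")
    subs = struct.unpack_from("<%dI" % buf[1], buf, 8)
    return "-".join(str(p) for p in ("S", buf[0], int.from_bytes(buf[2:8], "big"), *subs))

def parse_acl(acl):
    """Return [(ace_type, ace_flags, access_mask, sid)] for a binary ACL."""
    _rev, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", acl, 0)
    if acl_size > len(acl):
        raise ValueError("ACL header claims more bytes than supplied")
    aces, off = [], 8
    for _ in range(ace_count):
        if off + 8 > acl_size:
            raise ValueError("ACE header overruns the ACL")
        ace_type, flags, size, mask = struct.unpack_from("<BBHI", acl, off)
        if size < 8 or off + size > acl_size:
            raise ValueError("bad ACE size")
        known = ace_type in (ACCESS_ALLOWED, ACCESS_DENIED)
        sid = parse_sid(acl[off + 8:off + size]) if known else None
        aces.append((ace_type, flags, mask, sid))
        off += size
    return aces

def nt4_editor_concerns(acl):
    """List (ace_index, sid, reason) for ACEs to review before opening the NT4 editor."""
    out = []
    for i, (ace_type, flags, _mask, sid) in enumerate(parse_acl(acl)):
        if ace_type == ACCESS_DENIED:
            out.append((i, sid, "deny ACE"))
        if flags & INHERITED_ACE:
            out.append((i, sid, "inherited ACE"))
    return out

# Constructed sample ACL (hand-built bytes, not captured from a real volume).
SAMPLE_ACL = bytes.fromhex(
    "02 00 48 00 03 00 00 00 "  # ACL header: revision 2, 72 bytes, 3 ACEs
    "01 00 14 00 00 00 01 00 01 01 00 00 00 00 00 01 00 00 00 00 "  # deny DELETE, Everyone
    "00 10 18 00 ff 01 1f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 "  # inherited
    "00 00 14 00 a9 00 12 00 01 01 00 00 00 00 00 01 00 00 00 00")  # allow read, Everyone

if __name__ == "__main__":
    print(nt4_editor_concerns(SAMPLE_ACL))
```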
