
Setting Permissions

It is necessary for both SYSTEM and ADMINISTRATOR to have full control over a file (or the directory folder it is in) in order for Diskeeper to have access to move the file. This is because the Diskeeper service runs under the Administrator account, and System access is necessary to safely defragment files. This is a security feature that is governed by the Windows NT C2 security requirements.

Therefore, you should confirm that the permissions in the registry and in the root directory of each NTFS partition have "Type of Access" set to "Full Control" for both Administrator and System. These settings should not conflict with any security plan you have in place, since membership in the Administrator group should be very restricted, and System access applies only to the operating system, not users.

The account you are logged into must be a member of the Administrators group (and Domain Admin, if applicable), but no other groups.

Setting permissions on the root of the drive:
  1. Start EXPLORER
  2. Right click the root directory for the partition.
  3. Click PROPERTIES, click SECURITY, then click PERMISSIONS
  4. Highlight ADMINISTRATOR
  5. Set TYPE OF ACCESS to FULL CONTROL
  6. If SYSTEM is not listed, click ADD and select SYSTEM
  7. Highlight SYSTEM
  8. Set TYPE OF ACCESS to FULL CONTROL
  9. DE-SELECT the REPLACE PERMISSIONS ON EXISTING FILES check box (it is checked by default)
  10. Click OK

 

Note: On an existing partition, if you have modified security settings on any subdirectories, then the "Replace permissions ..." options will overwrite the old settings. If you've modified the settings, for user directories for example, you will not want to overwrite them. Use the method below to add the needed settings to the existing ones. However, if this is a new partition or you are certain that you can overwrite existing settings, go ahead and use these options and skip the 'cacls' step below.

 

Adding System and Administrator to Sub Directories.

This procedure uses a utility called CACLS.exe which is on the NT distribution CD. You can find more information about this utility in Windows help. Type cacls in the index tab.

Open a command line window and go to the root of the drive you want to change the permissions on.

Type the command:

cacls * /e /t /g "YOUR_DOMAIN\Domain Admins":F Administrators:F SYSTEM:F

SPECIAL NOTE: If you see the message "Unable to perform a security operation on an object which has no associated security", you are executing this from a FAT partition; you must set default to the NTFS partition.

This command would EDIT (/e) the ACLs rather than REPLACE them and recursively apply them (/t) to subdirectories. Any number of ACCOUNT:PERM may follow the GRANT (/g) switch. There is additional flexibility built into the cacls command - its only limitation is the dearth of selections for PERM values.
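To confirm the result of the grant, a saved cacls listing can be checked for directories where SYSTEM or Administrators still lack Full Control. The script below is an added example, not part of the original article or of Diskeeper. It assumes the listing layout "path, first ACE, further ACEs indented on continuation lines", and its sample paths and the EXAMPLE domain are constructed.

```python
import re

# One ACE as assumed from cacls listings: ACCOUNT:(flags)PERM
ACE_RE = re.compile(r"^(?P<account>.+?):(?P<flags>(?:\([A-Z]+\))*)(?P<perm>[A-Z])$")
REQUIRED = ("SYSTEM", "Administrators")  # principals the article wants at Full Control

def parse_cacls(text):
    """Return {path: [(account, flags, perm), ...]} from cacls listing text."""
    records, aces = {}, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not line.strip():
            continue
        if line[0].isspace():                  # continuation line: another ACE
            m = ACE_RE.match(line.strip())
            if m and aces is not None:
                aces.append(m.group("account", "flags", "perm"))
            continue
        # Header line = path + first ACE. The ACE starts at the column where the
        # next continuation line is indented; without one, keep the line whole.
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        col = len(nxt) - len(nxt.lstrip()) if nxt.strip() and nxt[0].isspace() else 0
        path, first = (line[:col].rstrip(), line[col:]) if col else (line, line)
        aces = records.setdefault(path, [])
        m = ACE_RE.match(first.strip())
        if m:
            aces.append(m.group("account", "flags", "perm"))
    return records

def missing_full_control(text, required=REQUIRED):
    """Map each path to the required principals lacking effective Full Control."""
    report = {}
    for path, aces in parse_cacls(text).items():
        # (IO) marks an inherit-only ACE, which does not apply to the object itself.
        have = {acct.rsplit("\\", 1)[-1].lower()
                for acct, flags, perm in aces if perm == "F" and "(IO)" not in flags}
        lacking = [p for p in required if p.lower() not in have]
        if lacking:
            report[path] = lacking
    return report

# Constructed sample listing (not captured from a real system).
SAMPLE = r"""
D:\Apps BUILTIN\Administrators:(OI)(CI)F
        NT AUTHORITY\SYSTEM:(OI)(CI)F
        Everyone:(OI)(CI)R
D:\Users\jdoe EXAMPLE\jdoe:(OI)(CI)F
              BUILTIN\Administrators:(OI)(CI)F
D:\Old Data BUILTIN\Administrators:(OI)(CI)F
            NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
"""

if __name__ == "__main__":
    for path, lacking in missing_full_control(SAMPLE).items():
        print(f"{path}: missing Full Control for {', '.join(lacking)}")
```

A directory listed with a single ACE is reported with its whole listing line as the label, since the path cannot be separated from the account without a continuation line.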

 

Setting Permissions in the registry NT4.0

Caution: Editing the registry can be extremely dangerous and can disrupt your system to the point where your only option is to re-install Windows NT.

Even if you know exactly what you are doing and are completely certain what the results will be, it is good policy always to back up your registry before making any changes. If you observe all precautions and don't "experiment", the registry may become one of your favorite tuning tools.

  1. From the Desktop, click START, then RUN
  2. Type REGEDT32 for the command and click OK
  3. Under HKEY_LOCAL_MACHINE, highlight SECURITY
  4. In the Menu Bar, click SECURITY, then PERMISSIONS
  5. Highlight ADMINISTRATOR
  6. Set TYPE OF ACCESS to FULL CONTROL
  7. If SYSTEM is not listed, click ADD and select SYSTEM
  8. Highlight SYSTEM
  9. Set TYPE OF ACCESS to FULL CONTROL
  10. Select the REPLACE PERMISSIONS ON ALL SUBKEYS check box
  11. Click OK
  12. Exit the Registry Editor to the Program Manager (or Desktop)

 

If you have any comments about this article or any requests for new technical articles e-mail

 

Executive Software Europe