NT / Windows 2000 NTFS Permissions Gotcha!
You can get yourself caught in a real gotcha! if you use Windows 2000 or Windows
XP to set NTFS permissions on Windows NT boxes. NT has NTFSv4 and Windows 2000
has NTFSv5. Windows 2000 has more security options in NTFS than Windows NT. In
W2K and XP you have more options related to denying access, a much finer grained
control than that supposed to be available in NT.
Microsoft has done it again. In one of the SPs, SP5 or SP6, they slipped in some
of the W2K NTFS functionality to NTFS in NT. It still does not support inherited
permissions as W2K does.
Ah! I hear you now. That means there is no problem. Unfortunately, that isn't
so. If you forever after use W2K or XP to set permissions on NT boxes, you will
probably be OK since it has the security templates to support the extended ALC
What happens if you use NT4 to view or set permissions on an NT box that has
had NTFSv4 permissions set from a NTFSv5 box which supports the extended
attribute set of ACLs? NT tells you:
The security information for path is not standard and Do you want to overwrite the current security information?
cannot be displayed. Windows NT 3.x and Windows NT 4.0 support certain features
such as DenyAccess Control Entries but cannot edit security information which
uses these features. The information may have been modified by a computer
running Windows NT 5.0, which supports these features and can edit information
which uses them.
say Yes, NT4 will eliminate all NTFS permissions. You
will wind up with a blank slate and you will have to either restore from a
backup or manually reset the correct NTFSv4 permissions. If you say No then you can backout and use Windows 2000 or Windows XP to
manage the NT permissions.
Do you want to overwrite the current security information?
You can get a consistent ACL editor for both NT and Windows 2000 if
you install the SP4 Security Configuration Manager on all your NT servers. The
SCM has the same security templates which W2K has and thus manages permissions
on the NTFSv4 the same way W2K does. It doesn't upgrade NTFS from NTFSv4 to
NTFSv5, it simply manages the ACLs consistent to W2K ACL manager.
Its your choice but any choice but upgrading your servers to Windows 2000
leaves a potential permission time bomb.
Now, I ask you: are your administrators using Windows 2000 workstations to
manage Windows NT servers? At least for setting permission ACLs, this might not
be a good idea if they sometimes work from the NT server consoles. Are you going
to put the Security Configuration Manager on all your NT servers? Check Q218934.
Which way are you going to jump?
- Q287024 : Permission Inheritance Behavior Between Windows 2000 and
Windows NT 4.0
- Q218934 : Multiple Bugs in Security Configuration Manager MMC
- Q195509 : Installing Security Configuration Manager from SP4
Changes Windows NT 4.0 ACL Editor
- Q195509 : Downloading and Using the Security Configuration Manager
- Q195227 : SP4 Security Configuration Manager Available for
- Q216081 : Installing C2 Security Configuration Manager on Terminal
- SP4 Security Configuration Manager Is Not Compatible with SBS
- Q284849 : Permissions Are Incorrect After Installing Security