\[Editor's Note: Do you have a security-related question about Windows 2000? Send it to [email protected], and you might see the answer in this column!\]
A colleague recently reorganized permissions and user rights on our file server, and now our engineering department can't use a certain application that maintains thousands of design-plan files. The application's vendor is out of business, and the application doesn't identify exactly which files we can't access or whether the problem has to do with the rights for the user account we used for the service. For the time being, we've added the engineering staff users and the application's service account to the Administrators group. How can I diagnose what's gone wrong?
I've solved many problems like this simply by enabling failure auditing for each of the nine audit categories on the server and all workstations that use an application. You also need to enable failure auditing on the top-level folders in which the application is stored for any files that the application accesses. Next, clear your Security log and attempt the operation that's failing. Then, check your Security log for failure audits. The log should list any objects that can't be accessed or whether the application tried to use a certain user right and failed. (For more information about enabling auditing, see my Windows & .NET Magazine articles "Keeping Tabs on Object Access," http://www.winnetmag.com, InstantDoc ID 20563, and "Tracking Logon and Logoff Activity in Win2K," http://www.winnetmag.com, InstantDoc ID 16430.)