August 2007 Reader Challenge Winner
Congratulations to the winner of our August 2007 Reader Challenge. A copy of "Windows Vista: The Definitive Guide," from O'Reilly Media, is on its way to Gary McIntosh, of Illinois.
September 2007 Reader Challenge
Solve this month's Vista Update challenge, and you might win a prize! Email your solution (don't use an attachment) to [email protected] by September 13, 2007. You MUST include your full name, and street mailing address (no P.O. Boxes). Without that information, we can't send you a prize if you win, so your answer is eliminated, even if it’s correct. I choose winners at random from the pool of correct entries. I’m a sucker for humor and originality, and a cleverly written correct answer gets an extra chance. Because I receive so many entries each month, I can't reply to respondents, and I never respond to a request for an email receipt. Look for the solutions to this month's problem at http://www.windowsitpro.com/articles/index.cfm?articleid=97000 on September 14, 2007.
The Challenge
An accounting firm called me to help when it wanted to change the way it supported its clients. Clients were assigned to specific employees (bookkeepers and accountants), so each employee had folders for clients on the local drive. The client folders had subfolders to hold accounting database files received from the client, the data from the clients' tax returns, spreadsheets for various types of calculations, and payroll information to produce federal forms. The folders were shared so that bookkeepers and accountants assigned to the same client could access data. Because of the sensitive nature of some of the data, security on each subfolder was carefully configured on a "right to know" basis between bookkeepers and accountants.
This paradigm doesn't work. First, you have to enforce a rule that no employee ever leaves the company, takes a vacation, or gets sick and can't come to work. Otherwise, someone else has to be given the logon name and password of the absent employee, which isn't a great security model. In addition, it meant backups were inconsistent because there's no way to watch or enforce each user's actions on individual computers. Even automated backup functions don't help if users turn off the computer before the backup runs, or leave files open when they go home.
The obvious solution was a data server, creating folder structures based on clients, with subfolders based on client settings (for example, you can't open a client's QuickBooks 2006 file in QuickBooks 2007, work on the file, and return it to the client, because it won't open in the client's older version).
The existing folder structure on the local computers was already set up properly, including security settings, so all I needed to do was copy the structure from each computer to the structure established on the server, right? Well, not exactly. I had to worry about the security settings.
What happens to security settings when you have to shift the paradigm from local computers to a central server that has been set up with a folder structure based on the client settings? Can you answer these questions?
Question 1: If you copy a folder from one computer to another, making it a subfolder of a parent folder on the target computer, the folder and file security settings:
A. Stay the same as they are on the original folder.
B. Change because they inherit the settings of the new parent folder.
Question 2: If you move folders instead of copying them:
A. The rules are reversed.
B. Nothing changes, it's the same as copying.
Answers:
The answer to both questions is B. When you copy or move folders to another computer (or even a different volume on the same computer), by default the security for those files and folders is inherited from the parent folder on the target computer. (If this action takes place on the same volume, there's a difference between copying and moving. Copying causes the folder to inherit the parent folder security, moving maintains the original permissions.)
Solutions:
Don't use the standard GUI tools (e.g., My Computer, My Network Places, Windows Explorer) to perform this task. Depending on the specific circumstances of the task: Use the syntax and power of the robocopy command, which provides switches that manage security along with other powerful functions. Robocopy is built into Windows Vista, and is available in the "Microsoft Windows Server 2003 Resource Kit" at http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en. A GUI-based robocopy is also available for download from Microsoft, for those who don't share my enthusiasm for the command line. Use the /o and /x switches available for the xcopy command, in addition to the switches that keep subfolder structures intact.
