locked
WHS losing permissions weekly RRS feed

  • Question

  • WHS, most recent updates in...
    Every week the permissions are lost. First I setup for each user in the house so backups would run. Then in the permissions for the shared folders I added each user. A week later the users are still users but not listed under the permissions.
    This time made permissions with "Everyone", the next week they were gone (the user name "Everyone" under the permissions of the folder).
    Next I made the user part of the build in groups using hte RW_x groups. Guess what in 1 week those were gone too (but now magically the RO_x groups are there). If I go into the RW group, guess what, the users I added are missing from that list too (so not only does RW_x no longer have permisssions but two of the 3 users are missing).
    No AV, no running scheduled tasks, no other user or users working / playing / accessing the WHS.
    So I stopped Windows updates (I thought maybe the forced reboots / updates) well, first the system still updated and rebooted, second it still lost the permissions.
    Yes, it had the green shield with the standard "Windows rebooted because of and update.."
    Tuesday, March 31, 2009 11:13 PM

Answers

  • I'll throw out Option 4 (which WorksForMe):
    Move your webserver operations to a dedicated (read:  not part of the storage pool, and not used for server backups) HDD.
    This way, you can maintain the permissions that you want, and the drive is still a part of the server (but not a part of WHS.)

    -Chris
    [If this post helps to resolve your issue, please click the "Mark as Answer" or "Helpful" button at the top of this message. By marking a post as Answered, or Helpful you help others find the answer faster.]
    Friday, April 3, 2009 3:59 AM
  • Ken & Chris:

    First, thanks for your help.

    Of the four options, I think the 4th is the easieset for me to implement. But of course there is yet another question.

    If I set up another HDD on the Homeserver that is not part of either the storage pool or used for backup, I'm guessing that I won't be able to automatically back up that drive with WHS. Is this correct?

    Mike

    I prefer option 3 to Chris' option 4, tbh. There is no guarantee, in the longer term, that Windows Home Server will continue to allow you to do what you want at all.

    That said, a disk that you have not added to the storage pool or as a backup drive is listed in the console as an available disk (i.e. it could be added to the pool or as a backup disk at a later date), and will not participate in any Windows Home Server functionality.

    I'm not on the WHS team, I just post a lot. :)
    Monday, April 6, 2009 4:48 PM
    Moderator

All replies

  • WHS, most recent updates in...
    Every week the permissions are lost. First I setup for each user in the house so backups would run. Then in the permissions for the shared folders I added each user.

    Are you setting the permissions in the Home Server Console?  If so, does anyone else (other than yourself) have the password for the Console?

    A week later the users are still users but not listed under the permissions.
    This time made permissions with "Everyone", the next week they were gone (the user name "Everyone" under the permissions of the folder).
    Next I made the user part of the build in groups using hte RW_x groups. Guess what in 1 week those were gone too (but now magically the RO_x groups are there). If I go into the RW group, guess what, the users I added are missing from that list too (so not only does RW_x no longer have permisssions but two of the 3 users are missing).
    No AV, no running scheduled tasks, no other user or users working / playing / accessing the WHS.
    So I stopped Windows updates (I thought maybe the forced reboots / updates) well, first the system still updated and rebooted, second it still lost the permissions.
    Yes, it had the green shield with the standard "Windows rebooted because of and update.."

    Wednesday, April 1, 2009 12:24 AM
    Moderator
  • I am having the exact same problem as The Weekly Geek.  Every time WHS gets updated or reboots I lose my permissions. I also tried turning off the automatic updates, but I think the rebooting is what is causing the problem.

    In order to run my web server from WHS, I need Users (HOMESERVER\Users) to have read/write access to certain shares (directories).

    To answer kariaya21's questions:

    1. "Are you setting the permissions in the Home Server Console?"

    No, I set the permissions through the Windows Explorer because the WHS User Access permissions tab doesn't offer the granularity I need.

    2. "does anyone else (other than yourself) have the password for the Console?"

    No, I am the only person who accesses the Console

     

    Wednesday, April 1, 2009 8:06 AM
  • To both The Weekly Geek and To Serve Man :

    Maintenance of Windows Home Server users, user rights, user groups, and permissions outside of the Windows Home Server console is unsupported and known to cause problems related to permissions. There is no need to do this for normal Windows Home Server operation, and to be honest, if you have a need for this sort of manual maintenance, you may well want to consider Windows Server 2003 as a platform for your application.
    I'm not on the WHS team, I just post a lot. :)
    Wednesday, April 1, 2009 12:26 PM
    Moderator
  • Ken:

    I have just discovered that if I right-click on a Share via the WHS Console that it opens the Windows Explorer from which point I can set permissions. Also, the property tabs are different than those when using the Windows Explorer directly from the OS.

    Questions:

    1. Is the above what you mean by maintaining user rights, user groups, and permissions within WHS?

    2. If your answer is no, can you bullet-point a step-by-step procedure for maintaining user rights, user groups, and permissions within WHS?

    Thanks, Mike
    Wednesday, April 1, 2009 5:02 PM
  • The only way you should set permissions is using the Console itself. So on the Shared Folders tab, you can right click a share and select Properties (or you can left click on a share, and select Poperties from the ribbon bar), then set permissions the User Access tab. Or you can select a user on the User Accounts tab, then vie properties for that user and set share access on the Shared Folder Access tab.

    If you right click a share and select Open, you are using Windows Explorer, not the console. This is true even if you right click the sare in the console and select Open.

    I'm not on the WHS team, I just post a lot. :)
    Wednesday, April 1, 2009 5:30 PM
    Moderator
  • Ken:

    I understand what you are saying and I accept that what I am doing cannot/should not be done; however I don't see the solution to my problem. Let me explain my situation in more detail and perhaps you can tell me how better to address my goals.

    I am running IIS on my WHS from which I am serving two different web sites. Both websites are ASP.Net 3.0 with Access database back ends. The websites are running on different ports (8000 & 8010) which are accessible from the Internet.

    I need to run IIS from WHS because it is the only server version of IIS that I have; which I need in order to host two different web sites - both of which are non-commercial sites.

    I have set up the sites as follows:

    D:\shares\
      Websites\
         Website 1\ (Port 8000)
             App_Data\
                 Access Database

         Website 2\ (Port 8010)
             App_Data\
                 Access Database


    Websites is a share set up through the WHS Console.

    Here are the settings I have on the User Access Tab for this share

        User Account          Full      Read       None
        User #1                  X           O            O 
        Guest                     O           O            X 
        User #2                  O           O            X 
        User #3                  O           O            X 


    When I access either website via the internet, I get a pop-up login screen asking me for my Account and Password, but I don't want that. I want to go straight to my website(s). To avoid the pop-up screen I set the permissions via the Windows Explorer to allow Users (HOMESERVER\Users) read / write access. I'm guessing this works because IIS is a user.

    Question:

    If I can't use Windows Explorer to set the permissions:

    1. Should I grant Guest Full access rights? If yes, then where is my security?

    2. Should IIS & the websites be configured differently?

    Thanks, Mike


    Wednesday, April 1, 2009 6:49 PM
  • First, I need to reiterate that the use you're making of your server is unsupported, and probably not an anticipated home use of the product. So I can pretty well guarantee that you're going to struggle with this.

    Rather than give an off-the-cuff answer now, I'm going to come back to this later this evening when I can spend some time to think about your options. There are a couple of options that come to mind, neither of them terribly palatable (IMO).
    I'm not on the WHS team, I just post a lot. :)
    Wednesday, April 1, 2009 7:44 PM
    Moderator
  • Okay, first, the only supported administration tool for Windows Home Server is the Console. If you don't see a way to do what you want in there, there's no way for an end user to do it in a supported fashion.

    So, your basic options are: 

    Do as you suggest and open your web applications up to the world. I can see why you might not want to do this, if there is sensitive information stored in your applications.

    Modify your applications so that they participate in Windows Home Server Remote Access security. There is (sketchy) documentation on how to do this in the Windows Home Server SDK documentation. The results will be limited; every user who's granted Remote Access privileges (i.e. is able to log in to the web site at all) will be granted access to your applications, unless you make additional changes to your applications to enforce additional levels of security.

    Switch your applicaitons to run on a server operating system without the restrictions and limitations of Windows Home Server; probably Windows Server 2003 or 2008. In a lot of ways this is the best option; you can control security as you please, and you don't have to worry about unanticipated interactions between your configuration and the core system processes and configuration. It's expensive, however.

    I'm not on the WHS team, I just post a lot. :)
    Thursday, April 2, 2009 5:31 PM
    Moderator
  • I'll throw out Option 4 (which WorksForMe):
    Move your webserver operations to a dedicated (read:  not part of the storage pool, and not used for server backups) HDD.
    This way, you can maintain the permissions that you want, and the drive is still a part of the server (but not a part of WHS.)

    -Chris
    [If this post helps to resolve your issue, please click the "Mark as Answer" or "Helpful" button at the top of this message. By marking a post as Answered, or Helpful you help others find the answer faster.]
    Friday, April 3, 2009 3:59 AM
  • Ken & Chris:

    First, thanks for your help.

    Of the four options, I think the 4th is the easieset for me to implement. But of course there is yet another question.

    If I set up another HDD on the Homeserver that is not part of either the storage pool or used for backup, I'm guessing that I won't be able to automatically back up that drive with WHS. Is this correct?

    Mike

    Monday, April 6, 2009 4:38 PM
  • Ken & Chris:

    First, thanks for your help.

    Of the four options, I think the 4th is the easieset for me to implement. But of course there is yet another question.

    If I set up another HDD on the Homeserver that is not part of either the storage pool or used for backup, I'm guessing that I won't be able to automatically back up that drive with WHS. Is this correct?

    Mike

    I prefer option 3 to Chris' option 4, tbh. There is no guarantee, in the longer term, that Windows Home Server will continue to allow you to do what you want at all.

    That said, a disk that you have not added to the storage pool or as a backup drive is listed in the console as an available disk (i.e. it could be added to the pool or as a backup disk at a later date), and will not participate in any Windows Home Server functionality.

    I'm not on the WHS team, I just post a lot. :)
    Monday, April 6, 2009 4:48 PM
    Moderator
  • Hi Mike,
    if you use a disk, which is not in the storage pool, this will not interact with the console security features and share management.
    Anyway you could create shared folders manually, and adjust the permissions on them at share and local NTFS level manually using the Windows Explorer or the command prompt on the server, which is unsupported (as Ken already mentioned).
    For  making data in these folders more secure, you could enable Shadow Copies on that volume (to get access to Previous Versions in the properties of the share) and create a scheduled task, which is copying changed data to a regulary share on your home server. That way you would have also redundancy, which does not stop the need of backing up to external storage as well.

    Best greetings from Germany
    Olaf
    Monday, April 6, 2009 7:13 PM
    Moderator