User File Restore

  • General discussion

  • WHS has the ability for a user to restore their complete PC, but, unless I have got it wrong, it requires WHS administrator credentials to restore individual files from a backup.

     

    I believe it is much more likely that a user would want to recover an accidentally deleted or modified file or folder rather than restore their entire PC, yet they need admin level access to do this.

     

    This does not seem logical.

     

    Friday, July 6, 2007 1:37 PM

All replies

  • I had the same thought and in fact I touched on it indirectly in my post

    http://forums.microsoft.com/WindowsHomeServer/ShowPost.aspx?PostID=1833615&SiteID=50

    But you are right, the need for admin access on the server to restore one's own files is not logical at all.

    Monday, July 9, 2007 3:23 AM
  • Allowing users access to the PC backups is a security risk because the backups contain files that they shouldn't have access to. Only the WHS administrator can perform a PC restore.

     

    Ordinary users have permissions to previous versions of files but not to the backups.

    Monday, July 9, 2007 4:07 AM
  • If we were talking about a commercial network I would agree. However, we are not. Take this scenario:

     

    User has been backing up "my docs" or some other folder to an external drive & often wants to recover an earlier version of a file. WHS is IDEAL for this because it automatically backs everything up & makes its own duplicate in the background - all excellent. However if said user wants to recover a file they either have to ask me or have to know the admin p/w. It's logically wrong.

     

    Friday, July 13, 2007 8:39 AM
  • Backups aren't for frequent rollbacks of user changes. They're for disaster recovery. They take too long, and are too invasive, to be restoring from backups all the time. No matter how frustrating a user finds it when they accidentally delete a file, that's user error, not a disaster. Additionally, allowing anyone to restore from a backup will give anyone access to every file backed up from every PC, including files that mom and dad would probably really prefer little Joey not even know about.

    If you want to recover previous versions of files frequently, there are a range of solutions available to you. In the WHS world, the preferred solution is likely to just store the files on the server, where Shadow Copies of Shared Folders is turned on by default. That way, you've got a snapshot that's taken every 12 hours (if the file changes) and can roll the file back to a point in time, or copy the previous version to a different location for comparison.
    Friday, July 13, 2007 11:16 AM
    Moderator
  • Ken hit the real problem with allowing user based restoration:  Backups aren't created or stored on a user by user basis; they are created and stored on a PC by PC basis, and owned by the WHS admin.  Because of this, you can't restrict access to individual backup files by user name, it's all or nothing.

     

    Remember, WHS is NOT a user focused data backup system, it's a Network and Computer focused backup system.  There's a subtle but important difference.  WHS is designed to do complete backups for entire machines on the network, and for ease of restoration in case of catastrophic failure of that machine.  Neither of those actions would typically be performed by individual users, but by the person in the house (consultant if necessary) who initially installed and supports the WHS box.

    Friday, July 13, 2007 12:41 PM
  • Okay maybe I am missing something, but...

    I cannot find any way for a user or even me to access previous versions of the files outside of loading the backup in the WHS console. I have heard much talk of shadow copying and the like, but I cannot find anything like that in the Console in the shares or even logged into the server directly. I am wondering, with all that I have read on the topic of volume shadow copies, whether a compatible OS is needed (as is the case with remote access). If anyone can show me how to access previous versions of files without having to load the backup it would be greatly appreciated.

    Now that I wrote this I am sure that I will either read it in another post or stumble across how to do it myself. But oh well, such is life.



    UPDATE:
    I have managed to get the volume shadow copy to work with previous versions somewhat. But there are 2 main things that I am not sure of.

    1- I had to go in and enable the volume shadow copy services since they were set to manual, and I also had to enable it in computer management. Now I was under the impression that the default in WHS was for these feature(s) to be on.

    and

    2- Even when on and after manually running a "backup", I am still only able to see the previous versions when locally logged into the server. Not when opening the shares on my Vista Home Premium laptop, my XP Pro laptop, nor through the WHS console on either, nor through an RDP session into the WHS box on either. I would think that this last one would at least allow me to see the previous versions, but it does not. I can understand not being able to when viewing the shares, as the OS on both laptops I tested does not natively have the "previous versions" feature. But with the RDP session I would think that, since I am essentially logged on to that computer with the monitor and keyboard but connected via TCP/IP, I would be able to see the previous versions, but alas no.

    So any light on this subject would be greatly appreciated.

     



    Update to the update:

    I am now seeing previous versions in the RDP sessions, so I do not know if something needed to replicate or something, but I know when I checked it 5 minutes before the last edit that tab was not there.

     

    Yet another Update: It is missing again. The previous versions tab is now missing again. It does not matter where I am logging in from. An RDP session from any of the following: Vista Home Premium, Vista Enterprise (without connector software installed, as it is my work-provided laptop), or XP Pro. Or even logging on directly to the WHS machine itself. This is infuriating. But how do I get this to work? Do I need to buy Vista Ultimate to have access to that feature? If so, that is the stupidest thing I have ever heard. I would think that the users who would need this feature the most (like my daughter) are those that are on less full versions of OSes. My daughter does not need, nor do I want her to have, access to all the features of Vista Ultimate. Also, if any Microsoft guy is reading this: please let the powers that be know that the Previous Versions feature either needs to be fully available on the Home versions of Vista, or they need to be turned off (minus System Restore) so my hard drive is not being sucked up by files I cannot even access, nor delete!

    Thursday, July 19, 2007 5:16 AM
  • I'm sorry to disagree with you all, but I believe this is a failure of design; a failure of imagination.  Why can't the connector software "represent" the user to the WHS backup set?  Sure, the WHS or the administrator "owns" the entire backup set, but I think I should be able to right-click any file or folder on my client machine and see a "previous versions" tab just like I can on the server shares.  Of course, I should only be able to access this on files or folders on my PC where I have access already.  If I have "read only" access to something, allow me to restore to another location.  If I have read/write, I should be able to restore whatever I choose.  My NTFS permissions determine what I can "see" in the backup set.  This would be something like Apple's "Time Machine", but stored on the WHS.  This is an opportunity for MS to excel.  I doubt this is a trivial feature I am asking for, but for a company that has decided that homes need servers, I think you have to "think different"! ;-)

     

    Of course, there are other things I want to suggest, but I'll keep them in another thread.

     

    Saturday, February 2, 2008 3:37 PM
  • Prelector said:

    "[Backups] are created and stored on a PC by PC basis, and owned by the WHS admin.  Because of this, you can't restrict access to individual backup files by user name, it's all or nothing."

     

    That's just because that is how you've been conditioned to think about backups by existing solutions in a professional IT world.  But, aren't we constantly reminded these are simpleton home users looking for simple solutions?!?

     

    In the "home" arena, there needs to be more thinking outside the box.  It's amazing how a product can take off when it offers something that is unconventional.  Ask Steve Jobs about it.  And check out TimeCapsule to see if it works like this.


    I completely understand and like the Windows Security Model, but it does not have to be black and white when taken into the home space.  If MS had the choice between restricting to only admins, or making it open to all, then clearly they made the right choice.  I get that.

    But there *are* other choices.  Security does not have to be black and white.  1 or 0.  It can be fuzzy and still secure.

     

    For Example:

     

    WHS knows what PC the file came from.


    When a user attempts to restore a file via Connector from that PC, a security check is performed to see if they are a LOCAL Admin.  If so, they are allowed (they can see all of the data on the PC anyway).  They have access to all of the data at that point anyway, and even if they weren't an admin at the time of the backup, a local admin who probably was has GRANTED them admin privs over the entire PC.  They are trusted, so let them at it.  I'd be ok with this model.  It also requires exactly 0 bits to store this on the server.  It's all determined at runtime.  MS would add this feature *tomorrow* and it would start working on existing backups!  But some may not like the relative "open-ness" so...

     

    Alternatively, and only slightly more complex, at the time when WHS and Connector perform the backup, WHS could store a list of all Administrators on that machine.  These are people who would have access to all data anyway.  Later, at restore time, only users who were Admins at the time of the backup are allowed to browse the backup to restore individual files.  Requires minimal bits on the server to store, but would require a new round of backups before it would start working.  Still very easy to implement, and NO LESS SECURE than the current implementation.  The only down side is now users may create everybody as admin, which is not good for Little Linda who is only 7.  So....


    Well, by storing the exact ACLs from the client PC, WHS can later duplicate the *exact* visibility that user had into the data domain on that PC at the time of the backup, and it can then allow them to view and restore ONLY what they could originally see.  Difficult?  Yes, but not impossible.  DE is tougher to build than this.  And, it wouldn't require many bits to store this data, but more than above, because ACLs don't change frequently so the bits are for the most part only there once.  And of course, a new round of backups is needed to get it working.  I'm not saying this will be easy to implement, but it is doable, and would be a very nice feature, mostly because it will work in a manner of how those simpleton home users will expect their new, simple backups to work.  After all, these are people who figured "oh, my data is backed up, what's this history stuff all about?  I don't need *that*!". ;-)

     

    WHS is not just a new product.  It's a new *type* of product.  If MS doesn't push the envelope and think outside the box, then Apple will.

     

    The funny thing is in this forum, time and time again, we see things like "Home users aren't IT professionals!" and "They are clueless!" and "The product has to be SIMPLE!!!".  These are used to defend WHS design decisions.


    Well guess what?  What's good for the Goose is good for the Gander.  Existing solutions to problems shouldn't simply be copied into the home space just because that's how it's done by IT professionals!!!  We are reminded constantly that these aren't professional IT people.  So don't expect them to view data they created as an IT professional would!!!  What happened to simplicity?  Where did that mantra go?


    Well, this very thread is PROOF that there are users out there who don't understand the Windows Security Model, but *rightfully* *so* expect they should have access to what they consider is their own data!  Whether they placed it on a Shared Folder, or WHS copied it as a backup, they expect to see it. If they forgot to turn on version history, or understandably didn't think they had to because they had "backups" (gee... why would home users think they can access their own backups?!?), then the only place they have to go to get the file is the backup.


    The bottom line is MS could extend the backup feature w/o losing a bit of security, while also making the users who just don't "get it" at least be able to "get at" their backed up data if they didn't have it elsewhere.

     

    Otherwise, it's not logical to use for those people, and thus not simple for them either.

     

    Ryan

    Saturday, February 2, 2008 7:19 PM
  • I have to say that I personally look at this issue a little differently. If I have WHS running in my home, backing up my computer, my wife's computer, my kids' computers (for example) and a restore is needed, then it's more likely that I would do the restore, either of the entire computer if it was severe enough, or of just some files by opening the backup file and copying the relevant files.

     

    If I wanted anyone else in my family to do that then I would just tell them the WHS admin password as the connector is already installed.

     

    If I don't want them to have access to those features then I won't give them the password - simple as that. If I do, then I will. We are not talking about a normal "work" scenario here - as the admin, your users are actually your family, not a bunch of strangers who you wouldn't want to trust with your data.

     

    Perhaps the real confusion, or misdirection here is having the account called Administrator which immediately makes people think of an enterprise scenario.

     

    I don't see there is any real need to change the way WHS works with backups and restores - it's fairly simple and it works.

     

    Andrew

    Saturday, February 2, 2008 9:58 PM
    Moderator
  • I agree it's simple, to me.  And it works, for me.  But clearly others are confused because the product is not allowing them to do something with their data that they expect they should be able to do.  I'm not a member of the WHS target market. They *are*.  So their concerns are far more valid than the fact that folks like us "get it".

     

    What's crazy from a security standpoint is the idea of handing out the keys to the castle (admin password) just so that user can retrieve a single file from a snapshot of their own PC on which they are Administrator, and Creator of the file to begin with.  Why would I want to give them access to EVERY feature of the WHS?  With that password they can now log into the WHS and give their normal user account access to everything I've restricted them from.  No thanks.


    I'm not advocating throwing away the security model.  I'm just saying it could be enhanced (potentially slightly) in a way that would make these particular customers less confused.

     

    And yes, I understand that this use case can be addressed by other features, if the user used them.  The problem is if this user to begin with is dim enough to delete their only local working copy, then they are probably not bright enough to have turned on versioning, or stored it on a server share for versioning.  If they were informed enough to do this, then the whole use case is likely unnecessary from the start.

     

    At the end of the day, there is of course the option to simply say: "learn to use the software".  This may very well be one of those cases, and thus the "need" for the feature enhancement is unnecessary b/c the user should have been smart enough to use the other features to avoid the need to go fetch the file to begin with.

     

    But like I said, don't be surprised if competitors' products work in a way that their target market expects them to work.

     

    Ryan

    Sunday, February 3, 2008 11:25 AM
  • Hi Ryan

     

    Yep, I think to a certain degree you are correct. I know that "parental controls", for want of a simple description, is something that is being looked at for V2 of WHS. Hopefully that could and will include an easy way for a user to access their own backups rather than relying on the "administrator".

     

    One thing I will say, though, is that V1 of WHS is really aimed at sharing your data with your family. If you want data on there you don't want shared then you probably shouldn't put it on there (other than using the limited permission model).

     

    That is why this version has only 3 real permissions at a folder level.

     

    Andrew

     

    Sunday, February 3, 2008 1:22 PM
    Moderator
  •  ryan.rogers wrote:
    When a user attempts to restore a file via Connector from that PC, a security check is performed to see if they are a LOCAL Admin.  If so, they are allowed (they can see all of the data on the PC anyway).  They have access to all of the data at that point anyway, and even if they weren't an admin at the time of the backup, a local admin who probably was has GRANTED them admin privs over the entire PC.  They are trusted, so let them at it.  I'd be ok with this model.  It also requires exactly 0 bits to store this on the server.  It's all determined at runtime.  MS would add this feature *tomorrow* and it would start working on existing backups!  But some may not like the relative "open-ness" so...

    That's how it works today, Ryan, with one added caveat: the WHS team made a design decision that all user interaction with the server would be through the Windows Home Server console, which is an application that runs on the server and is presented to the user in a remote desktop session. I can think of numerous reasons why this decision might have been made, but don't know which combination of them is right. Not that it matters, once you decide to use the WHS console as the interface to the backups. Logically, anyone with the WHS console password is a "WHS administrator" and (in a simple security model for the home) should have access to any backup, for any PC. So if your 8 year old son, in a fit of pique, deletes all his 7 year old brother's save games, they go to Mom or Dad (whichever one usually wears the administrator hat) and after a proper talking-to the files (or drive) are back.


     ryan.rogers wrote:
    Well, by storing the exact ACL's from the client PC, …

    I am reasonably certain (though it has been many months since I tested this by setting up a bunch of odd security) that ACLs are preserved in a backup, and restored when you restore a disk image. When you restore loose files, logically they won't be restored, because you could otherwise wind up with a situation where someone who has the authority (local/WHS administrator access) to do the restore doesn't have sufficient rights to access the file they want to restore. In a home environment, I think this was the right way to go, for the same reasons as above: you have to be a WHS admin to restore loose files in the first place, which logically should mean you're an admin throughout the home domain.


     ryan.rogers wrote:
    The bottom line is MS could extend the backup feature w/o losing a bit of security, and whlie also making the users who just don't "get it", at least be able to "get at" their backed up data if they didn't have it elsewhere.

    Maybe they will for a future version of the product. But I would make it a much lower priority for this product than, say, better media integration. Right now you need to be a local administrator to write loose files during that type of restore operation, and you need to be a WHS administrator to access a specific backup (either for a full image restore or loose files). To me, it's a simple, robust security model for the home; what you want to do is bring all the complexity of NTFS in and then build a pretty interface on top.

    Sunday, February 3, 2008 2:35 PM
    Moderator
  • Yeah, I'm sure ACLs are stored as well, but they aren't really consulted when determining visibility.  But like I said, this wouldn't be simple to build.

     

    I also would rather see things like better media server integration, inherent WMP11 support, etc.  This is certainly small fry.

     

    Personally, I could care less if such a sub-feature to backup ever made it in.  I'll never use it.  ;-)

     

    I just thought it was interesting that several people were confused by this, and that in theory the data is all there to allow permission-based single-file restore out of the backups, and their confusion would have gone away if they were allowed to do this.

     

    Ryan

    Sunday, February 3, 2008 4:21 PM
  • I don't see how the server can determine if a user is a local administrator. The server doesn't have access to the client's SAM, and even if it did (through the connector) it couldn't be trusted because the connector is running on the user's PC.

    Monday, February 4, 2008 4:34 AM
  • Everything on the client PC was backed up.  A copy of the SAM resides within that backup image.  It may not be easy for us to directly access, but we don't have access to every line of Windows source code.  Given that, it becomes a programming exercise.

     

    So whether the Connector is authentic or not is irrelevant since it need not be trusted.  The WHS user can be authenticated, and whether they are an admin or not at the time of backup safely determined.  It would of course be validating that the usernames match, but that's the Workgroup model, and it is used elsewhere in the WHS product.

     

    Ryan

    Monday, February 4, 2008 11:51 AM
  • Bezalel, the server doesn't need to make a determination of whether the user is a local administrator or not. That determination is made on the client PC where the restore is being attempted. I think it's done through the file system pseudo-driver that gets installed to support the loose file restore process, but I know that you can't open a backup to restore files unless you're an administrator locally and have the WHS Console password (which makes you an administrator in the home "domain"). Assuming you have the proper credentials, you can restore files from any PC in your house.
    Monday, February 4, 2008 3:59 PM
    Moderator
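Two points in this thread fit together into one small model: Ryan's proposal (the February 2 post) that the backup record each file's ACL and the PC's local Administrators list at backup time, so a home user can later browse and restore only what they could already read (read-only files going to an alternate location), and Bezalel's objection (February 4) that any "I am a local admin" claim arriving from the connector is untrusted because the connector runs on the user's own PC. The following is an added illustration written for this page, not Windows Home Server code and not how the product's backup database or connector actually work: the backup set, paths, ACEs and user names are constructed for the example, ACL evaluation is simplified to allow-only entries matched by name (the workgroup model the thread assumes), and the authorization decision is made entirely on the server from what it recorded, with the connector's admin flag carried in the request but never consulted.

```python
"""
Permission-scoped single-file restore, decided server-side.

Added example for this discussion; it is NOT Windows Home Server code.
It models the proposal in the thread: the backup stores each file's ACL and
the PC's local Administrators group as they were at backup time, and the
server (never the client) decides what a given home user may browse and
restore from that backup.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    principal: str   # user or group name as recorded at backup time
    read: bool
    write: bool


@dataclass(frozen=True)
class BackedUpFile:
    path: str
    aces: tuple      # ACL captured from the client PC (simplified: allow-only ACEs)


@dataclass(frozen=True)
class BackupSet:
    pc_name: str
    admins: frozenset   # members of the PC's local Administrators group at backup time
    files: dict         # path -> BackedUpFile


@dataclass(frozen=True)
class RestoreRequest:
    user: str                   # WHS user the server itself authenticated
    path: str
    target: str                 # "in_place" or "alternate"
    client_asserted_admin: bool = False   # claim sent by the connector; deliberately ignored


def sample_backup():
    """Constructed sample data standing in for one PC's backup set (hypothetical)."""
    files = [
        BackedUpFile("C:/Users/linda/Documents/story.txt",
                     (Ace("linda", True, True), Ace("Administrators", True, True))),
        BackedUpFile("C:/Users/dad/Documents/taxes.xlsx",
                     (Ace("dad", True, True), Ace("Administrators", True, True))),
        BackedUpFile("C:/Shared/photos/beach.jpg",
                     (Ace("Everyone", True, False), Ace("dad", True, True))),
        BackedUpFile("C:/Windows/System32/config/SAM",
                     (Ace("SYSTEM", True, True), Ace("Administrators", True, True))),
    ]
    return BackupSet("LAPTOP1", frozenset({"dad"}), {f.path: f for f in files})


def groups_for(backup, user):
    """Group membership as recorded in the backup, not as claimed by the client."""
    groups = {"Everyone"}
    if user in backup.admins:
        groups.add("Administrators")
    return groups


def effective_rights(bf, user, groups):
    """Union of allow ACEs matching the user or one of their groups -> (read, write)."""
    read = write = False
    for ace in bf.aces:
        if ace.principal == user or ace.principal in groups:
            read = read or ace.read
            write = write or ace.write
    return read, write


def visible_files(backup, user):
    """Paths the user could read on the PC at backup time: the only ones they may browse."""
    groups = groups_for(backup, user)
    return sorted(p for p, bf in backup.files.items()
                  if effective_rights(bf, user, groups)[0])


def authorize_restore(backup, req):
    """Server-side decision for one file. Returns (allowed, reason)."""
    # req.client_asserted_admin is never read: the connector runs on the
    # user's PC, so anything it asserts about privilege is attacker-controlled.
    groups = groups_for(backup, req.user)
    bf = backup.files.get(req.path)
    if bf is None:
        return False, "no such file in this backup"
    read, write = effective_rights(bf, req.user, groups)
    if not read:
        # Same answer as for a missing file, so unreadable paths are not enumerable.
        return False, "no such file in this backup"
    if req.target not in ("in_place", "alternate"):
        return False, "unknown restore target"
    if req.target == "in_place" and not write:
        return False, "read-only at backup time: restore to an alternate location instead"
    return True, "ok"


if __name__ == "__main__":
    b = sample_backup()
    for user in ("linda", "dad"):
        print(user, "can browse:", visible_files(b, user))
    print(authorize_restore(b, RestoreRequest(
        "linda", "C:/Users/dad/Documents/taxes.xlsx", "alternate", client_asserted_admin=True)))
```

In this model the only thing a compromised or modified connector can influence is the request; the ACLs, the admin list and the group lookup all come from the server's copy of the backup, which is the property Bezalel asked for. Writing a restored file back to its original place on the client is a separate, client-side permission check (the thread notes you must be a local administrator there), which this server-side model does not cover.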