Cisco NSS4000 NTFS Permissions Issue

Similar Messages

• Unexpected NTFS permissions behavior

  I am administering a home server running Windows 2008 R2 (accessed by several Windows 8.1 clients) and have run into an NTFS permissions issue I do not understand.
  On this server there is a S drive that contains all the online storage for our network.
  The structure of the S drive looks like this:
  Files
    Public
      VariousPublicFolders
    Private
      Person1
        Person1sStuff
      Person2
        Person1sStuff
  Temp
  Before any security modifications were made, the root of the S drive had the following permissions:
  SYSTEM : Full Control
  Administrators : Full Control
  Users : Read and Execute
  Also, all the above folders on this drive are owned by the Administrators group.
  Then I started changing permissions in order to satisfy my security requirements.
  For example, I disinherited permissions on Temp and allowed "Everyone" Full Control there.
  That works fine.
  What doesn't work fine is the permissions I am trying to set on the personal folders under the Private tree.
  I want to make sure no one else (other than administrators) has access to anyone's personal data  (the data in the Person1, Person2, etc folders).
  So I disinherted permissions on each of those folders and then explicity set the following:
  SYSTEM : Full Control
  Administrators : Full Control
  PersonX : Full Control
  This, I thought should work beautifully.
  I thought it should give each person full control of what happens in their personal folder, and also allow administrators and the system to get in there.
  But it is giving people in the Administrators group problems.
  I have a user called Custodian which is part of the Administrators group, and I use this user to do administrative tasks.
  As Custodian, when I try to access someone's personal folder in Explorer I am greeted with a message that says "You don't currently have permission to access this folder."
  Whaaaaat?
  I am offered "Click continue to permanently get access to this folder."
  If I say YES then Custodian is explicitly added to the folder ACL, and I can proceed to access the files there.
  But I don't want this.
  Custodian is already an Administrator, and Administrators already have full control of the folder.  Why should I even be prompted, and even worse, have my user unnecessarily added to the ACL?
  This is bad bad bad.
  I think what is going on is that UAC is coming into play.  I read somewhere that Administrators normally do not use their administrative token until they hit something that requires it, then UAC kicks in and asks to elevate them.  This would be
  fine if it happened.  I guess I wouldn't mind having to click OK to enter a folder that requires admin access.  But this is not what is happening.  I am just blanket denied until I explicitly add the Custodian account to the ACL.
  Can someone explain why an admin user is denied access to a folder having full control given to admins?  What is going on here?
  Can someone suggest a way to rig permissions so that my admin user doesn't have to be added explicity?
  I just want to be able to browse and alter the entire drive with ANY administrative user without being bothered to alter permissions.  I don't even mind being prompted for elevation, although honestly I'd prefer not to have that happen either.

  Thank you, Milos, for taking the time to look at this.
  RE: Making the post shorter, I'm not sure I could.  It's not an easy problem to state, and I tried to do so in as few words as possible, any less and I would be leaving out critical info.
  Here are your questions, answered.
  (2) Yes, I am using a workgroup.
  (3) An example calcs output
  S:\Files\Private\Scott DATABANK\Scott:(OI)(CI)F
                         BUILTIN\Administrators:(OI)(CI)F
                         NT AUTHORITY\SYSTEM:(OI)(CI)F
  (4) The share permissions are full, yes, but this is immaterial.  I suffer the problem accessing the files locally/directly on the server.  I probably shouldn't have mentioned anything about the share.  It's just that the problem came to light
  while I WAS accessing the files through the share, but then I tried locally and still had the problem.
  I am unsure of what you mean in (5) (6) (7).  Could you elaborate?

• TMS 14.3.2 - No HTTPS Response from devices (again) - Looks like permissions issues (but possibly down to NetBIOS over TCP/IP)

  Hi All,
  Sometime ago I posted regarding an issue I was seeing on our TMS , where most of the remote devices seemingly showed up as loosing remote connection (no HTTPS Response - https://supportforums.cisco.com/discussion/12290956/tms-lost-https-communciation-devices-not-really). However, I could not figure out the root cause of the error, and now I have managed to break things again - probably due to a Java upgrade which broke TMSPE (see https://supportforums.cisco.com/discussion/12404166/looks-latest-update-java-8-update-31-will-break-tmspe-11).
  However, I thought I would look at little more closely this time to see if I could figure out the problem.
  I am seeing a lot of entries in the Security Log in TMS that seem to indicated that my the account used from a TMSPE connection has a bad or invalid password (this is set in "Administrative Tools --> Configuration --> Provisioning Extension Settings", but this password is correct (I can log into TMS with this account, and reset and restarted services etc).
  The computer attempted to validate the credentials for an account.
  Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Logon Account: tmspeconnect
  Source Workstation: TMS
  Error Code: 0xc0000064
  and
  An account failed to log on.
  Subject:
  Security ID: IIS APPPOOL\TMSNet40AppPool
  Account Name: TMSNet40AppPool
  Account Domain: IIS APPPOOL
  Logon ID: 0x214b6
  Logon Type: 8
  Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: tmspeconnect
  Account Domain: TMS
  Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xc000006d
  Sub Status: 0xc0000064
  Process Information:
  Caller Process ID: 0x860
  Caller Process Name: C:\Windows\SysWOW64\inetsrv\w3wp.exe
  Network Information:
  Workstation Name: TMS
  Source Network Address: 127.0.0.1
  Source Port: 62114
  Detailed Authentication Information:
  Logon Process: Advapi
  Authentication Package: Negotiate
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
  - Transited services indicate which intermediate services have participated in this logon request.
  - Package name indicates which sub-protocol was used among the NTLM protocols.
  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
  I just wanted to check this like file/folder NTFS permissions, or any specific IIS permission . Is there a list of NTFS folder permissions for which the TMS required with regard to the "IIS APPPOOL", and perhaps what may need to be check in IIS?
  Oddly, the error list above refers the our "TMSPEConnect" account from the TMS domain, however this is incorrect - TMS is the machine name. Still we ARE seeing similar error which reference the actual domain name, such as:
  An account failed to log on.
  Subject:
  Security ID: IIS APPPOOL\TMSNet40AppPool
  Account Name: TMSNet40AppPool
  Account Domain: IIS APPPOOL
  Logon ID: 0x49e55
  Logon Type: 8
  Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: tmspeconnect
  Account Domain: mydomain
  Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xc000006d
  Sub Status: 0xc000006a
  Process Information:
  Caller Process ID: 0xb18
  Caller Process Name: C:\Windows\SysWOW64\inetsrv\w3wp.exe
  Network Information:
  Workstation Name: TMS
  Source Network Address: 1.1.1.1 (changed external IP)
  Source Port: 47620
  Detailed Authentication Information:
  Logon Process: Advapi
  Authentication Package: Negotiate
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
  - Transited services indicate which intermediate services have participated in this logon request.
  - Package name indicates which sub-protocol was used among the NTLM protocols.
  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
  Idea welcome.
  Cheers
  Chris

  Hi all,
  After a long a fraught weekend trying to fix things, I am not that much further on, but I am beginning to understand what it isn't........ I think :(
  It looks as though the "DatabaseScanning" service, or anything that runs under the credentials of the "nt authority\network service" seems to have a problem.
  The Audit log show lot of entries where services such as"TMSWebPublic" running under the ISS Application pool "tmsnet40apppool", and actions launched under our own credential appear to communicate just fine with the device, only for the 'network service' to time out the connection a short while later. The same goes for some (not all) of the Phone book updates, which also looks as though it runs under the credentials of the 'Network Service' account.
  26/01/2015 08:30:54
  nt authority\network service
  Update
  System
  our-ctrl1
  System status
  NoResponse
  TMSDatabaseScannerService
  26/01/2015 08:30:54
  nt authority\network service
  Update
  System
  our-ctrl1
  Connection status
  NoHTTPSResponse
  TMSDatabaseScannerService
  26/01/2015 08:29:06
  tmsnet40apppool
  Update
  System
  our-ctr1l
  System status
  Idle
  TMSWebPublic
  26/01/2015 08:29:06
  tmsnet40apppool
  Update
  System
  our-ctrl1
  Connection status
  OK
  TMSWebPublic
  However, I still don't know at this point is this is related to the actual TMS front end, something to do with the domain and policies that have been applied to TMS, or the actual database, or even just communication with the back end database??? I did try running the services under a domain user (service) account, but then ran into other issues as I couldn't log into TMS.
  BTW, removing TMS, and IIS and reinstalling did fix my second issue relating to the 'Communication Errors'.
  Chris

• Can't rename a single file to autorun.inf even all ntfs permissions are correct

  I have this odd problem:
  Logged in as Domin Administrator I couldn't  rename or open for editing an existing file "autorun.inf" even though all the ntfs permissions were correct. Every other files in the same directory (mainly .swf, .docx, .js and .htm files)
  are both editable and can be renamed.
  When I deleted the file "autorun.inf" from the folder and tried to create a new one with the same name, OS (Windows Server 2008 R2) notifies me that I "need permission to perform this action". Furthermore OS notifies me that "You
  require special permission from Administrators to make changes to this file". Neither can I copy a file named "autorun.inf" from another location to this folder. This is in spite of being logged in as Domain Admin.
  In short: I can't create a file called autorun.inf in a folder!
  Could  there be some kind of extra locking concerning files named autorun.inf i.e. some protective mechanism in this particular folder's permissions or SRV2008R2 itself that I've missed. All the other folders allow me to create whatever files i like
  into them.
  I would very much appreciate if anybody can help me with this.

  Yes, by default that will block any access to autorun.ini files. We use the same, so the issue sounded familiar, and of that I asked specificly to that :)
  Best Regards,
  Jesper Vindum, Denmark
  Systems Administrator
  Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.

• Share permissions issue - users reporting files readonly

  I have setup a share and the users need to have access to read,modify, write, delete on the files/folders in the new share. The users. For this:
  1. I added the user AD group to the Share Permissions and set 'Change' for the permissions. I noticed that there was already a group called Everyone here and had 'READ' permissions. I did not make any changes to this Everyone group.
  2. I added the user AD group to the NTFS Permissions and set 'Modify, Read&Execute, Read, Write' permissions. 
  It seems the users are seeing the files as 'read only'. They can view and open, but are not able to edit the file. What might be the issue?
  Regards

  Hi,
  I have added share and NTFS permissions the same as yours on a shared folder and I can eide files within the shared folder. Please check the NTFS permissions of the files in the shared folder to see it the NTFS permissions are inherited to the chiled files
  from the parent folder.
  HOW TO: Control NTFS Permissions Inheritance in Windows
  http://support.microsoft.com/kb/313398
  Best Regards,
  Mandy 
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Renaming folder resets NTFS permissions

  Hi
  I have installed a new file server, running Server 2012 R2. I have created a shared folder and set the NTFS permissions. I then renamed the folder and noticed that the NTFS permissions had ben removed and reset.
  I have never seen this behavior before, and I find it a bit worrying???
  Lasse
  /Lasse

  Hi Amy
  The steps I initially did:
  1. Create folder in the root of D:
  2. Disabled inheritance
  3. Added the necessary permissions (The user I use is a domain admin, and is also added)
  4. Shared the folder to Everyone with full control
  5. Right click on the shared folder and selected rename and gave the folder a different name
  6. Vupti dupti, the permissions has changed to the following:
  SYSTEM
  MY USERNAME
  Administrators (LocalServer\Administrators)
  I have just done the same thing on a different server, and it's the exact same behavior, both servers running Server 2012 R2.
  I have also tested it on a Server 2008 R2, and it gives me the same warning as you and if I press continue the folder is renamed and the permissions has NOT been changed.
  So it seems to be a Server 2012 R2 "issue".
  /Lasse

• Coldfusion ignoring NTFS permissions

  I have seen a few older posts that have presented this same issue, but there was no resolution in the thread.  I have posted on those threads asking if they found a solution, however thought I would present the issue myself and hopefully someone has a fix/workaround.
  CF10, W2008R2, IIS 7.5. Using a group with NTFS permissions and trying to limit the access to the pages.  Anyone can view the page if putting in a username and password in the Windows security popup, click ok and immediately prompted again, click cancel and you can see the page contents.  Tested with an html page and html page is blocked properly.  It is my understanding that IIS passes the control to cf, cf diplays the cfm page. 
  Since this is IIS 7.5, the checkbox for check if file exists that was working in IIS6 isn't there any longer, it is now items under Handler Mappings.  I saw in one thread dscussion about editing a wildcard mapping, but it was vague, and didn't have the settings I need to fix this, or I did not understand based on what I see on our server.  I have set the .cfmHandler to "file" , and that did not work. I do not see a wildcard handler in the name column, however there are * in the path column, so it wasn't clear what really is the magic wildcard mapping I am looking for.
  I cannot believe this issue has existed since IIS7, and there is no clear guidance on the topic. Someone has to have figured it out... bypassing NTFS permissions and not being able to restrict access to a group is not a small issue, in my opinion anyway. I have searched all over the place, hopefully someone here knows what the magic answer is...
  Thanks!
  Tanya

  Tanya,
  This may not be what you want to hear, but I don't think you can get CF to play by NTFS rules with IIS 7+.  Since IIS hands off processing to .cfm/.cfc files to ColdFusion, it can't enforce NTFS permissions.  I think CF developers typically rely on a security system within their ColdFusion application to determine who can access which .cfm files or folders.  So programatically you check the credentials of the user and determine if they are supposed to be able to access a particular .cfm file, and redirect them if they are not.  Some use the <cflogin> features of ColdFusion; others roll their own.
  I could be completely off about this, though.  Do you use Application.cfc in your apps, or Application.cfm?  That may have a bearing as well.
  -Carl V.

• Ntfs permissions on forest trusted share

  We have a two way forest trust. Consider this example:
  Forest A has:
  Domain Controller A
  Server A
  Forest B has:
  Domain Controller B
  Server B
  \\shareB (on Server B)
  I am a domain admin on Forest A, and my account has been given full permissions to Share B.  We have a two way forest trust, and have firewalled everything except communication between Domain Controllers A and B.
  The issue:
  If I log on to Server A, I am able to open \\shareB, but if I attempt to add/change ntfs permissions, I only see 'server B' when I click the 'Locations' button (I do not see either domain).
  If we allow on our firewall port 445 between Server A and Domain Controller B, it works.
  Is this working as designed?  Or is there a way to keep the firewall up and retain this functionality?
  Thanks,
  Jaime

  Hi Jaime,
  >If I log on to Server A, I am able to open \\shareB, but if I attempt to add/change ntfs permissions, I only see 'server B' when I click the 'Locations' button (I do not see either domain).
  How did you add/change NTFS permissions? In addition, would you please post a screenshot of the Locations?
  >If we allow on our firewall port 445 between Server A and Domain Controller B, it works.
  Port 445 has to be open, because User and Computer Authentication, Trusts require it to be.
  More information for you:
  Active Directory and Active Directory Domain Services Port Requirements
  http://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
  Best Regards,
  Amy

• What share and NTFS permissions must I give users to deploy software through SCCM?

  What share and NTFS permissions must I give users to deploy software through SCCM? I have one folder with all of the applications and would like to know.
  Thanks
  James A+, Network+, MCP

  That still doesn't help. We're not prying, we're trying to help but we honestly have no idea what you are talking about. The more and better details that you can provide, the better we can help.
  "Because I want to know" adds no value and does not help us help you. We need technical details -- we can't see what you are seeing and we can't read your mind.
  And, you didn't really answer any of my questions.
  I'll take another wild-guess though: If you are talking about the source file locations referenced within packages and applications, users do not access those. The computer account for the systems hosting the SMS Provider needs read access to the location(s)
  specified. Yes, this means both NTFS and share permissions assuming they are being referenced via a UNC.
  Finally, there is no service account. If you've changed the account that the SMS_EXECUTIVE is running under, you're are now in a completely unsupported state that will have many issues. If instead you are talking about the Network Access Account, that is
  *not* a service account and is *not* used to access content source files.
  Once again though, we're simply guessing because no one has any idea what you're doing. Please provide actual, technical details.
  Jason | http://blog.configmgrftw.com | @jasonsandys

• Robocopy not copying NTFS permissions

  Hi All, got a 2008 64bit server, copying a 100 GB folder from one disk to another on the same server. And randomly robocopy does not apply NTFS permissions to folders at root level. It leaves them to default.
  This is the command I am using:
  robocopy "F:\Project1" "H:\Project1" /E /Copy:DATSOU /IS /IT /log:c:\Project.txt /TEE
  What could be the issue ?

  Hello,
  If we want to robocopy the whole d:\project1 and all the subfolders to H:\project1 while preserving its NTFS security permission, we can use following command syntax with robocopy.
  Example:
  =============
   Robocopy "F:\Project1" "H:\Project1" /E /SEC
  /e: Copies subdirectories includes any empty directories.
  /sec: Copies files with security.
  For more reference, please refer to:
  Robocopy
  http://technet2.microsoft.com/windowsserver2008/en/library/d4c6e8e9-fcb3-4a4a-9d04-2d8c367b63541033.mspx?mfr=true
  Hope this information will be helpful.
  This posting is provided "AS IS" with no warranties, and confers no rights.

• Reporting Services Point - possibly permissions issue

  I'm having a really hard time configuring a working reporting services point in my test SCCM 2012 R2 environment and was hoping someone might be able to help me work out what's gone wrong.
  My servers are WS2008 R2.  SQL Server 2008 R2 is installed on the primary site server and holds the site database.  I installed SSRS onto a separate site server and added it as a reporting services point.  This worked, and I see the list of
  reports in the SCCM admin console.  However, when I try to run a report - either from the console or via web browser - I get this message:
  The default value expression for the report parameter 'usertokensids' contains an error.  There are no logon servers available to service the logon request. (rsRuntimeErrorInExpression)
     at Microsoft.Reporting.WinForms.ServerReportSoapProxy.OnSoapException(SoapException e)
     at Microsoft.Reporting.WinForms.Internal.Soap.ReportingServices2005.Execution.RSExecutionConnection.ProxyMethodInvocation.Execute[TReturn](RSExecutionConnection connection, ProxyMethod`1 initialMethod, ProxyMethod`1 retryMethod)
     at Microsoft.Reporting.WinForms.Internal.Soap.ReportingServices2005.Execution.RSExecutionConnection.LoadReport(String Report, String HistoryID)
     at Microsoft.Reporting.WinForms.ServerReport.EnsureExecutionSession()
     at Microsoft.Reporting.WinForms.ServerReport.SetParameters(IEnumerable`1 parameters)
     at Microsoft.ConfigurationManagement.AdminConsole.SrsReporting.ReportViewerWindowsForms.SetParameterValues_DoWork(Object sender, DoWorkEventArgs e)
  SMSAdminUI.log shows this message:
  [25, PID:3096][06/12/2014 11:24:05] :[fqdnofprimaryserver] : The request failed with HTTP status 503: Server Error.
  Now, the reason I think this is a permissions issue is because srsrp.log on the Reporting Point server shows this:
  (!) Error retrieving folders - [Login failed for user 'domain\reportingservercomputername$'.].
  (I've removed the actual name here, obviously.)
  I'm really puzzled about what's going on here, what is trying to authenticate with the SSRS server's machine credentials, and what for.  Looking in SQL Server Management Studio on the primary site server which hosts the SQL database, I can see that
  the account has a login listed and it has its default schema listed as DBO.  On the SSRS server, in Reporting Services Configuration Manager, the Report Server Service Account is set to a dedicated domain user account.  The Current Report Server
  Database Credential is set to my own Windows login using Current User - Integrated Security - I can't seem to get it to accept the dedicated user account.
  Can anyone help me figure out what's gone wrong and how I fix it, please?  I'm by no means a SQL person, and I'm at my wit's end with this!
  Thanks,
  M

  The plot thickens.
  The SSRS server has these:
  "The report server has detected a possible denial of service attack. The report server is dropping requests for service from the IP address 192.168.113.163" (this is the IP address of the primary site system, which hosts the SQL database)
  and then
  "Report Server Windows Service (MSSQLSERVER) cannot connect to the report server database"
  The primary site system, meanwhile, has got thousands of these:
  "Login failed for user 'DOMAIN\SSRSSERVERNAME$'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: 192.168.113.164]" (that's the IP of the SSRS server)
  The Windows firewall is off for both systems.  They're on an isolated test network.  I still don't understand where the setting is that tells it to make SQL queries using the SSRS server's machine account, rather than the dedicated service account
  I created.
  Any more ideas?  Thanks for your help so far - I really appreciate it!

• How do I migrate from one user to another to resolve sleep/permissions issues?

  My MacBook Pro's been having several issues, mainly with waking from sleep. I've tried Repairing Permissions, Repair Disk, running tools like OnyX and Drive Genius, but they can't find any issues. I checked the Console log, and there was some sort of denial from displaying the login window after I woke up from sleep.
  Initially I thought this had to do with some of my peripherals being plugged in when I already had the lid closed; the Mac would wake up, not realize the lid was closed, and never go back to sleep. Nothing--keyboard or trackpad touches--would wake the machine up. I'd have to hard reset by holding the Power button on.
  I had an Apple Genius suggest that I create a new user and test it out with the (same) default sleep settings as the buggy user account. It wakes up from sleep lightning fast, and has thus far never had any issues.
  I'm leaning toward sticking with this new user and migrating over my things bit by bit, to try and avoid potential permissions issues. But since I don't know where the source of this sleep problem lies, how should I go about it?
  I've read through Pondini's Transfer Guide here http://pondini.org/OSX/Transfer.html, but I'm just wondering where people would start, knowing that the machine has had permissions issues with some files. (The permissions issues, btw, I believe were caused by a mangled Time Machine restore. I replaced my internal HD with another one, but the Time Machine/Migration Assistant restore wasn't complete. I did it a second time from within the user account that got created, then tried to delete the malformed one and rename the complete one, but that's when the issues started.)

  I wasn't intending to move the entire home folder, rather, moving things like what's inside my Documents folder in chunks.
  From what I read, tracking down the origin of sleep/wake problems on a computer is notoriously hard, especially if Disk Utility and similar tools don't give any clues during Repair Disk or Repair Permissions. Creating the new user seemed to help, but I don't know why that alone would "fix" anything, so I haven't moved any files as of yet nor done anything with the new user account.
  Trying to move the things from my Library folder to my desktop also seems a bit risky; it's hidden in Lion and Mountain Lion because a lot of system files are there, right? Wouldn't moving them cause problems, not just help me find what file/folder (if any) could be the culprit?

• "screen shot can't be saved" and other permissions issues

  After having my iMac at the Apple Store for four days solving a problem with "quit unexpectedly" issues with all Apple built-in Apps on OS X Yosemite, I got the machine back with those problems solved.  It involved re-installing OS X and restore files from backup.  I thought all was well; the Genius Bar dude showed me that it's fixed. He said it took so long because of bizarre permissions issues he'd never seen before.
  Now that I've lugged this 40lb machine back home (after verifying the fixes in the store) I now find that several (other) functions don't work.  When I try to do a screenshot, I get this message:"Your screen shot can't be saved.  You don't have permission to save this file in the location where screen shots are stored."  Message could have been more helpful; the "location" is the desktop.  Pretty descriptive, though.  Seems I can't save anything to the desktop.
  I tried creatng a folder on the desktop.  Got this message: "Finder wants to make changes. Type your password to allow this".  Type password and new folder appears.  Drag the new folder to the trash, get same message..
  I tried copying a file from a network drive to the desktop. I get this dialog: "Modifying Desktop requires and administrator name and password.  I clicked "authenticate" and after a 3 minute delay (with "Preparing.." ) I get this dialog; "Finder wants to make changes.  Type your password to allow this".  I type the password and the file appeared on the desktop.  Before the work at the Apple Store, this never happened.  BTW I have only one user account and it's marked "Allow user to administer this computer".  Thinking something might be goofy with the pw, I changed it (took 3 minutes to do, oddly) and rebooted. No joy. Same thing happens when I try to drag something from the desktop to the trash.  Long time "moving" message followed by having to provide and admin pw.
  I tried to save a Safari attachment to the Downloads folder and got this message: "Safari could not download the file xxxxx because there is not enough free disk space".  Since I have more than 600GB of available space, I think the message is wrong and that it's really a permission issue with the Downloads folder.
  Tried to reset the password again.  Click to unlock the Users & Groups panel, get "System Preferences is trying to unlock Users & Groups preferences.  Type your password to allow this".
  All this tells me that somehow Yosemite is in "nag" mode (reminiscent of Windows Vista.
  Any ideas?
  Chaz

  Back up all data before proceeding.
  This procedure will unlock all your user files (not system files) and reset their ownership, permissions, and access controls to the default. If you've intentionally set special values for those attributes on any of your files, they will be reverted. In that case, either stop here, or be prepared to recreate the settings if necessary. Do so only after verifying that those settings didn't cause the problem. If none of this is meaningful to you, you don't need to worry about it, but you do need to follow the instructions below.
  Step 1
  If you have more than one user, and the one in question is not an administrator, then go to Step 2.
  Triple-click anywhere in the following line on this page to select it:
  sudo find ~ $TMPDIR.. -exec chflags -h nouchg,nouappnd,noschg,nosappnd {} + -exec chown -h $UID {} + -exec chmod +rw {} + -exec chmod -h -N {} + -type d -exec chmod -h +x {} + 2>&-
  Copy the selected text to the Clipboard by pressing the key combination command-C.
  Launch the built-in Terminal application in any of the following ways:
  ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
  ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
  ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
  Paste into the Terminal window by pressing command-V. I've tested these instructions only with the Safari web browser. If you use another browser, you may have to press the return key after pasting.
  You'll be prompted for your login password, which won't be displayed when you type it. Type carefully and then press return. You may get a one-time warning to be careful. If you don’t have a login password, you’ll need to set one before you can run the command. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator.
  The command may take several minutes to run, depending on how many files you have. Wait for a new line ending in a dollar sign ($) to appear, then quit Terminal.
  Step 2 (optional)
  Take this step only if you have trouble with Step 1, if you prefer not to take it, or if it doesn't solve the problem.
  Start up in Recovery mode. When the OS X Utilities screen appears, select
            Utilities ▹ Terminal
  from the menu bar. A Terminal window will open. In that window, type this:
  res
  Press the tab key. The partial command you typed will automatically be completed to this:
  resetpassword
  Press return. A Reset Password window will open. You’re not going to reset a password.
  Select your startup volume ("Macintosh HD," unless you gave it a different name) if not already selected.
  Select your username from the menu labeled Select the user account if not already selected.
  Under Reset Home Directory Permissions and ACLs, click the Reset button.
  Select
             ▹ Restart
  from the menu bar.

• Permissions Issue, Colour Wheel, Hard Drive Issue??

  Hi!
  I have had issues with my mid 2009 MBP recently and I'm wondering what the best way to fix them would be. 
  First off, I have some major permissions issues with my accounts.  I am using 3 different users regualrly on the same machine and needed to access files from the home folder so I changed them a long time ago, and am not sure how to fix that.  I have repaired the permissions countless times in the disk utility and it seems like there's always loads more to do each time.  When I varify the disk, it says its all okay.
  Secondly, I have had the machine freeze on me several times while doing very little on it.  This happened awhile ago, and thought that it was just the permisions thing and so I did that again, and it started working better, for awhile.  It would go a few days or weeks before doing the same thing, sometimes not even getting past the apple logo on startup before freezing.  This makes me think it may be a hard drive issue???????
  This morning, I tried dozens of times to boot, with no success at all.....  until about the 25th time when it miraculasly booted.  I have run permissions repair a few more times and it seems to be working okay at the moment, but the problem seems to be happening more often over time. 
  To complicate matters, I am traveling at the moment and will not be home for several months.  I purchased an external harddrive last night and was able to successfully back up my data. 
  Question 1: Is it the permissions that are causing these problems, or is it related to something else.  The computer seems to work fine when its working, and then once in awhile, decides its not going to do anything. 
  Question 2:  Would upgrading to Lion (currently running 10.6.8) fix the permissions issues or just carry them forward?  I would like to consolidate the 3 users into one, if that would solve it.  Does the migration utility preserve permissions or does it give you a brand new start?
  Question 3:  If neither solving the permissions or the OS upgrade would fix the problem and it does need a new harddrive, is it possible to buy one and install it myself?  I do not have apple care left on this machine and am on a very tight budget.  I am used to taking things apart and all that as part of my job and it seems simple enough.  Where can you buy a replacement?? 
  Hopefully someone out there will be able to help me out on this one. 
  Cheers!!!!
  Brian

  bgroot422 wrote:
  First off, I have some major permissions issues with my accounts.  I am using 3 different users regularly on the same machine and needed to access files from the home folder so I changed them a long time ago, and am not sure how to fix that.  I have repaired the permissions countless times in the disk utility and it seems like there's always loads more to do each time.  When I verify the disk, it says its all okay.
  Disk Utility permissions are separate from User account permissions.
  This link is how to fix them
  https://discussions.apple.com/thread/2181549?start=0&tstart=0
  Disk Utility will always show something to be needing repair, but that's ok
  Apple supoort doc.
  https://support.apple.com/kb/TS1448?locale=da_DK
  Verify Disk is good, that's a good thing.
  To complicate matters, I am traveling at the moment and will not be home for several months.  I purchased an external hard drive last night and was able to successfully back up my data. 
  Your data is backed up, hopefully not with TimeMachine alone, but if you did, then get another drive and backup data manually to that as well. If the TM drive gets messed up, it's a pain to get your data off of it.
  Question 1: Is it the permissions that are causing these problems, or is it related to something else.  The computer seems to work fine when its working, and then once in awhile, decides its not going to do anything.
  Well you could call Apple for replacement 10.6.x disks, and just reinstall 10.6 and bundled programs, but this can kick out kext files out of the /System/Library/Extensions folder installed by some third party software.
  This method fixes OS X, but doesn't touch your files or most programs.
  Nor will this method fix your Users accounts if the issue is in there.
  A creation of a new user, then deletion of the others, return files from backup (set permissions) will fix User folder issues if the above user permissions fix doesn't work.
  (Of course you could wipe the drive from the 10.6 disk, but you have to install all software again)
  Would upgrading to Lion (currently running 10.6.8) fix the permissions issues or just carry them forward?
  No, you don't want to install Lion, it won't fix those issues in User folders, not only that Lion has it's own issues and doesn't work with a lot of older software etc.   No use clusterfscking a already bad situtation when it's seems it's only localized to the User accounts.
  I would like to consolidate the 3 users into one, if that would solve it.
  Yes that could very nicely and tidy up things in the process.
  What you do is transfer all files to one regular powered storage hard drive.
  (Don't use/disconnect the TimeMachine drive for this as it preserves the users seperated and you don't want all those users back restoring  with Migration Assistant)
  Create the New User on the machine as Admin, log into it and delete all the other Users, transfer all your files back from the regular storage drive, changing all the permissions to yourself before placing them into their respective folders as they will have three different permissions.
  Notes:
  If you have a extensive iTunes playlists on one User (say #1), then create the new user with that same name (will require some work, create User 4, delete Users 1-3, reboot, create User 1, delete User 4) then transfer your iTunes folder to Music of that User 1 (same name as before). This will preserve the pathnames of your song locations and your playlists will be preserved.
  (before you ask, no you can't combine playlists)
  Also if you have photo's in iPhoto Library, you have to right click on it and "show package contents" inside is a folder called Originals, copy them out and import into the iPhoto of the User #1.
  Does the migration utility preserve permissions or does it give you a brand new start?
  Yes it preserves user permissions, no it doesn't give you a brand new start. Only a fresh install, creation of new users and then just transferring of files does that.
  Nothing about TimeMachine or Migration Assistant gives one a "fresh start", it's if hosed, so is your restore.
  If you want that sort of pristine protection, you need to clone your ideal boot partition/drive using Carbon Copy Cloner (free/donationware) occasionally as a hold the option key bootable drive, then you can erase and reverse clone the pristine saved clone.
  One can also update the clone on occasion, this way keeping the clone pristine.
  I maintain 3 clones time dated, even have my boot drive partitioned 50/50 and auto-cloned, this way I have two boot partitions on the road and two externals at home.
  I never use TimeMachine, it's not bootable (well it is on 10.7.2 only to restore though)

• Can't Customize, Change Settings, or Move Files -- Permissions Issue?

  Hey all:
  Just got a new MBP w/ 10.5.2. Successfully migrated most of my user settings and applications from the old Tiger HDD (old laptop died a horrible death).
  The problem is that aside from everything appearing to be the same, I'm finding that I don't have the access to do a whole lot with my own files. Several different problems that "seem" like they're stemming from the same accessiblity/permissions issue include:
  Intermittent trouble downloading files with Firefox's default download tool.
  Complete inability to change desktop background.
  Programs fail to remember setting changes after quit and re-launch.
  System Preferences do not remember changes to settings.
  Certain files can not be moved, renamed, opened, or deleted w/o admin authorization, or in some cases, at all.
  The problems started after I migrated the old system over after having an interim user account running for a few days prior. After migrating, I attempted to reconcile the two together and that's when things got hairy.
  In the past couple days, I have tried:
  1.) Archive and Install (preserving User settings - now down to just one admin).
  2.) Changing permissions to system read/write, admin read/write, everyone read only for the entire /User directory, applied to all enclosed items.
  3.) Repairing Permissions (which took about 10 minutes!)
  I'm at the end of my rope here. I'm stuck with my OS acting the way it wants to, which is the exact way it was after being archived and reinstalled, no matter what changes I try to apply in the Finder, Preferences, or in any programs.
  I'm thinking maybe a clean install and then migrating over the backup I just made on my external HD will get me my stuff without whatever troublesome thing is freezing me out, but I'm not really sure, and I don't really understand much about command lines in Terminal.
  Does anyone have any ideas? Many thanks.

  Oddly enough I just had a spastic moment with a mouse click and put my Drop Box in the Trash (I keep the Delete thing in my window toolbar, which is handy, but can lead to accidents)... Since I was playing with it I noticed its absence immediately. Realized what I had done after a moment's reflection, and put it back. Which just goes to confirm something I ALWAYS do before I empty the Trash: open it and see what's in there first, then click empty.
  As to whether removing ACLs is for advanced users only: well, up until Leopard that's the way it always was, there were, until now, NO ACLs on the users folders. So should everyone have been an advanced user until now? Did you ever delete a folder in Jaquar or Panther or Tiger and empty your Trash without checking? Indeed, if you use Time Machine, available in Leopard but not before, you are already protected from such goofs, since you can recover things accidently deleted using Time Machine, so actually you are in better shape with Leopard than ever before, WITHOUT the ACLs if you use Time Machine. Until Leopard there was neither belt nor suspenders to automatically protect you from losing data. Leopard supplies both.
  The situation reminds me of the continuing debate about virus protection on the Mac. Personally, I have seen various anti-virus programs cause all sorts of problems, and it has yet to protect any Mac system from anything (since as yet there are no Mac system viruses). Anti-virus software may have saved some users of Microsoft Office who share files with Windows users from getting a macro virus in their Word docs, and it might have kept a Mac user from passing on some email virus to some Windows users by forwarding stuff from the Internet. But still.... if you don't use MS Office or forward email junk, you get no benefit and may get some problems.
  Same seems to me to be true of ACLs: it is possible to get a benefit (you can't accidently toss your Movies folder and lose data, assuming you mindlessly empty your Trash and don't have a backup), but an awful lot of people are having an awful lot of problems.
  Francine
  Francine
  Schwieder