How to understand those confusing windows 7 file/share permissions

Hi all. Our company is running Lotus Notes and recently I installed a MS Outlook interface and it worked well for about two days. Then suddently I am receiving an error message “Microsoft Office Outlook : You don’t have appropriate permission to perform this operation”. This happens when I perform any action in Outlook. I login fine but when try sending or replying to emails. I get this error. I have full access(Admin) on my machine(Win XP) Any ideas on where to start troubleshooting. I cnt stand Lotus anymore. We will be migrated to Outlook only in December or Jan 2013, but I cannot wait that long. Please note that all my emails are coming in to Outlook fine. I just cannot reply or send anything

Thank you in advance

  • Subscribe
  • Subscribe to RSS feed

Report abuse

Although many of the following tips are for vista or Win7, the basic concept often still applies to XP

How to fix Access Rights problem

Sometimes the problem has been that Windows has had problems granting the right access to files, folders and the registry. The following tips provide some workarounds.

As you go from XP to Vista to Win7 certain operations require higher access rights to perform. These access rights are “higher” than even those granted to the Administrator ID by default. These “elevated” rights are accessed by way of the UAC confirmation dialog which is invoked when you select to “Run As Administrator”.

In theory, any one of the following tips should work. The process is: run one of the fixes, run each affected Office app, reboot TWICE (sorry, I don’t know why, but there appears to be some “Voodoo” at play here. We do it because it works!) TWICE (sorry, I don’t know why, but there appears to be some “Voodoo” at play here. We do it because it works!), try the office apps again to confirm the fix worked.

If you want to first confirm that access rights are a problem this article describes how: http://www.windowsecurity.com/articles/Why-Applications-Dont-work-standard-users.html

This is a good tool for reporting on file access rights

Access Rights FYI: How to Understand Those Confusing Windows 7 File / Share Permissions

FYI: One person had to fix access rights to their won %TEMP% folder.

How do I restore security settings to a known working state? – http://support.microsoft.com/kb/313222

FYI: for this situation, you can consider Vista and Win7 to be essentially interchangeable with only minor differences between the user interface in the 2 versions.

In Windows 7, even when you are logged in as administrator, UAC no longer gives you “Full” administrator rights. To get all of the access you now also have “run as administrator”

It appears there is an error where your userid is not being allowed to update the activation information in the registry.

The general process is :

· Close all of the office apps

· Start one of the Office apps using any one of the following “run as admin” techniques

· Start it normally, confirm the message has “gone away”

· If the message is gone, reboot the computer

· Start the office app again to confirm that the message really is gone for good (was saved in the registry)

What you need to do is “runas admin”:

· Go to the start menu and find the program icon you want to start

  • on it
  • Select “Run as …”

If that doesn’t work try this:

· In the start menu, right click on the shortcut for any Office app, select “RunAs Admin”
If runas does not appear, right click and drag the shortcut to the desktop

  • create a shortcut on the desktop.
  • Right click on the desktop shortcut,
  • runas admin should be there.

Activate the application/office:

· 2007 Office button / 2010 File tab

  • Help
  • Click on “Activate the Application”
  • Follow prompts to enter product key
  • Close the app
  • Restart app normally

If that doesn’t work, sometimes the problem has been that Windows has had problems granting the right access to files,folders and the registry. The following tips provide some workarounds.

If you are technically adept, you can try this fix.

Solving setup errors by using the SubInACL tool to repair file and registry permissions – http://blogs.msdn.com/b/astebner/archive/2006/09/04/739820.aspx

If that doesn’t work, try rebooting into Clean Boot mode (with networking) to do the install/activation.

The file server permissions must be carefully implemented to provide appropriate access to content. This involves locking down permissions on the share and physical folders.

Permissions

The following table lists permissions that were used for the file server share and folders in the Shared Hosting Setup mentioned in the Planning the Web Hosting Architecture section of the Hosting Guidance. Based on the shared hosting environment used, server administrators should develop their own custom permissions that meet their needs.

Path Permissions Reason
\server\share$ (share) Domain Administrators – Full Control Domain Users – Change MachineAccounts$ – Full Control The share permissions need to allow the administrators and site accounts to access the content. The physical path will be restricted to actual needed permissions.
E:\Content (physical path of share) Administrators – Full Control System – Full Control This is the folder that is shared. It does not need permissions for any accounts aside from the built-in Administrators group and System account.
E:\Content\ (the container for a specific site or user) Administrators – Full Control System – Full Control Site Owner – List Folder Contents This folder is used as a container for folders like the site’s home directory and its log files. The Site Owner should be able to read this folder but does not need write access.
E:\Content\ \wwwroot (the IIS home directory for the site) Administrators – Full Control System – Full Control Site Owner – Modify App Pool Username – Read This is the root of a Web site belonging to the user account. App Pool Username is used as both the application pool identity and the anonymous username for the Web site.
E:\Content\\Logs (the container for logs) Administrators – Full Control System – Full Control Site Owner – Read Note that this folder for logs is stored ABOVE the root of the site, so that it is not accessible by a visitor browsing the site. It is not recommended that you put this folder in any location accessible from a Web browser, for security purposes.
E:\Content\\Logs\FailedReqLogs (the container for failed request tracing logs) Administrators – Full Control System – Full Control App Pool Username – Full Control This is the folder used to store Failed Request log files, which allow a site owner to diagnose problems with their Web site. These logs are written by the worker process identity, App Pool Username.
E:\Content\\Logs\W3SVCLogFiles (the container for W3SVC traffic logs) Administrators – Full Control System – Full Control MachineAccount$ – Full Control This is the folder used to store the log files for the Web site, which allow a site owner to see their traffic patterns. If the server administrator does not wish to share these files or wants to provide an alternate method for determining traffic, these files can be stored elsewhere. MachineAccount$ is the Web server’s machine account, as these logs are written by HTTP.SYS.

Configuring Permissions

To configure permissions for the share

In Windows Explorer, right-click the folder you want to share, and then click Properties.

On the Sharing tab, click Advanced Sharing.

In User Account Control, click Continue to accept the prompt that Windows needs your permission to perform the action.

In the Advanced Sharing dialog box, check Share this folder.

Set the Share name and Comments as appropriate. To make the share hidden, add a $ to the end of the share name.

Hiding a share means that when you connect to [\server] (file://server/) you will not see the share unless you specifically enter the path [\server\share$] (file://server/share$) .

Click Permissions.

In the Permissions dialog box, remove the Everyone group, if it exists.

Add the appropriate user or group that should have access to the share.

Specify the permissions (Full Control, Change, Read) for the user or group.

Click OK twice and then click Close to close the dialog boxes.

To configure permissions for the folder structure

  1. In Windows Explorer, right-click the folder you want to share, and then click Properties.
  2. On the Security tab, click Edit.
  3. In the Permissions dialog box, add the appropriate users or groups that should have access at each level of the folder structure.
  4. Specify the permissions (Full control, Modify, Read & execute, List folder contents, Read, Write Special permissions) for the users or groups.
  5. Click OK twice to close the dialog boxes.

See C# and PowerShell Scripts Samples for a sample script to configure default documents. as an example of creation of a share and setting of permissions.

Open Windows Explorer by pressing the Windows key and clicking Computer; then browse to the folder whose permissions you want to manage.

Right-click the folder you want to manage and then choose Properties from the contextual menu.

The Properties dialog box for the folder appears.

Click the Sharing tab; then click Advanced Sharing.

The Advanced Sharing dialog box appears.

The dialog box shown appears. This dialog box lists all the users and groups to whom you’ve granted permission for the folder. Initially, read permissions are granted to a group called Everyone, which means that anyone can view files in the share but no one can create, modify, or delete files in the share.

When you select a user or group from the list, the check boxes at the bottom of the list change to indicate which specific permissions you’ve assigned to each user or group.

How to understand those confusing windows 7 file/share permissions

Click the Add button.

The dialog box shown appears.

How to understand those confusing windows 7 file/share permissions

Enter the name of the user or group to whom you want to grant permission and then click OK.

If you’re not sure of the name, click the Advanced button. This action brings up a dialog box from which you can search for existing users.

When you click OK, you return to the Share Permissions tab, with the new user or group added.

Select the appropriate Allow and Deny check boxes to specify which permissions to allow for the user or group.

Repeat Steps 5–7 for any other permissions that you want to add.

When you’re done, click OK.

If you want to grant full access to everyone for this folder, don’t bother adding another permission. Instead, select the Everyone group and then select the Allow check box for each permission type.

You can remove a permission by selecting the permission and then clicking the Remove button.

If you’d rather not fuss with the Share and Storage Management console, you can set the permissions from My Computer. Right-click the shared folder, choose Sharing and Security from the contextual menu, and then click Permissions. Then you can follow the preceding procedure, picking up at Step 5.

The permissions assigned in this procedure apply only to the share itself. The underlying folder can also have permissions assigned to it. If that’s the case, whichever of the restrictions is most restrictive always applies. If the share permissions grant a user Full Control permission but the folder permission grants the user only Read permission, for example, the user has only Read permission for the folder.

About This Article

This article is from the book:

About the book author:

Doug Lowe is the bestselling author of Networking For Dummies and Networking All-in-One Desk Reference For Dummies. His 50+ books include more than 30 in the For Dummies series. He has demystified everything from Microsoft Office and memory management to client/server computing and creating web pages.

A short video at windowsecurity.com, one of my favorite sites, explains the file sharing options on Windows 7, especially as they relate to permissions.

The examples use a system which is a member in a Windows domain. The lesson that Advanced permission settings give you much more flexibility and power than the basic ones goes as well in the case of workgroups/homegroup.

More Inside PCMag.com

About Larry Seltzer

Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they’re still in business!) and Chase Econometrics (not so …

More From Larry Seltzer

  • PopupDummy! v2.71
  • SpamKiller
  • Netgear ProSafe VPN Firewall FVS328NA
  • Spy Remover 5.0
  • SpyBot Search & Destroy
Comments

PCMag is obsessed with culture and tech, offering smart, spirited coverage of the products and innovations that shape our connected lives and the digital trends that keep us talking.