共用方式為


When Shared Documents aren't

I just spent an hour helping a friend debug the strangest problem I've seen here at the Friends And Family Helpdesk.

John sent me an email asking why his Shared Documents folder had been renamed to Documents, and why he now gets Access Denied errors every time he tries to browse into it.  Through the wonders of XP's Remote Assistance feature, I was able to take control of his machine and do some investigating.

I figured I'd start by looking at the Users and Groups MMC snap-in to see what kind of account he had, and then use the Security tab on the folder to take ownership or change ACLs as needed.  As it turns out, he's running XP Home, which offers neither of these features.  But even Home includes cacls.exe, so I used that to see what was going on.

The good news, I suppose, is that everything made sense -- running cacls "c:\Documents and Settings\All Users\Documents" showed that the ACL for the folder was empty, no users had permission to do anything.  I was able to fix it by doing a "/g builtin\administrators:F /t", although I kept getting permission denied errors on some of the subfolders, and had to manually re-run the same command on them.

The bad news is that I am totally stumped as to how this could have happened. It doesn't seem like the Home UI offers any possible way to muck with folder ACLs.  I know John didn't do any hacking with cacls.  And his virus checker reports the machine is clean.  Really strange stuff.  I also couldn't figure out how to tell the shell UI to display the name as "Shared Documents" rather than just "Documents".  John told me that he recently installed Picassa 2.0 and used it to delete some of the pictures in the Shared Docs folder, but I can't imagine why Picassa would ever get invovled in changing ACLs.

I guess there's no real point to this post other than to say wow, that was a strange problem.

[Update: it seems my friend has not been the only person to get into this state: https://support.microsoft.com/default.aspx?scid=kb;en-us;813649&Product=PlusDig]

Comments

  • Anonymous
    January 29, 2005
    I know this won't work with "Remote Assistance", but if you boot XP in "Safe Mode" you get access to the "Security" tab in Explorer.

    I had to do this so that documents placed in "Shared Documents" really good be shared when everybody was a non-Administrator. That is, after I'm done editing/creating a document, everybody else still has rights to change it.

    No idea how things got in such a mess to begin with. But you might get fewer calls at the "Friends and Family" helpdesk if you set everyone up to run w/o Administrator rights.
  • Anonymous
    January 30, 2005
    You can boot into safe mode and view the security tab
    http://support.microsoft.com/default.aspx?scid=kb;en-us;308418
    Not sure how well remote assistance works in safe mode with networking.
  • Anonymous
    January 31, 2005
    Thanks for the safe mode tip, that's good to know. And I agree with Daniel that running as regular user would be a good idea.

    Also, I got an email response about getting the folder name back to "Shared Documents":

    The name "Shared Documents" comes from the hidden %ALLUSERSPROFILE%Documentsdesktop.ini file. You need to [attrib +r "%ALLUSERSPROFILE%Documents"] to get Explorer to pay attention to it.
  • Anonymous
    January 31, 2005
    Running as regular user is a good idea until they want to install some software and then you get a call.

    A better approach from MS would be a service that elevates their pivileges (prompts for admin password) when a user wants to install software. This needs to be very simple for the average home user. RunAs in it's current state is not simple (for the average home user).
  • Anonymous
    January 31, 2005
    Unfortunately, implementing my suggestion can be a bit of a nuisance. The problem is that runas.exe /savecred “is not available on Windows XP Home Edition”.

    So if you try to do “the right thing” and setup everybody to run w/o Administrator privileges, you’ll inevitably find some program that isn’t well behaved. The “right thing” then is to change the shortcut to launch just that program as a Administrator user using runas.exe. But that will prompt for a password. On WinXP Pro, not a big deal after the first time with the /savecred flag, but on WinXP Home, you’ll have to type a password in every time.

    And you wonder why people get excited about a $499 Mac… ½ :-)

  • Anonymous
    February 13, 2005
    I posted a solution to the the mysterious "Shared Documents" -> "Documents" on Microsoft's Newsgroups. Here's the post if you would like to take a look.

    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windowsxp.security_admin&tid=e6c63ec8-9302-4ec6-87d0-9a048c49a0ca&cat=en_US_850c4b7a-113f-45f2-93ff-9d21e03b29f3&lang=en&cr=&sloc=en-us&m=1&p=1