So I have a guy who's the IT resource in our DC office. That office has a manager who's bristling at our deployment of Sharepoint, but it's also has basic internet connectivity issues that the ISP, the LEC, and we've gone around and around on.
My boss, tired of hearing this manager whine about having our processes migrated to Sharepoint, send me and one of my IT peeps down to this DC office to "investigate if they're really a problem or if they're just whining." And we went.
Back to the IT resource. We'll start with the positives...he's a nice guy. And....did I mention he's a nice guy? The downsides...he has no short term memory, he's scared of the manager because they ask him for justification when he wants to do things, and he incompetent as an IT guy. But other than that, he's a nice guy.
Case in point: The first 1 1/2 hours of our trip I spent fixing his laptop. See, Windows 7 was sharing his media files to others running Windows 7. Obviously this isn't secure so he decided to fix it. He *tells* me that he removed access to the Users group from the C: drive on his laptop. Which is dumb, but shouldn't be THAT hard to fix. Log in as an admin, seize ownership, and reset permissions to default. If he set any custom permissions, I hope he wrote them down, but I got other things to do.
But that doesn't work. I can't even get to the Advanced view of the Security dialogs for the C: drive. I get an error loading the access control dialog because it's not accessible. Part of the problem is UAC, so I figure I'll need to remove the laptop from the domain so I can disable UAC and log in as the local admin to get it to work.
So I remove it from the domain, and my wonderful IT changed the password for the local admin and can't remember it. So I get the linux administrator password reset tool and blank it out so I can log in. Still can't get to the Advanced Security pages, but I can run cacls from the command line to see that he did NOT remove the Users group from the C: drive, he explicit DENIED Full Control access to the Users group on the C: drive.
For this of you who don't deal with NTFS permissions (and be happy you don't), most of the time permissions are set on a least access required policy. Meaning I give the bare minimum permissions required for functionality, and only add the least amount necessary as requirements change. So if I don't want someone to have access to a folder, I just omit them from permissions, I don't deny them access. Deny permission in NTFS is a sledghammer that trumps all other permissions. If I Deny you, then no matter what other permissions may give you access, you're not getting access.
So...since everyone is automatically a member of the Users group, and he Denied access to the Users groups, by the associative property (relative property, identity preoperty? I forget...) of IT stupidity, EVERYONE was denied access to his ENTIRE hard drive.
But Windows is smart enough to never totally lock out the local Administrator, so I was able to use TAKEOWN and icacls to sieze ownership and grant myself permissions, and then I rest all the default permissions on the drive.
I'll vent about how he didn't have the network switches or the router or the firewall plugged into the malfunctioning UPS another day.