Windows Server 2003
cancel
Showing results for 
Search instead for 
Did you mean: 

Volume Shadow Copy Restore Permissions

 

Volume Shadow Copy Restore Permissions

Hi,

I've just been looking at Volume Shadow Copies, and am generally fairly pleased with what I can use them for.

There is one area of concern however - when a user looks to restore a deleted file, they look at previous versions of the folder the file was in... it's very easy for an inexperienced user to accidentally restore the entire folder, which if it is a shared folder could be fairly catastrophic for other users work in that folder... So my questions are:

1. If a user has write access to a folder, and accidentaly restores to a previous version will other users work in that same directory also be restored to the previous version?

2. Is there any way to take away this kind of access while preserving it for administrators?

Thanks

Duncan

HTH

Duncan
6 REPLIES 6
Ganesh Babu
Honored Contributor

Re: Volume Shadow Copy Restore Permissions

Ganesh Babu
Honored Contributor

Re: Volume Shadow Copy Restore Permissions

i am sorry.. the url got messed up..

http://www.microsoft.com/usa/presentations/VolumeShadowCopyLab.ppt

In this PPT, there is an slide for additional note.. check that one..

Ganesh

Re: Volume Shadow Copy Restore Permissions

Ganesh,

Yeah, I'd seen this presentation - this is interesting, but doesn't really help...

Here's an example... My File Server (fs1) has a disk D: - on it I have a directory called shares (D:\shares) - I share this out to my users as 'users', so they all mount \\fs1\users

Now its true that any files they create in \\fs1\users they won't be able to restore themselves through shadow copies - they would need an admin in access \\fs1\d$ and restore the file from there... but in the interests of a sensible file hierarchy they won't put all there files in this directory - they will stick them in a bunch of sub-directories. Lets imagine they have a subdirectory \\fs1\users\finance\common that is used by 20 or so accountants to store work-in-progress spreadsheets - they all have write access to the directory... now one of the accountants deletes a spreadsheet in this directory by accident - he decides to pull it back by accessing a previous version of the directory \\fs1\users\finance\common, but he chooses the restore option here and restores the entire dorectory! Now all work since the last shadow copy is lost!

As I said, there should be a way of preventing this, maybe through an AD group policy?

Any ideas gratefully recieved - 10 points for the perfect solution!

CHeers

Duncan

HTH

Duncan
Thomas Bianco
Honored Contributor

Re: Volume Shadow Copy Restore Permissions

this is one reason we disable VSC on our 2003 servers.

it's less work to use the existing tape backup software (not to mention we're pressed for Disk on our san)
There have been Innumerable people who have helped me. Of course, I've managed to piss most of them off.
Highlighted
WebWalker
Advisor

Re: Volume Shadow Copy Restore Permissions

Hi duncan,
Unlike a true restore operation, when you restore a file Previous Version, the security settings of the previous version are not stored. If you restore the file to its original location, and the file exists in the original location, the restored previous version overwrites the current version and uses the permission assigned to the current version. If you copy a previous version to another location, or restore the file to its original location but the file no longer exists in the original location, the restored previous version inherits permissions from the parent folder.

At the and of the story are good abits always do a backup of datas before make any changes. Better if you do it with NTbackup utility which backup not the files/folders only, but the securyty settings too.

Hope it helps...

Luca
Louis Reedijk
Occasional Visitor

Re: Volume Shadow Copy Restore Permissions

So still the question remains, is it possible to prevent users from restoring files or folders using VSCS. And still maintain the option to do it as an administrator.
I had a situation with one user in witch I was glad I had VSCS enabled, but like Duncan said. in most situation you don't want users to start restoring files and folders themselves.
I've looked and looked, and read a couple of hundred sites, but I can't find anything regarding this topic :( any help would be nice, or I will be forces to stop using VSCS.

BTW, If I would use a DFS, on a different server, with VSCS enabled on the other server, I could make it work, but then replication could cause VSCS to be to "late" rightÂ