Troubleshoot data access and usage
It can be frustrating when you use a system and something goes wrong. Understanding common problem areas and their resolutions can often reduce frustration and prevent data loss. The only time many people think about troubleshooting and recovery is the moment a computer fails, which is often too late to help. Windows 10 introduces some new features and offers several strong data recovery and restoration tools, which you will review in troubleshooting scenarios.
Troubleshoot data access
Access Denied is not a helpful message, even for experienced administrators. The message tells you that you do not have the necessary level of privilege to access the resource. This can relate to the following.
- User rights assignments
- Security options and permissions
A user rights assignment might mean that you are not allowed to carry out a task, such as accessing the system remotely over the network, or you are not allowed to shut down a system or take ownership of a file. These rights are configured as part of Group Policy, and you can familiarize yourself with the types of circumstances that can be managed by using user rights assignments in Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
If you see that user rights are affecting users, you can modify the group membership that relates to the setting or, if the policy has been set in error, you can disable the setting.
Security options often relate to permissions on objects (such as devices, resources, and shares). They can permit or deny the ability of the user to perform a task, such as logging on with a Microsoft account; influence how UAC affects users with administrative accounts; prevent anonymous access to shares; or deny access to a device outside of normal office hours.
These permissions are normally configured in a domain environment, but you can also familiarize yourself with them through local Group Policy to see the types of security policies that can be managed using Security Options, which you can find in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
Reviewing the settings and establishing which, if any, are being applied through Group Policy can give you a better understanding of whether users are being affected by these access policies.
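As an added example (not part of the original text), the following PowerShell exports the user rights currently in effect on the local computer and resolves the accounts that hold the rights mentioned above. It assumes an elevated prompt; the temporary file name and the Resolve-Principal helper are illustrative.

```powershell
# Added example: run from an elevated PowerShell prompt.
$cfg = Join-Path $env:TEMP 'user-rights.inf'        # illustrative file name
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

# Rights discussed in the text, keyed by their Windows constant names.
$rights = [ordered]@{
    SeNetworkLogonRight      = 'Access this computer from the network'
    SeDenyNetworkLogonRight  = 'Deny access to this computer from the network'
    SeShutdownPrivilege      = 'Shut down the system'
    SeTakeOwnershipPrivilege = 'Take ownership of files or other objects'
}

# Hypothetical helper: secedit writes SIDs as *S-1-...; translate them to names.
function Resolve-Principal([string]$Entry) {
    $value = $Entry.Trim()
    if (-not $value.StartsWith('*')) { return $value }   # already an account name
    $sid = $value.TrimStart('*')
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $sid }                                      # unresolvable SID: show it raw
}

$lines = Get-Content -Path $cfg
foreach ($name in $rights.Keys) {
    $line = $lines | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
    $holders = if ($line) {
        ($line -split '=', 2)[1] -split ',' |
            Where-Object { $_.Trim() } |
            ForEach-Object { Resolve-Principal $_ }
    } else { '(not listed in export)' }
    [pscustomobject]@{
        Right      = $rights[$name]
        Constant   = $name
        AssignedTo = $holders -join '; '
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

To see which Group Policy object, if any, supplied a value, generate a report with gpresult /h report.html and compare it with this output.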
If you use the HomeGroup feature, there is a useful troubleshooting wizard that can resolve connection issues with HomeGroup resources over the network. To launch the HomeGroup troubleshooter, type HomeGroup in Search and select Find And Fix Problems With HomeGroup.
Troubleshoot share and NTFS permissions
When you combine share and NTFS permissions, it is easy to restrict access to resources across the network without intending to. By accepting the default share permissions, you provide standard users with only read access even if NTFS permissions are less restrictive.
Unfortunately, there is no wizard to diagnose which restrictions are in effect, but you can use the Effective Permissions feature in NTFS to determine the permissions being applied to a specific user or group (Principal).
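The following added example (not from the original text) lists the share permissions and the NTFS permissions for one shared folder side by side, and warns about share entries that allow only Read. The share name Projects is hypothetical, and the script assumes an elevated prompt on the computer that hosts the share.

```powershell
# Added example. 'Projects' is a hypothetical share name; run elevated on the
# computer that hosts the share.
$shareName = 'Projects'
$share     = Get-SmbShare -Name $shareName

# Share-level entries: evaluated only for access that arrives over the network.
$shareAcl = Get-SmbShareAccess -Name $shareName | ForEach-Object {
    [pscustomobject]@{
        Layer     = 'Share'
        Principal = $_.AccountName
        Type      = [string]$_.AccessControlType   # Allow / Deny
        Rights    = [string]$_.AccessRight         # Read / Change / Full
        Inherited = ''
    }
}

# NTFS entries on the folder behind the share: evaluated for every access.
$ntfsAcl = (Get-Acl -Path $share.Path).Access | ForEach-Object {
    [pscustomobject]@{
        Layer     = 'NTFS'
        Principal = $_.IdentityReference.Value
        Type      = [string]$_.AccessControlType
        Rights    = [string]$_.FileSystemRights
        Inherited = $_.IsInherited
    }
}

@($shareAcl) + @($ntfsAcl) | Sort-Object Principal, Layer | Format-Table -AutoSize

# A user whose only share-level access comes from a Read entry is limited to
# read access over the network, whatever the NTFS entries grant.
$shareAcl | Where-Object { $_.Type -eq 'Allow' -and $_.Rights -eq 'Read' } |
    ForEach-Object {
        Write-Warning ("Share '{0}' allows only Read for {1}; NTFS write rights do not apply over the network through this entry." -f $shareName, $_.Principal)
    }
```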
NTFS is all about rules, and they are applied thoroughly by the file system. Wrongly applied settings, often combined with default inheritance, can spread a wrongly configured setting across hundreds of files instantly. Unlike most operations, there is no undo option.
If you simply cannot decipher which NTFS settings are creating the problems, or if the problems are too complex or widespread, you could try to reset the file and folder permissions by using the ICACLS command-line utility.
This is especially useful if you get locked out of files and folders due to incorrect or deleted NTFS permissions.
To reset permissions using ICACLS, follow these steps.
- Log on to your computer, using an administrator user account.
- Open File Explorer and navigate to the folder that is giving you the problems.
- On the File Explorer menu, click File and then click Open Windows PowerShell As Administrator.
- Accept UAC if prompted.
- Type icacls * /RESET /T /C /Q.
The process of resetting files and folders to their default settings is very quick. After the original operating system defaults have been applied, you can configure the desired settings.
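Because there is no undo, it is worth saving the existing ACLs before running the reset. The following is an added example, not part of the original procedure: it wraps the same icacls command in a backup step, using a hypothetical folder path and a backup file in the TEMP folder. The /reset switch replaces each ACL with the default inherited ACL, /T recurses into subfolders, /C continues past errors, and /Q suppresses success messages.

```powershell
# Added example: run from an elevated PowerShell prompt.
$target = 'D:\Data\Projects'     # hypothetical folder with the broken permissions
$backup = Join-Path $env:TEMP ("acl-backup-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))

Push-Location $target
try {
    # 1. Save the current ACLs of everything below the folder. The file stores
    #    relative paths, so it must be restored from this same folder.
    icacls * /save $backup /T /C /Q

    if (-not (Test-Path $backup) -or (Get-Item $backup).Length -eq 0) {
        throw "ACL backup was not written to $backup; nothing has been reset."
    }

    # 2. Same command as in the steps above. The * matches the contents of the
    #    folder, so the ACL on the folder itself is left unchanged.
    icacls * /reset /T /C /Q

    # 3. Show the ACL on the folder, which the reset items now inherit.
    icacls .
}
finally {
    Pop-Location
}

# Roll back, if needed, from the same folder. Do not edit the backup file:
# icacls expects it in the encoding it was written in.
Write-Host "To roll back: cd '$target'; icacls . /restore '$backup' /C /Q"
```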
Troubleshoot dynamic access control
If you use an Active Directory domain-based environment, your administrator might have deployed dynamic access control (DAC), a new and very robust method of applying data governance across resources stored on AD DS file servers.
DAC helps organizations control and audit data access by enabling you to set access controls on files and folders, based on conditions that are retrieved from Active Directory. If DAC is enabled, you see the condition statements being applied in the permission entry dialog box relating to the file or folder under review.
Troubleshoot data recovery
When data is deleted or lost due to hardware failure, you will often look to the current backup and restore from disk or from the cloud. Both of these solutions are slow (though often much quicker than the older method, which involved magnetic tape drives). It can take less than a second to delete a thousand files, and yet restoring them by using traditional methods can take a great deal longer. For the recovery of data from Windows 7 backups, Windows 10 retains the traditional Backup And Restore (Windows 7) tool. In a fast-paced, mobile world, users require a more agile and self-service model of recovering files that might become corrupt.
Consider using tools such as the Previous Versions feature, which enables you to restore files to a previous state instantly and empowers users to recover files without calling the help desk.
Another restorative tool that works particularly well when a system becomes corrupted or infected with a virus or malware is System Restore, located on the System Protection tab of System Properties in Control Panel. The System Restore feature is disabled by default, and it cannot repair or restore corrupted files and folders or NTFS permissions; it restores only the system state and registry.
Some of the advancements developed for the data center have also migrated to Windows 10. You can now employ features such as Storage Spaces, which allow for local data resilience, and the new ReFS, which offers file healing and protection features.
A trend that is likely to continue is to use the cloud to decouple data from a device and place it in the data center, where it should be more secure and significantly more resilient to hardware failures. OneDrive enables you to do this at a user level and to synchronize changes made to resources in the cloud.
Recover BitLocker encrypted drives
If you encrypt your device or hard drive by using BitLocker and use a Microsoft account, you can specify that BitLocker saves a recovery key to your Microsoft account, where it is stored in your OneDrive. If you become locked out of your device, perhaps because you moved the hard drive to another computer, and you need to obtain your saved BitLocker recovery key, follow these steps.
- Open an Internet browser.
- Navigate to https://onedrive.live.com/recoverykey and sign in with your Microsoft account.
The recovery keys for all your BitLocker-protected drives will be available.
Remember the URL for locating the BitLocker recovery key, https://onedrive.live.com/recoverykey. In an enterprise environment, you can use Active Directory or the Microsoft BitLocker Administration And Monitoring (MBAM) tool to help you administer and manage BitLocker deployment and key recovery.