Windows 11

User Account and File Troubleshooting in windows 11 and windows 10

User Account and File Troubleshooting

There are two things that are always a certainty with PCs. The first is that they’ll be used by a person (or people), and the second is that these people will be working on files and documents in order to get stuff done. You can just imagine then the chaos that can befall the land when one of these important services is unavailable.
Windows 11 does include powerful features though for managing user accounts, and account problems, but especially for managing disk, folder, and file access and permissions.

Note:I detailed how you can use Group Policy to manage security and access permissions for user accounts. Many IT Pros now though prefer to use Mobile Device Management (MDM) instead of Group Policy for this task. You can read more about MDM on the Microsoft Docs website.

Configuring User Accounts

The configuration and management of user accounts in Windows 11 now takes place entirely in Settings. There are a couple of important aspects of this though that relate directly to business and enterprise usage. These offer options for somebody signing into a PC using their workplace credentials or for when they sign in using their own Microsoft Account and want to add their workplace account as a second set of credentials to the PC.
For the latter, open Settings and then click Accounts, and in the right-hand pane, click Email & accounts. Here, you will see an option to Add a workplace or school account (see Figure 10-1).

Figure 10-1. You can add a workplace account as a supplementary account

This will give the end user three different options for signing in to their workplace account: either through using their username and password, by using a company supplied security key, or by searching for the organization if it has its accounts and user configuration set up on Azure (see Figure 10-2).

Figure 10-2. Microsoft makes it easy for people to sign in using a workplace account

The other method is for people that want to create a whole separate sign-in on the PC for their workplace account. Again, go to Settings and Accounts, and then in the right-side panel, click Access work or school. Here, you can easily connect the PC to a workplace Azure AD account (or a Domain if the user is connecting using their own laptop in the office); see Figure 10-3.

Figure 10-3. You can easily connect a PC to an Azure AD account

Troubleshooting an Azure AD Connection

If you need to troubleshoot a connection to an Azure AD account, you can click the Export button next to Export your management log files. This, as in the description in Settings, exports a series of files to the C:\Users\Public\Documents\MDMDiagnostics folder (see Figure 10-4). The user can be directed to these files so the folder can be zipped and emailed to a support person, or you can use a remote access system to sign in to the PC and obtain them directly.

Figure 10-4. You can export connection telemetry data about an Azure AD connection

Managing Provisioning and Device Management

In Microsoft’s Mobile Device Management (MDM) system, the company provides device management and provisioning systems. This enables a PC that connects to company servers to have certain security managed from a corporate level. None of this affects the end user, but it allows the system administrator to do some important things.

  • Specify a minimum level of security for the PC to meet in order for a connection to the company systems to be established. For example, antivirus protection and Windows Updates must be up to date.
  • Specify that the user account on the PC must have a password or be protected by Windows Hello biometric sign-in to keep corporate data safe.
  • Allow the system administrator to remotely wipe corporate data from the PC after the employee has left the company or for other reasons such as their switching to a different role within the organization.

Additionally, businesses can create Provisioning Packages for remote PCs. These allow the PC to be quickly and easily configured by downloading and configuring required business software and policy settings without the need for reimaging the PC. You can read more about how to create a provisioning package on the Microsoft Docs website.
Both these systems can be configured in Settings. Go to Accounts and Access work or school, and near the bottom of the right panel are links to Add or remove a provisioning package and Enrol only in device management (see Figure 10-5).

Figure 10-5. You can manage provisioning packages and device enrollment in Settings

The first is used if you have provided a provisioning package, either on a USB Flash Drive or by another method such as by emailing it to the user, and the latter can be used if you’re happy for the end user to use their own Microsoft Account on the PC, but you still need control over corporate data they access and store on the PC.

Managing Local Accounts

Then we come to local accounts on the PC. These are both created and managed in Settings under Accounts and Family & other users. In the Add other user section, you can click the Add account button to add somebody’s account to the PC. Also, here, you can then click that account to change the account type (between Administrator and Standard User) or to remove the account and (optionally) its documents and files from the computer (see Figure 10-6).

Figure 10-6. You can add local accounts in Settings

Other than this, there isn’t much you can do in Windows to “troubleshoot and repair” user accounts, and it’s often much simpler to delete the account, create a new one, and port over any settings and files needed. If you open Control Panel though (and again we can expect this to all be folded into either Windows Tools or Settings at some point in the future), you have options to manage file encryption certificates for the user, something we’ll look at in Chapter 17; to manage environment variables, which we’ll discuss in Chapter 11; and to Configure advanced user profile properties (see Figure 10-7).

Figure 10-7. You can still manage some account properties in Control Panel

This isn’t quite as exciting as it sounds, and really all you can do here is switch a Domain profile between a local account and a roaming account (see Figure 10-8), but it is at least an option you may need to use in a managed environment.

Figure 10-8. If you use a Domain, options exist to change the account profile type

Managing User Groups and Accounts

There are many circumstances in which a user could find themselves locked out of files, folders, and even whole disks in a PC. These include a file or disk corruption, working with or from a drive or device on which NTFS permissions aren’t supported, which can sometimes be the case with Network Attached Storage (NAS) drives, reinstalling Windows on the PC, transferring files and documents to a different user, having a user switch from one user “group” to another (we’ll look at these), and using recovered files after a malware or ransomware attack.
The result can be frustrating at best and pretty catastrophic at worst. Being unable to access a file, folder, or even a whole disk is a problem and a huge barrier to productivity. So how do permissions work in Windows 11, what is inheritance, and how do user groups affect how we can access and work with files?

Managing User Groups

You will already be familiar with the two types of user account in Windows. Administrator allows any action to be performed such as changing configuration settings, installing and removing software, and adding and removing users. Standard users are different because these users can only make changes that affect their own account, and not the PC as a whole. This means they can change personalization options but not install software except for Store apps, as an example.
There are other user groups available in Windows 11, and you can also create your own. Many of these are hangovers from previous Windows versions, but other groups can be useful to know about.
If you open Windows Tools and then open Computer Management, you will see a Local Users and Groups link in the left panel. Expanding this lets you view all of the users’ currently assigned accounts on the PC and also the groups (see Figure 10-9).

Figure 10-9. You can manage users and user groups in Computer Management

Some of these groups you will want to work with for PCs on your network, such as Hyper-V Administrators and Remote Desktop Users. If you double-click a group, a dialog will open displaying details of any users assigned to that group, with Add and Remove buttons. Click Add and you can search for users on the PC, clicking the Check Names button to have the system identify the user so they can be added (see Figure 10-10).

Figure 10-10. You can add users to user groups Using the Select Users Dialog

I want to put in a note about the best way to use the Select Users dialog in Windows, as when you’re searching for a user you won’t always find them when you click the Check Names button.
By default, the dialog will search for users on the current PC; in this example, the PC is named Charente. Click the Locations button to see other network-connected PCs on your network that you have access to, as it might be that a server administrator needs to be added to a group on a PC without having an account on that PC themselves.
If you then click the Advanced button, a more detailed search dialog will be displayed. Clicking the Find Now button will display a list of every user account assigned to the currently selected PC (see Figure 10-11). This can make it much simpler to add users to groups.

Figure 10-11. The Select Users dialog can be made to display all users on the PC

Managing User Accounts on the PC

When it comes to user accounts on the PC, again in Computer Management, available from Windows Tools, and by clicking Local Users and Groups in the left panel, you will see a full list of all the user accounts on the PC (see Figure 10-12). These are listed with the user’s full name, if available and applicable, and a description of the account, which is for the default accounts for the Windows system.

Figure 10-12. User accounts are managed from the Computer Management Console

Double-clicking an account will open a dialog with additional details of that account (see Figure 10-13), including whether the account is disabled (and hidden) on the PC and whether the password never expires, if the user must change the password on the next sign-in or if the user cannot change the password.

Figure 10-13. You can manage password settings for accounts

If you click the Member Of tab at the top of this dialog, you will see what, if any, groups that user is assigned to (see Figure 10-14). You will see Administrator or Users for most users, though some, such as DefaultAccount, have their own group. This is because DefaultAccount is the account used as a template when new user accounts are created on the PC.

Figure 10-14. You can see what group(s) a user is assigned to

If the user has a roaming profile on the PC, such as they connect through a Domain or Azure AD, then the Profile tab will allow you to view and change the path to the location of their profile on the server and optionally define a script to be run when the user signs in (see Figure 10-15).

Figure 10-15. You can change environment variables for roaming account types

You can view and modify the permissions for an object by right-clicking it and selecting Properties from the menu that appears. Clicking the Security tab in the Properties dialog will display the different user groups that have permissions on the object, and you can click a user group to check what those permissions are (see Figure 10-16).

Figure 10-16. You can check permissions for any object

To modify the permissions for an object, first make sure you are signed in as an Administrator, and then with the user group you want to change permissions for selected, click the Edit button.
This will display a dialog in which you can choose a user group to change the permissions for (see Figure 10-17). You can click the Add or Remove buttons to add group permissions, and when you are finished, click Apply to set the new permissions; note this may take a few minutes if permissions have to be set on multiple items.

Figure 10-17. You can edit, add, and remove permissions for objects

If you want more advanced control than the Permissions dialog provides, from the Properties dialog you can click the Advanced button. This will display a different dialog with more available options (see Figure 10-18).

Figure 10-18. The advanced properties dialog gives administrators more control

When you select a user group, you will be shown a list of the current permissions that are set (see Figure 10-19). This is very similar to the standard permissions dialog, though additional options are available to you. For example, at the top of the dialog is an option to Allow or to Deny the permissions you set on the object(s).

Figure 10-19. You can manage permissions for objects

Below this is a drop-down menu where you can have much finer control over what the permissions will be set for, and this is where inheritance comes into play which I will detail shortly. You can choose to set the new permissions only for the current folder, for the folder and everything underneath it, or in a more granular way, such as only for files (see Figure 10-20).

Figure 10-20. The dialog allows you to specify what permissions are set for

Lastly, on the right of the dialog is a Show advanced permissions link. Clicking this will display additional permission options that aren’t available in the standard permissions dialog (see Figure 10-21). In fairness though, you should never need these extended permissions.

Figure 10-21. You can view and set advanced permissions

Understanding Inheritance

Inheritance isn’t when a version of Windows dies and leaves you a ton of money in its will, though they do say “Where there’s a will, there’s a wa’hay!”; rather, it’s an easy way to manage permissions on a PC. In short, it means that any object that is created on a disk or in a folder will gain the same permissions as the object it was created from.
Let’s say you have a disk that has certain permissions set; this is the principal object, and anything created underneath it will “inherit” the same permissions that the principal has. In Figure 10-22, we can see an example of this with a disk, on which a series of folders, subfolders, and files has been created. All of these folders and files will have the same permissions as the main disk.

Figure 10-22. Inheritance is when objects gain their permissions from the objects above them in the tree

Where this becomes an issue is when files or folders are copied from one source to another, and the permissions for those objects are copied with them and aren’t automatically updated by Windows to match the permissions currently set on the destination drive or in the destination folder. This can occasionally occur when copying objects to or from a NAS drive that has its own proprietary file system, copying files from a non-Windows computer across the network, or copying files that are encrypted.
Under this circumstance, you will want to change the permissions on the copied items so that they match the permissions for the principal, or so they have different permissions that you define.

Note:If a folder beneath the Principal has different permissions set, it will then become its own Principal for anything created within it.

Let’s say you change the permissions on a folder. You also want to make certain that all the subfolders and files underneath or contained within this folder also have their permissions changed; otherwise, the permissions for those items will remain as they are.
In the advanced permissions dialog, when you change permissions on an object you should therefore make sure in this circumstance to check the box Replace all child object permission entries with inheritable permission entries from this object (see Figure 10-23).
This will ensure that the permissions are set, not only for the currently selected object but also for all the objects beneath it in the folder tree.

Figure 10-23. You need to be careful to tell Windows to set permissions for all child items

Note:For some folders on a PC, you will see a Disable inheritance button in the advanced permissions dialog. You can click this to disable the automatic inheritance for new objects created under the folder, though you will later need to check and set their own permissions appropriately.

Understanding Ownership

Something that can occasionally happen when files and folders are copied from a network store, or from another PC, but that is very common after an operating system reinstall on a PC, or when a faulty user account is deleted and a new one created, is that you can find yourself completely locked out of all access for files, folders, or even a full disk.
This is a feature of Windows called Ownership, and it is where the user account that has been defined by the operating system as the owner of those objects denies access to any other user. This happens for reasons of user security and to prevent one user on a PC from accessing or viewing the private documents created and stored by another user.
When this happens, you need to change the owner for the object(s). In Figure 10-24, we can see the advanced properties for both a disk and a folder. They have different owners, with the owner of the disk being System and the owner of the folder being Mike Halsey.

Figure 10-24. Different objects on a PC can have different owners

Caution:It is vital that the root of any disk has System set as its owner; otherwise, the operating system will not have the permissions it needs to perform vital operations such as virus and malware scans and file backups.

At the top of the advanced permissions dialog, you can click the Change link next to the owner details. In the dialog that appears, you can then select a new owner from the accounts set on the PC (see Figure 10-25). Make certain though you check the Replace all child object permission entries with inheritable permission entries from this object check box, so that all objects under the folder you have selected also have their ownership changed.

Figure 10-25. You can change the owner of a disk, folder, or file

Managing Permissions Using Scripting

If you prefer to use scripting to manage your PCs, you can use the Command Line tool icacls which displays and allows you to modify parameters on what’s called the Access Control Lists for a PC. The operations are performed on Discretionary Access Control Lists (DACLs) on the files, folders, or disks specified.
There are a great many switches you can use to display, create, and modify permissions and ownership using icacls, which is used in the format icacls <filename> [/grant[:r] <sid>:<perm>[...]] [/deny <sid>:<perm>[...]] [/remove[:g|:d]] <sid>[...]] [/t] [/c] [/l] [/q] [/setintegritylevel <Level>:<policy>[...]].

Security is obviously very important when it comes to our PCs and especially our files and documents, so you can find detailed information on Security Identifiers (SIDs) on the Microsoft Docs website.You can also use PowerShell to manage permissions with the Get-ACL and SetACL commands. These are straightforward in the way icacls is, but have many options.

Checking Effective Access for a Disk, Folder, or File

Sometimes, you want to check if a specific user or user group has the correct permissions for a disk or folder, which allows you to determine if those permissions need to be modified. This can be done from the Advanced Permissions dialog by clicking the Effective Access tab.
Click the Select a user link and search for the user or user group you wish to check the access permissions for. When you click the View effective access button, the permissions for that user or that user group on the currently selected object will be displayed (see Figure 10-26).

Figure 10-26. You can check what permissions other users and user groups have on an object

Managing Object Sharing on a PC

Sometimes, you will have a disk, folder, or perhaps an external drive such as a USB hard disk or optical drive that you want to share from a PC. This can be managed from the object’s properties by right-clicking it and selecting Properties from the menu that appears.

Tip:Sharing an optical drive, such as a DVD or Blu-ray drive, is a good way for a laptop or tablet to gain access to data or software it requires that’s only on an optical disk, but where the optical disk drive is physically installed in another desktop computer.

Clicking the Sharing tab reveals options to share the object, but there is also an Advanced sharing button which will allow you to share the item, specify a name for it so it can be found easily on a private or domain network, and to limit the number of simultaneous users that can access it (purely for performance reasons).
If you click the Permissions button, you can then set permissions for everybody or add specific users and user groups (see Figure 10-27). This means you can assign people read permissions, but not allow them to write to the drive or modify any files that are contained on it.

Figure 10-27. You can configure permissions for shared drives

Summary

Disk, folder, and file access and permissions can be a headache for system administrators, power users, and home users alike, especially when something has gone wrong that requires either a reinstall while keeping files and documents intact or deleting and creating a new local profile for a user. Fortunately, Windows has for years now included some excellent and fully featured tools for managing those permissions.
We’ll take this a step further in the next chapter and look in detail at the file and folder structure of Windows itself. We’ll examine what everything is, why it’s important, and why the installed operating system on your hard disk is always significantly larger than the 4GB installer you used to put Windows 11 on the PC in the first instance.