November 25, 2002 12:00 AM

Letters to the Editor

Windows IT Pro
InstantDoc ID #27209

EDITOR'S NOTE:
Windows & .NET Magazine welcomes feedback from readers about the magazine. Please send comments to letters@winnetmag.com and include your full name, email address, and daytime phone number with your letter. We edit all letters and replies for style, length, and clarity.


Finding Nltest


In Paul Robichaux's "The Zen of Remote Troubleshooting" (October 2002, InstantDoc ID 26367), the author states that Nltest is in the Microsoft Windows 2000 Server Resource Kit. But Nltest is one of the Win2K Support Tools, and you install it from the \support\tools directory on the Win2K Server CD-ROM.

You're correct. Nltest is in the Win2K Support Tools package on the product CD-ROM, not in the Win2K Server resource kit. I have a group policy that automatically installs the support tools and the resource kit on each Windows server in my lab, eliminating the need to remember which tool comes from which distribution.


More Than Scheduling
After reading Mark Weitz's Market Watch: "Server Defragmentation Utilities" (October 2002, InstantDoc ID 26350), you could conclude that the only difference between the Windows 2000 built-in defragmenter and third-party products is the ability to schedule. Nothing could be further from the truth. Organizations evaluating server defragmentation software are looking for a quality job that keeps systems operating at peak efficiency and shortens backup run times. Scheduling is irrelevant if the task isn't getting done.

Users have a right to expect that their defragmenter is doing a complete job. Several of the products Mark cited, including the Win2K defragmenter, are multipass defragmenters that you must run over and over to defragment the disk, especially in cases of heavy fragmentation, limited free space, and very large disks. By design, multipass defragmenters fragment the remaining free space on the disk, which accelerates future fragmentation.

Today's APIs fully support the ability to completely defragment files and free space on any size partition in one pass. Raxco Software's PerfectDisk 2000 delivers single-pass defragmentation on partitions that are greater than a terabyte with as little as 5 percent free space.


Clarifying Deny and Allow
I want to give you my compliments on the recent issue that focused on security (October 2002). Security is the most complicated and least understood topic for most systems and network administrators. In Mark Burnett's great article, "NTFS Permissions for IIS Web Servers" (InstantDoc ID 26358), he gives instructions for viewing which username is running which process. I believe you have this option only if you're running Windows 2000 Server Terminal Services. Can you verify this? Also, could you explain the difference between denying a user a permission and simply not allowing a permission? You have two check boxes for each permission—one for Allow and one for Deny. What's the difference between selecting the Deny check box and not selecting the Allow check box?

You're correct; you need to have Win2K Server to view which username is running which process. Regarding permissions, not letting an account have access to a resource is somewhat the same as denying them access. However, you use Deny access control entries (ACEs) to create an explicit exception to an Allow ACE. For example, suppose you let Authenticated Users have Read access to a directory, but you don't want anonymous Web users to have any access to that directory. To do this, create an Allow entry for Authenticated Users, then explicitly Deny the IUSR_computername account. Because Deny ACEs have precedence over Allow ACEs, all Authenticated Users except the IUSR_computername account will have access to the directory.

You can also use Deny ACEs to easily set permissions across a large number of directories. For example, you can deny one user or group access to an entire partition without having any effect on the existing NTFS permissions.

Finally, I sometimes use Deny ACEs for emphasis. If I want to clarify that a specific account isn't allowed to have access, I use a Deny ACE rather than not allowing access so that I'll remember about that account when I'm setting permissions. Also, if someone inadvertently allows access to the account in the future, the Deny ACE will have precedence.
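
The difference between an unchecked Allow and a checked Deny, as a simplified model of the NTFS access check. This is an added example, not code from the magazine or from Microsoft; the computer name WEB01, the account names, and the two-right permission set are constructed. It goes one step beyond the reply by also modeling inherited ACEs, where an explicit Allow set on the folder is evaluated before a Deny inherited from its parent.

```python
# Simplified model of the NTFS access check (added example; constructed data).
from collections import namedtuple

# trustee: account or group name; inherited: ACE came from a parent folder
Ace = namedtuple("Ace", "kind trustee rights inherited")

def canonical_order(aces):
    """Order ACEs as the Windows ACL editor writes them:
    explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(token, dacl, wanted):
    """Walk the DACL in order. token = set of names (account plus groups),
    wanted = set of requested rights. Returns True if access is granted."""
    remaining = set(wanted)
    for ace in canonical_order(dacl):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and remaining & ace.rights:
            return False          # a Deny on a still-needed right ends the check
        if ace.kind == "allow":
            remaining -= ace.rights
            if not remaining:
                return True       # every requested right has been allowed
    return False                  # no matching Allow: implicit deny

# Constructed tokens: the anonymous web account is itself an authenticated user.
ALICE = {"alice", "Authenticated Users"}
IUSR = {"IUSR_WEB01", "Authenticated Users"}
OUTSIDER = {"guest"}

# The ACL from the reply: Allow Authenticated Users Read, Deny IUSR_computername.
DACL = [
    Ace("allow", "Authenticated Users", {"read"}, False),
    Ace("deny", "IUSR_WEB01", {"read", "write"}, False),
]

# Same folder after someone later adds an explicit Allow for the IUSR account.
DACL_WITH_MISTAKE = DACL + [Ace("allow", "IUSR_WEB01", {"read"}, False)]

# Variant: the Deny is inherited from the parent, the Allow is set on the folder.
DACL_INHERITED_DENY = [
    Ace("deny", "IUSR_WEB01", {"read"}, True),
    Ace("allow", "IUSR_WEB01", {"read"}, False),
]
```

An account with no matching ACE (OUTSIDER) and an account with a Deny ACE (IUSR) are both refused, but only the Deny survives a later explicit Allow at the same level.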


Another File Extension to Avoid
Michael Otey's Top 10: "Safe Email Practices" (October 2002, InstantDoc ID 26422) was a great article—informative and timely. I would add one other file extension to avoid: .src files, which are script files that several viruses use. The extension is the same for screen savers as it is for script files.

OOPS
Several readers pointed out that in "Best Systems Management Products" (September 15, 2002), we identified ACD Systems' ACDSee 4.0 as the winner in the Disk Imaging Software category. ACDSee, which lets you manage digital images, appeared in the wrong category; it isn't disk-imaging software. We apologize for any inconvenience this error might have caused.


Comments
  • André van den Beukel
    8 years ago
    Jan 15, 2004

    In Letters to the Editor: "Another File Extension to Avoid" (December 2002, http://www.winnetmag.com, InstantDoc ID 27209), John E. Quigley suggests, regarding Michael Otey's Top 10: "Safe Email Practices" (October 2002, InstantDoc ID 26422), that you avoid ".src files." I think this should be ".scr files" because that's the extension for screensavers and scripts (and of several viruses). I found "Safe Email Practices" very useful. However, the article missed an obvious one: "Don't open .exe files." Also, number 10, "Install an antivirus product," is good but useless if you install the product and never update it.

  • Paul Gater
    8 years ago
    Jan 15, 2004

    In Letters to the Editor: "Clarifying Deny and Allow" (December 2002, http://www.winnetmag.com, InstantDoc ID 27209), Mark Burnett concurs that you need to have Windows 2000 Server to view which username is running which process. But you can use the Microsoft Windows NT Server 4.0 Resource Kit's Pulist command to show the username for each process identifier (PID) running on a computer. Figure 1 shows an example of the output.



    I hope nobody rushed out to buy Win2K just to view usernames and processes!


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.