
Topic: I need help coming up with a plan to fix my NTFS security permissions problems

superboyac

If anyone wants to help me out with this, I'd appreciate it greatly.  Here's the background:

After a long time planning, I finally set up my custom storage server.  It's a box with several drives running a Windows 2012 server.  After doing some tests and research, I settled on using the FlexRAID Traid product, which is a drive pooling software raid system.  I initially tried the new windows storage spaces, but didn't like the speed and features.  Traid sold me on the fact that you can pull a drive out and the files and everything are intact without much fussing around at all.

OK, here's the problem.  I set up my first active directory domain services.  Then, unfortunately, I accidentally removed ALL the NTFS permissions from my main almost root folder.  This was bad and now I've lost access (access denied) on a lot of the folders on the storage array.  I've tried everything to reset the NTFS security and all that.  I tried all the tools out there.

Unfortunately, the developer of the software raid explicitly has said he will NOT spend a second helping people with NTFS security problems.  So I'm stuck on advice.  I've scoured the web and tried everything.

Some interesting facts:
--If I stop the storage array and just connect the drives individually, I can access all the files and folders.  I can also successfully modify the NTFS permissions with those tools mentioned.  When the array is active, however, I cannot access all the folders (access denied).  So that's why I'm confused.  The great thing about flexraid, the reason i got it, is because you can access the files in this manner.

My ideas:
--my first idea is to uninstall/reinstall active directory on the server.  or even reinstall the entire OS.  I have no idea if that will work, I guess I'm assuming if all the active directory details are reinstalled, maybe the files will think it's a new server and can start over?  i don't know.

--My other idea is to copy the contents of the drives to a temporary external drive, then copy them back over or something.  The problem with this is that I'm not sure i can delete the problem directories.  i don't want these broken directories forever on the server.

So I'll take any advice.  I don't think the files are damaged or anything.  Just the NTFS security.

40hz

Did you try taking ownership of the folder using your admin account? Go to <Properties><Security tab> <Advanced button><Ownership Change link> to do that. You should be able to do anything you want with the root and subfolders afterwards.


Shades

It might even be necessary to adjust the Windows policy of 'taking ownership of files and other objects'. There you can add your user to the (on purpose) very small list of users allowed to do this at all. If memory serves me right, only the user 'Administrator' and user group 'Administrators' are allowed to take ownership in a default Windows Server 2012 installation. 

x16wda

By all the tools did you include SetACL Studio? I would try installing it (30 day trial), take ownership at the root level and propagate it down all the way, then try giving everyone full at the root level and propagate down.

In any event the software ought to be able to delete folders for you later if you need to.
vi vi vi - editor of the beast

TaoPhoenix

Quote
Unfortunately, the developer of the software raid explicitly has said he will NOT spend a second helping people with NTFS security problems.  So I'm stuck on advice.  I've scoured the web and tried everything.

This is a pity, because back in my old fashioned business school, this was what they were talking about with "value added". Even if he's busy himself, he just has to get someone else (part time?) who knows this stuff, and then it's "value kept in house".

But a lot of Open Source and apparently other small devs take a narrow view of what they want to work on, so if SuperboyAC's of the world rip out a drive wrong, too bad!


superboyac

I did use SetACL studio, it is good.  I've done a few rounds of these...I used setacl, i also did a lot with that advanced settings area in the normal properties dialog.  I did take ownership.  I did most of this with the array connected.

I think my plan should be to take ownership of the individual disks while not in the array, because once it's connected, i can't even access the files.  does it matter if i take ownership of a root ?  do i need to do all the subdirectories individually?  i don't think so, that's the point of all these tools.

superboyac

friends, I'm still having difficulty with this.  I kind of feel i'm not understanding something about ntfs security or permissions.  But also, am I crazy, or is the developer in the thread below not being terribly helpful?  He has (understandably) refused to help out with ntfs issues that are unrelated to his product.  But I can't tell if I'm being annoying or if he's just being difficult.  I don't really care either way, I'd just like to be aware if I am having a fundamental misunderstanding about something.  here's the thread:
http://forum.flexrai...hp/topic,4984.0.html

some of my personal questions:
--are there such things as "standard" ntfs permissions?  if so, is there a way to quickly restore them once they have been manually removed?  I removed them accidentally, and I'd love to restore them back to default, but the only way i know to restore anything is to set each permission one by one and propagate them through the subfolders.  That is very manual.  is there any button i can press to just reset it back to some default mode?

--i think i'm going to just reinstall the whole os, format all the disks, and start from scratch.  I'll never mess with ntfs permissions again, i don't have a need to anyway.

40hz

Did you also check your share permissions?

There are two separate security mechanisms (besides group policies) on Windows server: NTFS permissions and share permissions. If the two permission levels conflict, Windows server will choose the more restrictive permissions granted.

The whole topic of shares vs NTFS permissions can get a little complicated if you let it. And there's some subtleties involved so you may want to Google and read up on them if you're not familiar with the topic. If you're not careful about how and where to use them, you can create a real file access quagmire for yourself on a Windows server. Even the "pros" get confused from time to time when using them.

Find a good overview here: https://technet.micr...-us/library/Cc754178.

tl;dr version:

If permission conflicts are causing the problem, the following from the above link is the short easy solution most of us will use in order to fix a mess enough to redo it (and sometimes screw it up even worse if we try to get too fancy afterwards):

Quote
The following table suggests equivalent permissions that an administrator can grant to the Users group for certain shared folder types. Another approach is to set share permissions to Full Control for the Everyone group and to rely entirely on NTFS permissions to restrict access.

Note: if it's just you - and only you - who will ever be accessing the server, you can also simply grant Full Control permission for the Everyone group across the board and be done with it. Later on, if you decide to give someone else access, you can always redo your NTFS permissions to add any needed restrictions. Most personal standalone file servers are set up that way. Once you're in - you're in!

You'll want to be a little careful with Internet access if you go that route however. With that arrangement, about the only time that fileserver should be allowed to connect to the Internet is to get Microsoft and AV updates.
« Last Edit: August 13, 2015, 09:25:00 AM by 40hz »
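
Added example (not part of any poster's reply): a PowerShell function that lists the share-level and NTFS-level entries for each file share side by side, so you can see which layer is the restrictive one. It assumes the SmbShare module that ships with Windows Server 2012 and an elevated prompt; the function name is made up for this example.

```powershell
# Added example: compare the two permission layers for every file share.
function Get-ShareAccessReport {
    [CmdletBinding()]
    param(
        [string]$Name = '*'   # share name or wildcard pattern
    )

    # Skip the administrative shares (ADMIN$, C$, IPC$) and anything without a folder path.
    $shares = Get-SmbShare | Where-Object {
        $_.Name -like $Name -and -not $_.Special -and $_.Path
    }

    foreach ($share in $shares) {
        $shareAces = @($share | Get-SmbShareAccess)

        # "Simple" share side: the single entry Everyone / Allow / Full, so NTFS alone decides.
        # 'Everyone' is the English account name; it is localized on other language versions.
        $wideOpen = $shareAces.Count -eq 1 -and
                    $shareAces[0].AccountName -eq 'Everyone' -and
                    "$($shareAces[0].AccessControlType)" -eq 'Allow' -and
                    "$($shareAces[0].AccessRight)" -eq 'Full'

        # Share-level entries (apply only to access over the network).
        foreach ($ace in $shareAces) {
            [pscustomobject]@{
                Share         = $share.Name
                Layer         = 'Share'
                Identity      = $ace.AccountName
                Type          = "$($ace.AccessControlType)"
                Rights        = "$($ace.AccessRight)"
                Inherited     = $null
                ShareWideOpen = $wideOpen
            }
        }

        # NTFS entries on the shared folder itself (apply locally and over the network).
        $acl = Get-Acl -LiteralPath $share.Path
        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                Share         = $share.Name
                Layer         = 'NTFS'
                Identity      = $ace.IdentityReference.Value
                Type          = "$($ace.AccessControlType)"
                Rights        = "$($ace.FileSystemRights)"
                Inherited     = $ace.IsInherited
                ShareWideOpen = $wideOpen
            }
        }
    }
}

Get-ShareAccessReport | Sort-Object Share, Layer | Format-Table -AutoSize
```

A share where `ShareWideOpen` is False and the NTFS rows are also customized is the "fancy on both sides" case that is hardest to troubleshoot.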

Stoic Joker

Quote
Note: if it's just you - and only you - who will ever be accessing the server, you can also simply grant Full Control permission for the Everyone group across the board and be done with it.

O_O ... Ggaaaaaaaaaaaaaaaaaaaaaaaaaaaa!!

wraith808

Quote
Note: if it's just you - and only you - who will ever be accessing the server, you can also simply grant Full Control permission for the Everyone group across the board and be done with it.

O_O ... Ggaaaaaaaaaaaaaaaaaaaaaaaaaaaa!!

I think something broke...

superboyac

thanks 40, thanks everyone...

The advice given to me by the developer is to "reset" the NTFS permissions to standard.  Ok.  I've searched and searched, and I don't know what "standard" is.  And I use the tools like setacl studio which has a button for "reset permissions"...however, all that does is copy the permissions on the root folder (or selected folder) down thru subfolders.

To me, it sounds like there is a specific set of permissions that would be considered "standard".  How do I apply these settings to all my folders?  I've tried all these tools and they don't reset anything, they just apply my own custom permissions to subfolders and such.  Furthermore, i don't see any documentation that is basically a list of permissions that is considered standard.  I don't get it.

Shades

Did you by any chance use anywhere the 'deny' option and let that change propagate to the underlying folders?

If so, you have clicked away warning messages from the operating system that explicitly state you shouldn't do that unless you are absolutely sure...

'Deny' trumps 'Allow'...practically without mercy and definitely without remorse!
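
Added example (not part of any poster's reply): a PowerShell audit that walks a folder tree and reports the conditions discussed in this thread: explicit Deny entries, folders whose permissions were removed entirely, folders with inheritance switched off, and folders whose ACL cannot be read at all. The function name and the sample path are made up for this example.

```powershell
# Added example: read-only audit, it changes nothing on disk.
function Find-AclProblem {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root
    )

    # Folders that cannot be enumerated are skipped silently here; the folder
    # itself is still listed by its parent, so it shows up as 'ACL unreadable'.
    $folders = @(Get-Item -LiteralPath $Root -Force) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($dir in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        }
        catch {
            [pscustomobject]@{
                Path    = $dir.FullName
                Problem = 'ACL unreadable'
                Detail  = $_.Exception.Message
            }
            continue
        }

        $aces = @($acl.Access)

        # Every permission removed: nobody but the owner can get in.
        if ($aces.Count -eq 0) {
            [pscustomobject]@{ Path = $dir.FullName; Problem = 'Empty ACL'; Detail = "Owner: $($acl.Owner)" }
        }

        # Deny entries set directly on this folder (inherited copies are not repeated).
        foreach ($ace in $aces) {
            if ($ace.AccessControlType -eq 'Deny' -and -not $ace.IsInherited) {
                [pscustomobject]@{
                    Path    = $dir.FullName
                    Problem = 'Explicit Deny'
                    Detail  = "$($ace.IdentityReference): $($ace.FileSystemRights)"
                }
            }
        }

        # Inheritance switched off below the root: a reset at the root will not reach it.
        if ($acl.AreAccessRulesProtected -and $dir.FullName -ne (Get-Item -LiteralPath $Root -Force).FullName) {
            [pscustomobject]@{ Path = $dir.FullName; Problem = 'Inheritance disabled'; Detail = '' }
        }
    }
}

# 'D:\Storage' is a placeholder path.
# Find-AclProblem -Root 'D:\Storage' | Sort-Object Problem, Path | Format-Table -AutoSize -Wrap
```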

4wd

Quote
To me, it sounds like there is a specific set of permissions that would be considered "standard".  How do I apply these settings to all my folders?  I've tried all these tools and they don't reset anything, they just apply my own custom permissions to subfolders and such.

If you've tried all the tools then you've probably tried this one: ResetPermission

I can only say I've used the previous version of it once to fix the same problem the author had, (unable to access some files after OS install).  You probably want to have it take ownership and don't use it on your OS drive.

Just as a matter of interest, when you're trying to reset the permissions are you performing that on the individual drives or the RAID volume ?
I would have thought it needs to be performed on the RAID volume, then flush the caches afterward.

Another idea that you haven't mentioned might be that since the individual drives can be read OK, delete the array in FlexRAID, uninstall FlexRAID (including any settings/configs), reinstall FlexRAID, then recreate the array using a different volume name/letter.  Technically can't hurt to try ... in theory.

40hz

Ok...I think I understand what the dev is telling you.

Standard NTFS permissions on a folder are:

  • Full Control
  • Modify
  • Read & Execute
  • List Folder Contents
  • Read
  • Write


Standard file permissions are:
 
  • Full Control
  • Modify
  • Read & Execute
  • Read
  • Write

Note: Standard file permissions are the same as NTFS folder permissions but don't include List Folder Contents.  (Duh! right?)

For convenience, Sharing permissions should be set to Full Control for the Everyone group. After that, only use NTFS permissions to control access. Otherwise you're going to go crazy.

When assigning permissions, get in the habit of putting users (even if it's just you) into groups - and assign permissions to the groups. That way, if you add another person to your circle of trust, you just have to put their UserID into the group with appropriate permissions rather than individually grant them access privileges on a resource by resource basis. Or troubleshoot them individually if something goes wrong. It's hard to completely grok why until you've used a server for a while - but always use groups to control access. Even if you have to set up a group with only one user in it. Trust me. Groups are sanity savers. Because once you get a group set up properly for file access, adding or removing your user's access becomes a piece of cake. I use names like TrustedUsers, Staff, Legal, Finance, etc. for my "company" groups. (Think of groups as style sheets for user access if you need a bad analogy.)

Hope this gets you fixed. If not, let us know.

Luck! :Thmbsup:

P.S. Once you get your permissions, groups and sharing squared away, you can get quick and easy access to your shared resources by typing \\{server_name} in your start menu search box. That will pop up a window with all the shared folders and resources you have access to. You can open them up and use them just like local folders with no need to map them as network drives unless you want to. But if you do, you can also right-click and map them very easily. Same goes for shared printers. Right-click and select Connect - and Bob's yer uncle!

Additional recommended reading - even if this guy disagrees with some of what I said above because he's talking about a business environment in his article rather than a home server: Part-1  Part-2
« Last Edit: August 14, 2015, 11:43:29 AM by 40hz »
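
Added example (not part of any poster's reply): one way to do the "reset" asked about earlier in the thread with the built-in `takeown` and `icacls` tools, ending with a group-based grant as recommended in the post above. The function name, the backup file location and the group name are assumptions for this example; `*S-1-5-32-544` and `*S-1-5-18` are the well-known SIDs for Administrators and SYSTEM.

```powershell
# Added example. Run from an elevated prompt against a data folder, never an OS drive.
function Reset-TreeAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$AccessGroup,   # hypothetical, e.g. 'HOME\TrustedUsers'
        [string]$BackupFile = (Join-Path $env:TEMP 'acl-backup.txt')
    )

    if (-not $PSCmdlet.ShouldProcess($Root, 'Take ownership and rebuild ACLs')) { return }

    function Invoke-Step([string]$Exe, [string[]]$Arguments) {
        & $Exe @Arguments | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "$Exe $($Arguments -join ' ') exited with code $LASTEXITCODE"
        }
    }

    # 1. Ownership first: the owner can always rewrite the ACL, even an empty one.
    #    /A gives ownership to the Administrators group; /D Y answers the prompt
    #    (the answer letter is locale-specific, Y is for English systems).
    Invoke-Step -Exe 'takeown.exe' -Arguments '/F', $Root, '/A', '/R', '/D', 'Y'

    # 2. Save what is there now so it can be put back with "icacls /restore".
    Invoke-Step -Exe 'icacls.exe' -Arguments $Root, '/save', $BackupFile, '/T', '/C', '/Q'

    # 3. The actual reset: drop every explicit entry in the tree (Deny entries
    #    included) and turn inheritance back on everywhere.
    Invoke-Step -Exe 'icacls.exe' -Arguments $Root, '/reset', '/T', '/C', '/Q'

    # 4. Define the permissions once, at the root, and let them inherit down:
    #    Administrators and SYSTEM get Full Control, the access group gets Modify.
    #    (OI)(CI) makes the entry apply to files and subfolders.
    Invoke-Step -Exe 'icacls.exe' -Arguments $Root, '/inheritance:r', '/grant:r',
        '*S-1-5-32-544:(OI)(CI)F',
        '*S-1-5-18:(OI)(CI)F',
        "${AccessGroup}:(OI)(CI)M"

    # 5. Show the resulting root ACL for a quick check.
    (Get-Acl -LiteralPath $Root).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
}

# Placeholder path and group; -WhatIf shows the target without changing anything.
# Reset-TreeAcl -Root 'D:\Storage' -AccessGroup 'HOME\TrustedUsers' -WhatIf
```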

x16wda

What 40hz said - use groups. May not really apply to you at home, especially if you aren't trying to restrict access to anything, just plant that seed though.

That said, even if this wasn't an issue caused by FlexRaid, it would still leave a bad taste in my mouth because of what you're seeing. But I'd likely do what 4wd suggested, save off the data and completely recreate the FlexRaid setup from scratch and copy back in. I just don't know how far I would trust it going forward.
vi vi vi - editor of the beast

40hz

What x16wda said.

I'd actually take it a bit further at this point and probably just copy off the data and redo the server. It doesn't take that long. And at least that way you'll be sure to annihilate whatever gremlins may still be lurking in your present setup. I'm also not super happy with how that RAID is behaving right now, so I'd probably want to wipe and reinitialize the array while I was at it  - and check for the most recent firmware and drivers for the card.

Besides, it's all good exercise. Because many times you'll need to do a server twice when you're starting out with Windows server. One time to gain experience. The second time to set it up the way you now realize you should have done it in the first place.

I must have redone the first NT Server I ever built six times in the course of three days before I was happy with it. (It used something like 18+ 3.5" floppies to do the install. So it took a loooong time back then.) Novell was even worse if you decided to format and certify your own HD instead of buying one already formatted and ready to use. That alone could take the better part of a day.

We've all been there so it's no reflection on you. Just part of the entry fee to get in the game. :)
« Last Edit: August 14, 2015, 06:46:41 PM by 40hz »

superboyac

Quote
Besides, it's all good exercise. Because many times you'll need to do a server twice when you're starting out with Windows server. One time to gain experience. The second time to set it up the way you now realize you should have done it in the first place.

Thanks!  This sounds accurate as to where I'm at right now.  I think I'm going to order a couple of large drives, copy the data that I don't have other places onto it, and redo the whole thing.  The dev said i don't have to do that, but no other suggestion is working.  And also, i haven't reported it, but during my troubleshooting process, I have been encountering errors on the drives that, while they may not be real (virtual part of the software raid), they are making me uncomfortable because of the amount of fiddling i am doing.  So i think i'm going to start over very soon.

also 40...you said to use ntfs permissions to control users...the dev says the opposite.  he says to use sharing permissions and leave ntfs fairly wide open.  and i think that's because of the way he has designed his software, in his words, to play "fast and loose" with ntfs permissions.  this raid solution is like this...you can pull out a drive and access the files no problem any time.  so all his raid is doing is like merging the same directories on different drives together (like windows libraries).  so i think that has to do with why he recommends the sharing.

i've checked my drives, and the ntfs permissions are rock solid and consistent everywhere.  basically full control for everyone and everything, with consistent inherited permissions (using the setacl studio software which is really helpful).

4wd, i have used that software!  it might have been the first thing i tried.  i'm slowly building my server troubleshooting kit.

40hz

Quote
also 40...you said to use ntfs permissions to control users...the dev says the opposite.  he says to use sharing permissions and leave ntfs fairly wide open.  and i think that's because of the way he has designed his software, in his words, to play "fast and loose" with ntfs permissions.  this raid solution is like this...you can pull out a drive and access the files no problem any time.  so all his raid is doing is like merging the same directories on different drives together (like windows libraries).  so i think that has to do with why he recommends the sharing.


If he does, that doesn't give me warm fuzzies about his technology...but what can you do?

Ok...if that's the case, do it his way. My point was, when implementing access security, primarily use NTFS permissions - or share permissions - but don't get too fancy with both. Keep one side dirt simple. There are arguments for both approaches. I prefer NTFS permissions, but it would take me a while to explain why. And it's mostly because I'm more familiar and comfortable with that approach.

If you're getting drives, maybe consider opting for "server grade" or "enterprise" drives if you're getting big ones. They're not that much more expensive. A few bucks at most - and they're far better built and reliable. These are the drives primarily engineered for NAS and related applications. A 4TB runs for around $200 - $225 (street) last I looked.

I'd check with your RAID solution first to see if these are a potential problem for it. Because it's generally best to go with the recommended brands and model numbers when doing RAID. Some cards are extremely fussy about the drives that get plugged into them.

Maybe somebody can shake JavaJones's tree and see what he thinks about all this? He's in the "biz" too. But he deals with a greater variety of client types - and sees a broader range of oddball projects - than I do.

Luck! :Thmbsup:

P.S. Your first act after you have a server up and running, plus all the Microsoft updates installed, and all your hardware drivers checked and updated, is to make a system image and create a recovery repair disk. Do it before you add any users, create shares, etc. You want a pure vanilla "known good configuration" and properly functioning server image to fall back on if your project one day decides to all go sideways. That way, if you (or somebody else) borks something big time, you have a "genesis image" to reload and be on your merry way with. Figure twenty minutes to put your server back up vs several hours doing it from scratch.
« Last Edit: August 15, 2015, 05:23:14 PM by 40hz »

40hz

@SB - I forgot to ask...which version of Windows Server do you have? Standard, Essentials, etc.?

superboyac

The first option I considered was using the new windows storage spaces.  I actually tried it, and it was nice.  However, it wasn't terribly fast (although flexraid isn't that much faster, but still faster), it felt more complicated to setup, and it seemed to have more restrictions on it.  Also, the refs file system (which I also tried) isn't proven yet from what i read, and it also has certain restrictions vs ntfs(although those restrictions are not things i care about).  Ultimately, i chose flexraid because of the one fact that you can pull out a drive any time and access the files.  I like that so much, and even in this beginning stage, it's proving to be handy.  My setup is all screwed up, but I'm still able to access my files.  I tried the zfs option with a linux distro also...but quickly got scared, real quick lol!  Like at the startup command prompt to install the OS.  I don't have the time to get used to that right now.

I'll definitely make an image once i get the new one setup.  This is turning out to be a lot of work.  I've been spending most of my free time on it the past 2 weeks.  But having a server with a large storage capacity is already improving my life.  I have all these files all over the place in different media, etc., and i've been managing it for years, and i'm getting tired of it.  I'm looking forward to having a box or two where everything goes.  And i'm also interested in unifying all my increasing number of devices i'm using for different reasons.  You were right, having a server is great...kind of a turning point.

i've been reading about hard drives a lot.  Thanks for recommending the enterprise drives, i wasn't convinced previously.  it's still confusing...take western digital...they've added so many colors the past few years, it's so confusing.  I liked their black caviar drives previously because of the 5 year warranty.  These used to be considered their enterprise drives.  but now they are calling it their "desktop performance" drives.  They also have their NAS drives, which are Red.  And a Red Pro, which is like more enterprise but still desktop, lol.  Their new line of real enterprise drives are called RE, funny enough ("real enterprise?").  the 4TB ones are running around $245 on newegg.  I'm not familiar with the enterprise line of other brands.  I'm fine with the cost, I experienced the deathstars in the early 2000s and have since tried to not compromise on hard drive quality for any kind of cost purpose.

oy...so much stuff.  I tried for a couple years to convince one of my friends or cousins to make me a server, but I wasn't manipulative enough.

Quote
@SB - I forgot to ask...which version of Windows Server do you have? Standard, Essentials, etc.?

standard.

Shades

Someone else on the DC forum already mentioned the existence/availability of a new 16 TByte SSD drive model from Samsung. That is 16TByte of storage space in a 2,5 inch hard disk.

A RAID setup with spinning disks isn't going to outperform (I/O) this SSD drive. Or do better in energy consumption. Likely this model won't be cheap, but you'll get a serious pile of bragging rights  :P

I think Samsung also sells an 8TByte SSD model...

A RAID setup with this kind of SSD's...I reckon that would grant you the title of DC Storage Master  ;)  

40hz

Quote
i've been managing it for years, and i'm getting tired of it.  I'm looking forward to having a box or two where everything goes.  And i'm also interested in unifying all my increasing number of devices i'm using for different reasons.  You were right, having a server is great...kind of a turning point.

i've been reading about hard drives a lot.  Thanks for recommending the enterprise drives, i wasn't convinced previously.  it's still confusing...take western digital...they've added so many colors the past few years, it's so confusing.  I liked their black caviar drives previously because of the 5 year warranty.  These used to be considered their enterprise drives.  but now they are calling it their "desktop performance" drives.  They also have their NAS drives, which are Red.  And a Red Pro, which is like more enterprise but still desktop, lol.  Their new line of real enterprise drives are called RE, funny enough ("real enterprise?").  the 4TB ones are running around $245 on newegg.  I'm not familiar with the enterprise line of other brands.  I'm fine with the cost, I experienced the deathstars in the early 2000s and have since tried to not compromise on hard drive quality for any kind of cost purpose.

oy...so much stuff.

You betcha there's so much stuff. Welcome to my world. ;D

Seagate and Hitachi also do enterprise grade. I've used the WD, Samsung, and Seagate e-drives with good result. Haven't tried Hitachis in a server yet.

For business clients I always recommend they go with the disks that come from the manufacturers of their servers. They pay a premium (sometimes a significant premium) for those. But those babies get QC beyond what the prosumer world has any expectation of getting - and they're priced accordingly. And single sourcing a business server from a major manufacturer also simplifies warranty claims and service contract agreements by having everything come from one manufacturer. It eliminates finger pointing for one thing. And for big companies, that extra convenience and additional assurance alone is worth the higher cost.

I'll probably build one more server for myself before I call it a day with all this. If I do, I'm seriously considering using 2.5" drives and loading them into an ICY DOCK ToughArmour enclosure of some sort. Whatever I decide to build, it will be running a hypervisor with all the servers under it running as VMs. That way, I can setup a new server, or reallocate physical resources anytime I want to. Intel is doing some interesting stuff with their Xeon line lately.

Scope out this monster. It's expensive with its $4500 est. selling price - until you think about what you're getting: 18 cores supporting hyperthreading and 36 threads.



Running it with a selectable boot from either a drive that configures the whole shebang as a DAW/Synthesis workstation; or off a second drive setup to run a hypervisor for a fully virtualized server farm the rest of the time is where I'd like to go eventually. I've outgrown my fascination with rooms full of blinking lights and the roar of fans. ;D

superboyac

whoa 40...I like where you are headed with this.  I don't understand hypervisor yet, other than it means a virtual machine, lol.  It sounds like you are planning to have one central server machine with sub-servers running under it in virtualization.  If that's the case, that is ultimately my goal also.  You mention DAW...are you saying that you are going to be comfortable running a DAW on some kind of vm? 

40hz

Quote
You mention DAW...are you saying that you are going to be comfortable running a DAW on some kind of vm?

It would be fun to try, but I don't think I'm quite ballsy enough to do it with a production DAW just yet. So I'd probably set up such a machine to dual boot and also probably use a swap-able boot HD to do it at this point.


40hz

Quote
whoa 40...I like where you are headed with this.  I don't understand hypervisor yet, other than it means a virtual machine, lol.

There's two general approaches to virtualization. One method (Type-1) is a bare metal installation with all OSs managed and running under a hypervisor - which is basically just a framework environment for hosting operating systems. Examples would be Xen or Microsoft's Hyper-V. (Think: hardware ---> hypervisor ---> hosted OS)

Type-2 hypervisors are installed under an operating system, and abstract the system resources of that OS to allow virtual machines to run under it. VirtualBox works like that, as does VMware's Workstation. (Think: hardware ---> host OS ---> hypervisor ---> hosted OS)

There are also hybrids like Proxmox, so it can get a little confusing.

Of the two approaches, the Type-1 is a more elegant solution. Type-2 can sometimes be less ideal because the host OS that the hypervisor is running under can crash thereby simultaneously taking down all the VMs running under it as well. So the type-1 hypervisor is better for a VM server, whereas the type-2 is (to me) better suited for running turnkey applications - or virtual workstations - as opposed to servers.
« Last Edit: August 17, 2015, 10:27:27 PM by 40hz »