  1. #1
    4 Star Lounger
    Join Date
    Jan 2001
    Location
    Altnau, Thurgau, Switzerland
    Posts
    447
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Directory permissions

    I have a puzzling situation with directory permissions on Win 2000 server (domain server). File system is NTFS.

    I have created a directory, call it PrivateStuff. This directory contains subdirectories called SubDir1, SubDir2.. It is intended that only one user has access to each SubDir (apart from administrators).


    Members of the Administrator group have complete rights to all directories - set explicitly.
    Inherited rights are not selected for the parent and child directories.
    Everyone has rights to look at but not modify the parent Dir (PrivateStuff).
    Directory SubDir1 has UserA with full rights.
    Directory SubDir2 has UserB with full rights.

    To make it clearer: when I look at the security settings of directory SubDir1 there is one group (Administrators) and one user (UserA) in the list of who has / has not got permissions. No user or group has permission specifically removed - they just aren't in the list.

    My problem. I log onto a workstation as UserA and I can go into the directory SubDir2, view contents, open files... Likewise UserB has access into directory SubDir1. That is definitely not what I want.


    I have then created a group - Company_All and each user (UserA, UserB..) is a member of this group. This group does not belong to any other groups on the system.

    Now on each SubDir I explicitly add the group Company_All and explicitly remove all permissions. I am left with the situation that no-one, not even the explicitly declared UserA, can get into SubDir1. Again not what I want.

    What appears to be even worse is that the user logged onto the workstation can modify the rights of the directories. Workstations are running Windows XP Pro, the users are logged on to the domain and on the local system as MainUser (German - Hauptbenutzer). This is not an administrator account locally but one with which they can modify some settings.

    Reading the help files I can't see what is wrong with my assignment of permissions.
    Do I need to activate some setting concerning rights on the local machine?
    For the security to function must I transfer ownership of the SubDirs to the individual Users? Currently they are owned by the administrator.
    It looks like my group permissions take priority over the user permissions when in conflict, is that the correct behaviour?

  2. #2
    Administrator
    Join Date
    Mar 2001
    Location
    St Louis, Missouri, USA
    Posts
    23,577
    Thanks
    5
    Thanked 1,057 Times in 926 Posts

    Re: Directory permissions

    Andy,
    If you have the Guest account active that is probably why UserB can see SubDir1. Try assigning the Everyone group to SubDir1 with no rights and also assign UserA with the rights you desire. Do the same for SubDir2 and UserB. Unless you need it, disable the Guest account.

    Joe

  3. #3
    4 Star Lounger

    Re: Directory permissions

    Thanks Joe,

    Guest account is disabled (and was already).

    I explicitly remove the rights for the group everyone for the SubDir1. The group administrators has full rights. The user UserA has full rights.

    I am logged on as administrator onto the server at this point, select the directory SubDir1 in the explorer and I get a message something like permission refused. (It's the German version, that's why I say something like.)
    On the client I get similar behaviour in that UserA can't even get at the directory now.

    This is really bugging me - I feel that something basic is very wrong but I don't know what.

    Would it help attaching some screen snapshots? If so, what would be of most use?

    Andy.

  4. #4
    4 Star Lounger

    Re: Directory permissions

    I've found the problem. Each user was a member of a Domain User group. This group had been assigned as a member of the Administrator group! So each user was actually getting administrator rights, albeit indirectly.

  5. #5
    Administrator

    Re: Directory permissions

    Andy, Terrific. Isn't security wonderful?

    Joe

  6. #6
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Directory permissions

    > Now on each SubDir I explicitly add the group Company_All and explicitly remove all permissions I am left with the
    > situation that no-one, not even the explicitly declared UserA can get into SubDir1. Again not what I want.

    NT/2000 follows the rule of greatest restriction: if a user has privileges + no privileges, the latter trumps the former. Too bad, because in many cases it would be pretty convenient to be able to do the above.

  7. #7
    4 Star Lounger

    Re: Directory permissions

    Yeah. Sometimes I wonder if computers are a blessing or a curse. They can certainly make life hell at times.

  8. #8
    4 Star Lounger

    Re: Directory permissions

    I agree. Logically it would be nice to have a group with one set of permissions and an individual within that group with different permissions for restricting access to that individual. I also realise that whichever way it is resolved some administrator somewhere is not going to be happy.

    With the rule of greatest restriction I must have missed that in the help file sections on security. Thanks for the tip.
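
An added example, not part of the original posts: a simplified Python model of the two effects found in this thread, the nested group membership from post #4 and the deny-over-allow rule from post #6. Group and directory names are the thread's; the data structures and function names are constructed for illustration, assume a DACL in canonical order, and call no Windows API.

```python
# Simplified model of NTFS access evaluation (constructed; not the Windows API).
# group -> direct members (users or groups), as the thread describes before the fix
MEMBERS = {
    "Administrators": {"Administrator", "Domain Users"},  # nesting found in post #4
    "Domain Users": {"UserA", "UserB"},
    "Company_All": {"UserA", "UserB"},
    "Everyone": {"Administrator", "UserA", "UserB"},
}
# Same directory after removing Domain Users from Administrators
FIXED = {**MEMBERS, "Administrators": {"Administrator"}}

# ACLs as (kind, principal) pairs
SUBDIR1 = [("allow", "Administrators"), ("allow", "UserA")]
SUBDIR1_DENY = [("deny", "Company_All")] + SUBDIR1

def token_groups(user, members):
    """Return the user plus every group reached by direct or nested membership."""
    sids, frontier = {user}, {user}
    while frontier:
        frontier = {g for g, m in members.items() if m & frontier} - sids
        sids |= frontier
    return sids

def has_access(user, acl, members):
    """Any matching deny entry wins; otherwise any matching allow entry grants."""
    sids = token_groups(user, members)
    if any(kind == "deny" and who in sids for kind, who in acl):
        return False
    return any(kind == "allow" and who in sids for kind, who in acl)

def admin_paths(members, target="Administrators"):
    """List every membership chain leading into the target group, for auditing."""
    paths, stack = [], [[target]]
    while stack:
        path = stack.pop()
        for m in sorted(members.get(path[-1], ())):
            if m in path:  # guard against circular nesting
                continue
            paths.append(path + [m])
            if m in members:
                stack.append(path + [m])
    return paths

if __name__ == "__main__":
    print("UserB -> SubDir1, nested admin:", has_access("UserB", SUBDIR1, MEMBERS))
    print("UserB -> SubDir1, after fix:   ", has_access("UserB", SUBDIR1, FIXED))
    print("UserA -> SubDir1, group denied:", has_access("UserA", SUBDIR1_DENY, FIXED))
    for p in admin_paths(MEMBERS):
        print(" <- ".join(p))
```

Listing the chains into Administrators is the check that would have surfaced the problem directly, since the ACL on SubDir1 itself looked correct.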
