Trying to set permissions on just one measly file

Here is my current, simple security structure right now on my windows 2000 server (hostname - jefferson).

Group - sdc users  (members - everyone in the company)
Group - sdc dba's  (members - 6 dba's in the company)
Group - sdc dev's  (members - 4 dev's in the company)

I have a user George Bush, who belongs to the sdc users group and the sdc dba's group.

I am trying to limit access to the following file on my server to allow only sdc dba's.  (s:\shared\test-dir\APC\apc_folio.xls).

So I went into the file permissions for this file and unchecked the "allow inheritable permissions from parent to propagate to this object" box and then added the administrators group and the sdc dba's group to the list of objects that are allowed to access this file.

I then go to george bush's computer and map a drive to \\jefferson\shared.  Then, navigate to the apc_folio.xls file and try to open it and can't.  I get the following error:  "Cannot access read-only document 'aps_folio.xls'"

If I change the file permissions to allow "sdc users", george bush can access the file without a problem.

What am I missing here?


You didn't "deny" sdc users, did you?  

Pete Long (Technical Consultant) commented:
Hi conoverc73,
I agree! Best policy is NOT to deny anything unless you have to!

just remove the everyone group then assign your permissions

conoverc73 (Author) commented:
sdc users is not part of the "allow" list.  Only administrators and sdc dba's.

The everyone group was never a part of my allow list to begin with.

That group must have write permission on both the share and that folder.

Office Products tend to want to create a temp file in the same location as the original.  If the user has no write permissions, the temp file cannot be created.

Did you set the NTFS read access to the dba group for that file? If not, you might want to set it first. Also you might want to try this..

Add the users group into the permission list and deny everything for that object. For dba users and admin, specifically set the rights you want: read, write, etc.
Good point Netman66... yeah, Office products have that issue.. so you might want to set write permission on the folder for dba users.
conoverc73 (Author) commented:
"administrators", "sdc users", "sdc dba's" and "sdc dev's" all have full access to the folder.  I also tried adding the "sdc users" group to the allow list and when I clicked all of the boxes to deny them everything, the group disappeared.
Can you remove george bush from the users group? Is it an option? Because what I think is happening is that since users don't have access to that file, and deny permission always takes precedence over the allow permission.
conoverc73 (Author) commented:
I cannot remove george bush from the sdc users group because he would then be denied access to most of the other folders on the S drive.  Basically, the sdc users group has access to just about everything on the S drive.  This is why I had to implement more restrictive access in the area that I am working on now.......s:\shared\test-dir\APC\apc_folio.xls.
Do they also have Full Access to the Share?
conoverc73 (Author) commented:
Yes.  In the path s:\shared\test-dir\APC\apc_folio.xls, the directory "shared" is being shared to "sdc users", "sdc dba's", "sdc dev's" and "administrators".  All of them have full control.
Wow...that's a tongue-twister!

Ok, let's be absolutely certain I understand you and you understand me before we go any deeper.

If you go into My Network Places and double-click the servername what you see are shares that are available.  The share (not to be confused with your folder named "share") must allow Full Access to the groups in question - that's the starting point.

Now, also your folder (named "share") must have the appropriate NTFS permissions to allow the type of access you desire.  The best I would assign here is Modify for those groups.

Please let me know if this is what you understood me to be asking previously.
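The steps the answers above describe (break inheritance on the file, grant only Administrators and the dba group, and make sure the dba group keeps Modify on the containing folder so Office can write its temp file, with no Deny entries in the way), as an added example that is not from the thread. It is written for PowerShell on a current Windows file server rather than Windows 2000; the server name `jefferson`, share `shared` and group `sdc dba's` come from the question, and the group is assumed to be local to the server (use `DOMAIN\` for a domain group).

```powershell
# Added example, not from the original thread. Run as an administrator on the file server.
$Folder = 'S:\shared\test-dir\APC'            # folder must still grant Modify (Office temp file)
$File   = Join-Path $Folder 'apc_folio.xls'   # the workbook being restricted
$Dbas   = "jefferson\sdc dba's"               # assumption: local group on the server

function Set-RestrictedFile {
    param([string]$Path, [string]$Group)
    $acl = Get-Acl -LiteralPath $Path
    # Untick "allow inheritable permissions from parent" and do NOT copy the
    # inherited entries, so "sdc users" no longer appears on the file.
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'Allow')))
    # Modify rather than Read only: Excel rewrites the workbook on save.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'Modify', 'Allow')))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-FolderModify {
    # Office creates a temp file next to the original, so the folder itself
    # must let the group create files (Netman66's point above).
    param([string]$Path, [string]$Group)
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $acl = Get-Acl -LiteralPath $Path
    [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $modify) -eq $modify })
}

function Get-DenyEntries {
    # An explicit Deny always wins over Allow, which is why the thread warns against it.
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object { $_.AccessControlType -eq 'Deny' }
}

Set-RestrictedFile -Path $File -Group $Dbas
if (-not (Test-FolderModify -Path $Folder -Group $Dbas)) {
    Write-Warning "$Dbas lacks Modify on $Folder; Office will fail to create its temp file"
}
Get-DenyEntries -Path $File | Format-Table IdentityReference, FileSystemRights
# Share-level permissions are checked separately (Windows Server 2012+): Get-SmbShareAccess -Name shared
```

NTFS and share permissions combine to the more restrictive of the two, so the share itself must also allow the dba group at least Change; and as the author found, test from a domain-joined machine, since a workgroup client may authenticate as a different account than expected.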

Why not assign another root directory and only allow the dba's and administrators access?

{Share}\directory1 (Access for all users)
{Share}\directory2 (Access for DBA's and Administrators only)
conoverc73 (Author) commented:
Netman66 - you and I are totally on the same page.  I understand you 100%.

Looks like problem is fixed now.  This whole time, my users have been getting to the files based on the permissions that I implemented.......without any problems.

The problem lies somewhere with the way I was trying to test the permissions.  I'm using a machine that is not part of a domain (just a workgroup) and for some reason even after mapping a drive to the server, the permissions were not acting like I expected.

Thanks for all your help.
Excellent.  Glad it's working.

I suppose if I had have known the test machine was in workgroup mode I might have caught this earlier.

Anyway, all is well and I was happy to help out.

Cheers and thanks.