• Status: Solved
  • Priority: Medium
  • Security: Public

Trying to set permissions on just one measly file

Here is my current, simple security structure right now on my Windows 2000 server (hostname - jefferson).

Group - sdc users  (members - everyone in the company)
Group - sdc dba's  (members - 6 dba's in the company)
Group - sdc dev's  (members - 4 dev's in the company)

I have a user George Bush, who belongs to the sdc users group and the sdc dba's group.

I am trying to limit access to the following file on my server to allow only sdc dba's.  (s:\shared\test-dir\APC\apc_folio.xls).

So I went into the file permissions for this file and unchecked the "allow inheritable permissions from parent to propagate to this object" box and then added the administrators group and the sdc dba's group to the list of objects that are allowed to access this file.

I then go to George Bush's computer and map a drive to \\jefferson\shared.  Then, navigate to the apc_folio.xls file and try to open it and can't.  I get the following error:  "Cannot access read-only document 'aps_folio.xls'"

If I change the file permissions to allow "sdc users", George Bush can access the file without a problem.

What am I missing here?

 
0
Asked: conoverc73
 
ocon827679 Commented:
You didn't "deny" sdc users, did you?  

0
 
Pete Long (Technical Consultant) Commented:
Hi conoverc73,
I agree! Best policy is NOT to deny anything unless you have to!

Just remove the Everyone group, then assign your permissions.

Cheers!
0
 
conoverc73 (Author) Commented:
sdc users is not part of the "allow" list.  Only administrators and sdc dba's.

The everyone group was never a part of my allow list to begin with.
0
 
Netman66 Commented:
That group must have write permission on both the share and that folder.

Office Products tend to want to create a temp file in the same location as the original.  If the user has no write permissions, the temp file cannot be created.

Advise.
0
 
adonis1976 Commented:
Did you set the NTFS read access to the dba group for that file? If not, you might want to set it first. Also, you might want to try this...

Add the users group into the permission list and deny everything for that object. For dba users and admin, specifically set the right you want: read, write, etc.
0
 
adonis1976 Commented:
Good point, Netman66... yeah, Office products have that issue, so you might want to set write permission for the folder for dba users.
0
 
conoverc73 (Author) Commented:
"administrators", "sdc users", "sdc dba's" and "sdc dev's" all have full access to the folder.  I also tried adding the "sdc users" group to the allow list and when I clicked all of the boxes to deny them everything, the group disappeared.
0
 
adonis1976 Commented:
Can you remove George Bush from the users group? Is it an option? Cos what I think is happening is since users don't have access to that file and deny permission always takes precedence over the allow permission.
0
 
conoverc73 (Author) Commented:
I cannot remove George Bush from the sdc users group because he would then be denied access to most of the other folders on the S drive.  Basically, the sdc users group has access to just about everything on the S drive.  This is why I had to implement more restrictive access in the area that I am working on now.......s:\shared\test-dir\APC\apc_folio.xls.
0
 
Netman66 Commented:
Do they also have Full Access to the Share?
0
 
conoverc73 (Author) Commented:
Yes.  In the path s:\shared\test-dir\APC\apc_folio.xls, the directory "shared" is being shared to "sdc users", "sdc dba's", "sdc dev's" and "administrators".  All of them have full control.
0
 
Netman66 Commented:
Wow...that's a tongue-twister!

Ok, let's be absolutely certain I understand you and you understand me before we go any deeper.

If you go into My Network Places and double-click the servername what you see are shares that are available.  The share (not to be confused with your folder named "share") must allow Full Access to the groups in question - that's the starting point.

Now, also your folder (named "share") must have the appropriate NTFS permissions to allow the type of access you desire.  The best I would assign here is Modify for those groups.

Please let me know if this is what you understood me to be asking previously.
0
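A simplified model of the access check discussed in this thread, as an added example that is not part of any post: rights over a network share are the intersection of the share permissions and the NTFS permissions, and a deny entry matching any group in the user's token overrides the allows. The group names come from the question; the tokens, ACL lists and function names are constructed for illustration, and real Windows ACE ordering and inheritance are not modelled.

```python
# Simplified model of share + NTFS permission evaluation (constructed example).
R, W = "read", "write"
FULL = frozenset({R, W})

def granted(acl, token):
    """Rights an ACL gives a token: union of matching allows minus matching denies."""
    allow, deny = set(), set()
    for principal, kind, rights in acl:
        if principal in token:  # the ACE applies if the user or one of their groups matches
            (deny if kind == "deny" else allow).update(rights)
    return frozenset(allow - deny)

def over_share(token, share_acl, ntfs_acl):
    """Access through a mapped drive: the more restrictive of share and NTFS wins."""
    return granted(share_acl, token) & granted(ntfs_acl, token)

# Constructed ACLs mirroring the setup described in the thread.
GROUPS = ["administrators", "sdc users", "sdc dba's", "sdc dev's"]
SHARE = [(g, "allow", FULL) for g in GROUPS]       # share: full control for all four
SHARE_READ_ONLY = [(g, "allow", {R}) for g in GROUPS]
FILE = [("administrators", "allow", FULL),         # apc_folio.xls, inheritance off
        ("sdc dba's", "allow", FULL)]
FILE_WITH_DENY = FILE + [("sdc users", "deny", FULL)]

# Constructed tokens: the user name plus the groups the server sees for them.
george = {"george", "sdc users", "sdc dba's"}
plain_user = {"alice", "sdc users"}

if __name__ == "__main__":
    cases = [
        ("dba, file allows dba's only", george, SHARE, FILE),
        ("non-dba, file allows dba's only", plain_user, SHARE, FILE),
        ("dba, deny added for sdc users", george, SHARE, FILE_WITH_DENY),
        ("dba, share limited to read", george, SHARE_READ_ONLY, FILE),
    ]
    for label, token, share, ntfs in cases:
        print(f"{label:35} -> {sorted(over_share(token, share, ntfs)) or 'no access'}")
```

Omitting "sdc users" from the file's allow list is enough to keep non-DBAs out; adding an explicit deny for that group also locks out every DBA who is a member of it.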
 
RDAdams Commented:
Why not assign another root directory and only allow the dba's and administrators access?

{Share}\directory1 (Access for all users)
{Share}\directory2 (Access for DBA's and Administrators only)
0
 
conoverc73 (Author) Commented:
Netman66 - you and I are totally on the same page.  I understand you 100%.

Looks like problem is fixed now.  This whole time, my users have been getting to the files based on the permissions that I implemented.......without any problems.

The problem lies somewhere with the way I was trying to test the permissions.  I'm using a machine that is not part of a domain (just a workgroup) and for some reason even after mapping a drive to the server, the permissions were not acting like I expected.

Thanks for all your help.
0
 
Netman66 Commented:
Excellent.  Glad it's working.

I suppose if I had known the test machine was in workgroup mode I might have caught this earlier.

Anyway, all is well and I was happy to help out.

Cheers and thanks.
0