Solved

Trying to set permissions on just one measly file

Posted on 2003-11-14
Last Modified: 2010-04-14
Here is my current, simple security structure on my Windows 2000 server (hostname - jefferson).

Group - sdc users  (members - everyone in the company)
Group - sdc dba's  (members - 6 dba's in the company)
Group - sdc dev's  (members - 4 dev's in the company)

I have a user George Bush, who belongs to the sdc users group and the sdc dba's group.

I am trying to limit access to the following file on my server to allow only sdc dba's.  (s:\shared\test-dir\APC\apc_folio.xls).

So I went into the file permissions for this file and unchecked the "allow inheritable permissions from parent to propagate to this object" box and then added the administrators group and the sdc dba's group to the list of objects that are allowed to access this file.

I then go to George Bush's computer and map a drive to \\jefferson\shared.  Then I navigate to the apc_folio.xls file, try to open it, and can't.  I get the following error:  "Cannot access read-only document 'aps_folio.xls'"

If I change the file permissions to allow "sdc users", George Bush can access the file without a problem.

What am I missing here?

 
Question by:conoverc73
15 Comments
 
LVL 13

Expert Comment

by:ocon827679
ID: 9748860
You didn't "deny" sdc users, did you?  

0
 
LVL 57

Expert Comment

by:Pete Long
ID: 9748886
Hi conoverc73,
I agree! Best policy is NOT to deny anything unless you have to!

Just remove the Everyone group, then assign your permissions.

Cheers!
0
 

Author Comment

by:conoverc73
ID: 9748936
sdc users is not part of the "allow" list.  Only administrators and sdc dba's.

The everyone group was never a part of my allow list to begin with.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 9749075
That group must have write permission on both the share and that folder.

Office Products tend to want to create a temp file in the same location as the original.  If the user has no write permissions, the temp file cannot be created.

Advise.
0
 
LVL 11

Expert Comment

by:adonis1976
ID: 9749086
Did you set the NTFS read access to the dba group for that file? If not, you might want to set it first. Also, you might want to try this:

Add the users group into the permission list and deny everything for that object. For dba users and admin, specifically set the rights you want: read, write, etc.
0
 
LVL 11

Expert Comment

by:adonis1976
ID: 9749100
Good point, Netman66. Yeah, Office products have that issue, so you might want to set write permission for the folder for dba users.
0
 

Author Comment

by:conoverc73
ID: 9749159
"administrators", "sdc users", "sdc dba's" and "sdc dev's" all have full access to the folder.  I also tried adding the "sdc users" group to the allow list and when I clicked all of the boxes to deny them everything, the group disappeared.
0
 
LVL 11

Expert Comment

by:adonis1976
ID: 9749327
Can you remove George Bush from the users group? Is it an option? Because what I think is happening is since users don't have access to that file and deny permission always takes precedence over the allow permission.
0
 

Author Comment

by:conoverc73
ID: 9749538
I cannot remove George Bush from the sdc users group because he would then be denied access to most of the other folders on the S drive.  Basically, the sdc users group has access to just about everything on the S drive.  This is why I had to implement more restrictive access in the area that I am working on now: s:\shared\test-dir\APC\apc_folio.xls.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 9749597
Do they also have Full Access to the Share?
0
 

Author Comment

by:conoverc73
ID: 9749663
Yes.  In the path s:\shared\test-dir\APC\apc_folio.xls, the directory "shared" is being shared to "sdc users", "sdc dba's", "sdc dev's" and "administrators".  All of them have full control.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 250 total points
ID: 9749793
Wow...that's a tongue-twister!

Ok, let's be absolutely certain I understand you and you understand me before we go any deeper.

If you go into My Network Places and double-click the servername what you see are shares that are available.  The share (not to be confused with your folder named "share") must allow Full Access to the groups in question - that's the starting point.

Now, also your folder (named "share") must have the appropriate NTFS permissions to allow the type of access you desire.  The best I would assign here is Modify for those groups.

Please let me know if this is what you understood me to be asking previously.
0
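A simplified model of the evaluation discussed in this thread, as an added example that is not part of the original posts: access through a share is the intersection of share and NTFS rights, allows accumulate across a user's groups, and an explicit deny overrides them. Group names come from the question; the ACL contents are constructed sample data, and the set-based rights are an assumption (real ACEs use access masks and canonical ordering).

```python
# Simplified model of Windows access evaluation over a network share (added example).
# Rights are plain sets here; real ACLs use access masks and canonical ACE ordering.
READ, WRITE = "read", "write"
FULL = frozenset({READ, WRITE})


def granted(acl, user_groups):
    """Rights an ACL gives a user: allows accumulate across groups, any deny removes."""
    allowed, denied = set(), set()
    for kind, group, rights in acl:
        if group in user_groups:
            (denied if kind == "deny" else allowed).update(rights)
    return allowed - denied  # no matching allow ACE means no access (implicit deny)


def effective(share_acl, ntfs_acl, user_groups):
    """Access through the share is the intersection of share and NTFS rights."""
    return granted(share_acl, user_groups) & granted(ntfs_acl, user_groups)


def can_open_in_excel(share_acl, folder_acl, file_acl, user_groups):
    """Per Netman66's comment: read the file and create a temp file beside it."""
    return (READ in effective(share_acl, file_acl, user_groups)
            and WRITE in effective(share_acl, folder_acl, user_groups))


# Constructed sample data mirroring the groups described in the question.
GEORGE = {"sdc users", "sdc dba's"}
PLAIN_USER = {"sdc users"}
ALL_GROUPS = ["administrators", "sdc users", "sdc dba's", "sdc dev's"]
SHARE_ACL = [("allow", g, FULL) for g in ALL_GROUPS]
FOLDER_ACL = [("allow", g, FULL) for g in ALL_GROUPS]
# File with inheritance turned off and only two groups allowed.
FILE_ACL = [("allow", "administrators", FULL), ("allow", "sdc dba's", FULL)]
# The explicit-deny variant suggested in the thread.
FILE_ACL_WITH_DENY = FILE_ACL + [("deny", "sdc users", FULL)]

if __name__ == "__main__":
    print("George, allow-only ACL:", sorted(effective(SHARE_ACL, FILE_ACL, GEORGE)))
    print("Plain user, allow-only ACL:", sorted(effective(SHARE_ACL, FILE_ACL, PLAIN_USER)))
    print("George, with deny ACE:", sorted(effective(SHARE_ACL, FILE_ACL_WITH_DENY, GEORGE)))
    print("George can open in Excel:",
          can_open_in_excel(SHARE_ACL, FOLDER_ACL, FILE_ACL, GEORGE))
```

In this model the allow-only ACL already keeps out users who are only in "sdc users", while adding a deny ACE for that group also locks out any DBA who belongs to it.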
 
LVL 17

Expert Comment

by:RDAdams
ID: 9749911
Why not assign another root directory and only allow the dba's and administrators access?

{Share}\directory1 (Access for all users)
{Share}\directory2 (Access for DBA's and Administrators only)
0
 

Author Comment

by:conoverc73
ID: 9751215
Netman66 - you and I are totally on the same page.  I understand you 100%.

Looks like the problem is fixed now.  This whole time, my users have been getting to the files based on the permissions that I implemented, without any problems.

The problem lies somewhere with the way I was trying to test the permissions.  I'm using a machine that is not part of a domain (just a workgroup) and for some reason even after mapping a drive to the server, the permissions were not acting like I expected.

Thanks for all your help.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 9751536
Excellent.  Glad it's working.

I suppose if I had known the test machine was in workgroup mode I might have caught this earlier.

Anyway, all is well and I was happy to help out.

Cheers and thanks.
0
