Solved

Trying to set permissions on just one measly file

Posted on 2003-11-14
Last Modified: 2010-04-14
Here is my current, simple security structure right now on my Windows 2000 server (hostname - jefferson).

Group - sdc users  (members - everyone in the company)
Group - sdc dba's  (members - 6 dba's in the company)
Group - sdc dev's  (members - 4 dev's in the company)

I have a user George Bush, who belongs to the sdc users group and the sdc dba's group.

I am trying to limit access to the following file on my server to allow only sdc dba's.  (s:\shared\test-dir\APC\apc_folio.xls).

So I went into the file permissions for this file and unchecked the "allow inheritable permissions from parent to propagate to this object" box and then added the administrators group and the sdc dba's group to the list of objects that are allowed to access this file.

I then go to George Bush's computer and map a drive to \\jefferson\shared.  Then I navigate to the apc_folio.xls file, try to open it, and can't.  I get the following error:  "Cannot access read-only document 'aps_folio.xls'"

If I change the file permissions to allow "sdc users", George Bush can access the file without a problem.

What am I missing here?

Question by:conoverc73
15 Comments
 
LVL 13

Expert Comment

by:ocon827679
ID: 9748860
You didn't "deny" sdc users, did you?  

0
 
LVL 57

Expert Comment

by:Pete Long
ID: 9748886
Hi conoverc73,
I agree! Best policy is NOT to deny anything unless you have to!

Just remove the Everyone group, then assign your permissions.

Cheers!
0
 

Author Comment

by:conoverc73
ID: 9748936
sdc users is not part of the "allow" list.  Only administrators and sdc dba's.

The everyone group was never a part of my allow list to begin with.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 9749075
That group must have write permission on both the share and that folder.

Office Products tend to want to create a temp file in the same location as the original.  If the user has no write permissions, the temp file cannot be created.

Advise.
0
 
LVL 11

Expert Comment

by:adonis1976
ID: 9749086
Did you set the NTFS read access to the dba group for that file? If not, you might want to set it first. Also, you might want to try this...

Add the users group into the permission list and deny everything for that object. For dba users and admin, specifically set the rights you want: read, write, etc.
0
 
LVL 11

Expert Comment

by:adonis1976
ID: 9749100
Good point, Netman66... yeah, Office products have that issue, so you might want to set write permission on the folder for dba users.
0
 

Author Comment

by:conoverc73
ID: 9749159
"administrators", "sdc users", "sdc dba's" and "sdc dev's" all have full access to the folder.  I also tried adding the "sdc users" group to the allow list and when I clicked all of the boxes to deny them everything, the group disappeared.
0
 
LVL 11

Expert Comment

by:adonis1976
ID: 9749327
Can you remove George Bush from the users group? Is it an option? Cos what I think is happening is since users don't have access to that file and deny permission always takes precedence over the allow permission.
0
 

Author Comment

by:conoverc73
ID: 9749538
I cannot remove George Bush from the sdc users group because he would then be denied access to most of the other folders on the S drive.  Basically, the sdc users group has access to just about everything on the S drive.  This is why I had to implement more restrictive access in the area that I am working on now.......s:\shared\test-dir\APC\apc_folio.xls.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 9749597
Do they also have Full Access to the Share?
0
 

Author Comment

by:conoverc73
ID: 9749663
Yes.  In the path s:\shared\test-dir\APC\apc_folio.xls, the directory "shared" is being shared to "sdc users", "sdc dba's", "sdc dev's" and "administrators".  All of them have full control.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 250 total points
ID: 9749793
Wow...that's a tongue-twister!

Ok, let's be absolutely certain I understand you and you understand me before we go any deeper.

If you go into My Network Places and double-click the servername what you see are shares that are available.  The share (not to be confused with your folder named "share") must allow Full Access to the groups in question - that's the starting point.

Now, also your folder (named "share") must have the appropriate NTFS permissions to allow the type of access you desire.  The best I would assign here is Modify for those groups.

Please let me know if this is what you understood me to be asking previously.
0
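The evaluation discussed in this thread, as an added example that is not part of any poster's reply: a simplified Python model of the access decision over the share, where both the share ACL and the file's NTFS ACL must grant the request and an explicit deny ACE wins over any allow. The rights bits, the non-DBA user and the read-only share case are constructed assumptions; only explicit ACEs are modelled, since inheritance was switched off on the file.

```python
from dataclasses import dataclass

# Assumption: three coarse rights as bit flags, not the full NTFS access mask.
READ, WRITE, CHANGE_PERMS = 1, 2, 4
FULL = READ | WRITE | CHANGE_PERMS

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    group: str
    rights: int

def granted(acl, groups, wanted):
    """Evaluate explicit ACEs in canonical order: deny entries before allow entries."""
    remaining = wanted
    for ace in sorted(acl, key=lambda a: a.kind != "deny"):
        if ace.group not in groups:
            continue
        if ace.kind == "deny":
            if ace.rights & remaining:
                return False          # a deny on any right still needed ends the check
            continue
        remaining &= ~ace.rights      # allow: strike off the rights this ACE grants
        if remaining == 0:
            return True
    return False                      # nothing granted it: implicit deny, not a deny ACE

def can_access(share_acl, ntfs_acl, groups, wanted):
    """Over the network, the share ACL and the NTFS ACL must both grant the request."""
    return granted(share_acl, groups, wanted) and granted(ntfs_acl, groups, wanted)

# Constructed sample data using the group names from the question.
SHARE = [Ace("allow", g, FULL)
         for g in ("administrators", "sdc users", "sdc dba's", "sdc dev's")]
FILE_DBA_ONLY = [Ace("allow", "administrators", FULL), Ace("allow", "sdc dba's", FULL)]
FILE_WITH_DENY = FILE_DBA_ONLY + [Ace("deny", "sdc users", FULL)]
READ_ONLY_SHARE = [Ace("allow", "sdc users", READ)]   # hypothetical weaker share

GEORGE = {"sdc users", "sdc dba's"}   # member of both groups, as in the question
NON_DBA = {"sdc users"}               # hypothetical user outside the dba group

def demo():
    return {
        "george / dba-only file ACL": can_access(SHARE, FILE_DBA_ONLY, GEORGE, READ | WRITE),
        "non-dba / dba-only file ACL": can_access(SHARE, FILE_DBA_ONLY, NON_DBA, READ),
        "george / deny on sdc users": can_access(SHARE, FILE_WITH_DENY, GEORGE, READ),
        "george / read-only share": can_access(READ_ONLY_SHARE, FILE_DBA_ONLY, GEORGE, WRITE),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'granted' if ok else 'denied'}")
```

In this model a user who is in both groups keeps access under the DBA-only ACL, because a missing allow entry for sdc users is not a deny; an explicit deny on that group, by contrast, locks the DBA out as well.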
 
LVL 17

Expert Comment

by:RDAdams
ID: 9749911
Why not assign another root directory and only allow the dba's and administrators access?

{Share}\directory1 (Access for all users)
{Share}\directory2 (Access for DBA's and Administrators only)
0
 

Author Comment

by:conoverc73
ID: 9751215
Netman66 - you and I are totally on the same page.  I understand you 100%.

Looks like problem is fixed now.  This whole time, my users have been getting to the files based on the permissions that I implemented.......without any problems.

The problem lies somewhere with the way I was trying to test the permissions.  I'm using a machine that is not part of a domain (just a workgroup) and for some reason even after mapping a drive to the server, the permissions were not acting like I expected.

Thanks for all your help.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 9751536
Excellent.  Glad it's working.

I suppose if I had known the test machine was in workgroup mode I might have caught this earlier.

Anyway, all is well and I was happy to help out.

Cheers and thanks.
0

Question has a verified solution.