Solved

fileSystem object and remote permissions

Posted on 2004-03-26
22
475 Views
Last Modified: 2006-11-17
You can have every point I've got if you can help me make this work... that's only 224 don't get excited.

<%
set fso = server.CreateObject("scripting.filesystemObject")
listpath = "\\server\listdirectory\"
masterpath = "\\server\masterdirectory\"
scriptpath = "\\server\scriptdirectory\"
fso.CreateFolder listpath
fso.CreateFolder masterpath
fso.CreateFolder scriptpath
%>

I'm getting a permission denied error.  I'm sure it's some kind of user rights issue with IUSER_server but I can't figure it out.  
0
Comment
Question by:1cell
  • 10
  • 6
  • 4
  • +2
22 Comments
 
LVL 20

Expert Comment

by:jitganguly
ID: 10689562
Make sure IUSER_server user has all the permission
0
 
LVL 6

Expert Comment

by:sforcier
ID: 10689723
To clarify, navigate to the folder c:\inetpub\wwwroot\listdirectory\ (if you're web app isn't on the root, then it will have a different path). Right click on the folder, choose properties, choose security, click "Add", select the "IUSR_server", and change their permissions to include read, write, and (I believe you'll also need) modify. Repeat this process for the other folders. After you get it working, try removing the modify permissions and see if it still works. The weaker the permissions for IUSR_server (while still being functional), the better.
0
 
LVL 6

Author Comment

by:1cell
ID: 10689867
sforcier, to clarify a bit more....  \\server\directory\ is a directory on a remote server.  it's not on the same machine as the web server.

jitganguly, domain\IUSER_server has everything but Delete Subfolders and Files, Change Permissions, and Change Ownership. is ALL really necessary???
0
 
LVL 11

Expert Comment

by:mouatts
ID: 10689988
For this to work the IUser_server account must have permissions to write to the folder and it must have rights to access these directories using the same username and password that the IUSR account has.

Now if that is a problem the solution is to add the paths as virtual directories using the correct password. This would open up the directories to the outside world so turn authentication on for those virtual directories and disable all IP addresses apart from that of the server to block them again.

HTH
Steve
0
 
LVL 6

Author Comment

by:1cell
ID: 10690049
mouatts, I let windoze manage the IUSER password.  I don't even know what it is unless I assign it.  I figured if that was managed BY windows that the domain user info would be supplied to other servers.  Do you think I'm wrong about that?

Maybe the virtual directories solution is best.  I didn't really give it much thought because of the security issues but authenticating on IP would work.
0
 
LVL 11

Expert Comment

by:mouatts
ID: 10690137
> I figured if that was managed BY windows that the domain user info would be supplied to other servers.  Do you think I'm wrong about that?

I think so. Certainly looking at my servers the USR account is a local one. The only USR account which is a domain one is for the web server that sits on the domain controller.

Steve
0
 
LVL 6

Author Comment

by:1cell
ID: 10690173
well, I tried creating a virtual directory under the existing site but I'm still getting a permission denied error.  In the properties for the virtual directory, I used a user with full permissions to the parent directory and applied them all to all subdirectories.

I can browse the virtual directory through IIS mgr so the password is correct, right?
0
 
LVL 6

Author Comment

by:1cell
ID: 10690316
I also got the same result when trying to map a drive letter and do it that way.
0
 
LVL 11

Expert Comment

by:mouatts
ID: 10690340
No you don't want to do it via a drive letter. When you do that it is your account that is allowed access not the IUSR account.
When you create the virtual directory enter the UNC filename and on the next screen it will prompt you for the username and password.

Steve
0
 
LVL 6

Author Comment

by:1cell
ID: 10690359
and for that user I can use any user with the permissions to the target directory?

that's what I did, and I've been playing with, but I can't get it to go.
0
 
LVL 11

Expert Comment

by:mouatts
ID: 10690425
Trying restarting IIS it's sometimes a bit of a pig to get this to take. Trust me it works but believe me when I tell you I have spent hours retyping the bloody thing before it seems to connect :(

Steve
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 11

Expert Comment

by:mouatts
ID: 10690435
Just a though you may need the domain name in front of the username eg mydomain/adminsitrator
0
 
LVL 6

Author Comment

by:1cell
ID: 10690524
restarted, same error

the domain name is in front of the username.

I was reading an article about duplicate anonymous accounts
http://support.microsoft.com/default.aspx?scid=kb;en-us;184566
0
 
LVL 6

Author Comment

by:1cell
ID: 10690531
and this...

http://support.microsoft.com/default.aspx?scid=kb;en-us;169271

I'm gonna see what I can mess up in that direction.
0
 
LVL 6

Accepted Solution

by:
sforcier earned 224 total points
ID: 10690976
Another road to go down might be to change the user that the ASP page "behaves like" (I skimmed the previous posts, so if this has been suggested, please ignore). To do this, open IIS Manager, navigate to the ASP page that needs access (not the folders your trying to get to), right click the file and choose properties. From there, choose the "file security" tab, click "Edit" in the Anonymous Access section. Check the "anonymous access" checkbox at the top, click "edit" or "browse" to change the anonymous user account. Choose a pre-existing user with sufficient privledges (if you're just testing, perhaps just use a domain admin, but be careful as this is a security risk). Uncheck "Allow IIS to manage password for me" and type in the password. Then click "apply/ok" until you're back at the IIS Manager screen.

If you have this in a test environment and it is adequately shielded from the outside, then use the Domain Admin account. Otherwise, you could create a new domain user and give them lots of privledges on the folders, test the ASP page, and then slowly back off the privledges until it no longer works.
0
 
LVL 6

Author Comment

by:1cell
ID: 10691084
HEY! There you go!  Lemme fiddle around with this a bit and make sure I can apply it to my situation.  It worked for my testing purposes.
0
 
LVL 6

Author Comment

by:1cell
ID: 10706278
thanks a lot to everybody but sforcier's idea worked very well for me and I'll be able to enforce user level security on it as well so I can implement it per page and not worry about other holes.
0
 
LVL 6

Expert Comment

by:sforcier
ID: 10706384
I'm glad I could help! I just want to reiterate how careful you should be when doing this. Granting an ASP page more power makes it easier to hack. I'm sure you're aware of this, and I'm sure you'll use due dilligence; I just can't stress this point enough.
0
 
LVL 6

Author Comment

by:1cell
ID: 10706438
that's what I mean about enforcing user level security.  While the page has permissions, I can set requirements within it by using userLevels that already exist in my app..... so, only specific logged in users can even access the page.  anybody else gets redirected.

you think that's adequate???
0
 
LVL 6

Expert Comment

by:sforcier
ID: 10706857
I don't know that I fully understand what you mean by "user level access" specifically. If you mean disabling anonymous access or using NTFS security on the individual ASP pages, then yes, that should certainly be adequate.
0
 

Expert Comment

by:joninhas
ID: 10987226
I have an asp application that colects images from a folder generated by a scanner. This folder is in a network drive (like \\a_drive\scanner). I wish to move all images from this folder to another folder wich is located in my local server.
Please help...
0
 
LVL 11

Expert Comment

by:mouatts
ID: 10989388
joninhas you will need to post your own question. You can't just piggy back another.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I recently decide that I needed a way to make my pages scream on the net.   While searching around how I can accomplish this I stumbled across a great article that stated "minimize the server requests." I got to thinking, hey, I use more than one…
I would like to start this tip/trick by saying Thank You, to all who said that this could not be done, as it forced me to make sure that it could be accomplished. :) To start, I want to make sure everyone understands the importance of utilizing p…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now