Solved

Permissions on User Directory - Access Denied

Posted on 2004-08-02
Last Modified: 2008-03-03
I have a very strange situation. On my Win2k DC, all the user directories are stored under the share 'Home' \ username. Everything was fine till last week, when a user reported that he cannot do anything other than view in his personal folder. Something weird has happened: all the permissions seem to be fine, I even looked via CACLS and the user has permissions, but they cannot do anything, modify or write; all they can do is read. If I create a new folder outside of 'home' everything is fine, but all the user directories under home cannot be accessed for modification except for the domain admins. Does anyone have any suggestions or seen this problem before? Please let me know.

Thanks!
0
Question by:z969307
13 Comments
 
LVL 1

Expert Comment

by:canner
ID: 11696290
Try getting full access to the directory.

Take over the ownership of the directory and then grant the user access again.

Sometimes you have to do this 2 times to get the problem fixed.

0
 
LVL 7

Expert Comment

by:GATOR420
ID: 11696830
Sounds like someone did an apply to all subdirectories when they created a directory higher than where you are and gave it Read Only permissions. You might just end up having to re-permission everyone now.
0
 
LVL 10

Expert Comment

by:pcbrat
ID: 11696840
What are the permissions on the "Home" directory? Have you changed something there and then had it propagate down?

dawne :)
0

Accepted Solution

by:
jon37325 earned 150 total points
ID: 11696903
There is an alternative that you have share permissions that do not coincide with your security permissions. This is often overlooked by many administrators. What you need to make sure is that your security "tab" and your Sharing permissions are lined up correctly. This can cause serious issues. Just double check both sides and you should be fine.
0
 

Author Comment

by:z969307
ID: 11697119
Thanks for all your comments guys, I figured out the problem: either me or the other admin took off the 'full' and 'change' permission under the 'Share Permissions' and I think this was trickling down. Users can modify within their directories after I checked the full and change options. I will split up the points.

I will add bonus points to any one of you who can assist me with what the standard permissions hierarchy should be on shared user directories on a LAN, and the proper way of doing it. Currently I have the Domain Admin and the user access to the folder; I have taken out everything else. Thanks for your help in advance.

Z
0
 
LVL 1

Assisted Solution

by:irjeffb
irjeffb earned 200 total points
ID: 11697505
It is almost always best to just set the share permissions to Everyone - Full Control.  The folders should be secured with NTFS Security, not Share permissions.  This also makes it A LOT easier to manage.
0
 

Author Comment

by:z969307
ID: 11697603
If everyone has full control then everyone else will be getting into everyone else's folders; I don't want the janitors reading the strategic plans.
Thanks
0
 
LVL 1

Expert Comment

by:irjeffb
ID: 11697639
If the folders are properly secured with NTFS Permissions, nobody will get to any data they are not allowed to get to.  Adding the Share Permission level of "security" only unnecessarily complicates things.

If you have a folder and the Share Permissions are Everyone - Full Control, and the NTFS Permissions are Administrator - Full Control (no other entries in Security), ONLY the Administrator account will get in the folder.
0
 
LVL 10

Assisted Solution

by:pcbrat
pcbrat earned 150 total points
ID: 11698607
If this is just a user's home directory then I would suggest using a $ to hide it as an Admin share...

This is what we do..

We have users that have their My Doc redirected....they have a mapping in their user properties that maps the "Z" drive to their personal directory...they have full control over it and no one else except the admin can see it....

We don't share that directory that holds all their personal folders....it's hidden

\\servername\users$\usernamefolder

dawne
0
 
LVL 1

Expert Comment

by:irjeffb
ID: 11698625
pcbrat...
That will work if all of your client PCs are win2k or XP.  Pre-2k cannot map to a folder under a share, only directly to the share.
0
 
LVL 10

Expert Comment

by:pcbrat
ID: 11698958
You are right....and I am...(all win2k/xp)..

:)
0
 

Author Comment

by:z969307
ID: 11715535
Thanks for all the tips. Dawn, your tip was helpful; it is the most basic thing as a net admin you should know, which I overlooked: I had my user directories open. I will implement the hidden share on it immediately. The share permission will be everyone 'FCR' and the NTFS on each individual user folder would be that user full control and the domain admins full control and nothing else.

I really appreciate all the comments and suggestions.

Thanks to all.
0
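The layout settled on in this thread (a hidden share left open at the share level, each home folder restricted by NTFS to its user and Domain Admins) can be checked with a script like the one below. It is an added example, not code from any poster: the share name `users$` follows pcbrat's path, while the placeholder domain `CONTOSO`, the convention that the folder name equals the logon name, and the SmbShare cmdlets (Windows Server 2012 or later, not the Win2k server in the question) are assumptions.

```powershell
# Added example (not from the thread): audit home folders behind a hidden share.
# Assumptions: share 'users$', placeholder domain CONTOSO, folder name = logon name.
$ShareName   = 'users$'
$Domain      = 'CONTOSO'
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

# Share level: remote access is capped by the share ACL, so a Read-only or Deny
# entry here blocks writes even when the NTFS ACL grants Full Control.
$share = Get-SmbShare -Name $ShareName -ErrorAction Stop
foreach ($entry in Get-SmbShareAccess -Name $ShareName) {
    $type  = "$($entry.AccessControlType)"
    $right = "$($entry.AccessRight)"
    if ($type -eq 'Deny' -or $right -notin 'Full', 'Change') {
        Write-Warning "Share ACL: $($entry.AccountName) $type $right"
    }
}

# NTFS level: each folder should list only its user and Domain Admins,
# both with Allow / Full Control.
$findings = foreach ($folder in Get-ChildItem -Path $share.Path -Directory) {
    $user     = "$Domain\$($folder.Name)"
    $expected = $user, "$Domain\Domain Admins"
    $aces     = (Get-Acl -Path $folder.FullName).Access
    foreach ($ace in $aces) {
        $who  = $ace.IdentityReference.Value
        $full = ($ace.FileSystemRights -band $FullControl) -eq $FullControl
        $problem = $null
        if ($who -notin $expected) {
            $problem = 'unexpected principal'
        } elseif ("$($ace.AccessControlType)" -ne 'Allow' -or -not $full) {
            $problem = 'not Allow / Full Control'
        }
        if ($problem) {
            [pscustomobject]@{ Folder = $folder.Name; Identity = $who
                Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
                Finding = $problem }
        }
    }
    # A folder whose own user has no entry at all is unusable for that user.
    $names = $aces | ForEach-Object { $_.IdentityReference.Value }
    if ($user -notin $names) {
        [pscustomobject]@{ Folder = $folder.Name; Identity = $user
            Rights = $null; Inherited = $null; Finding = 'user has no entry' }
    }
}
$findings | Format-Table -AutoSize
```

Entries such as SYSTEM or BUILTIN\Administrators are reported as unexpected, which matches the "nothing else" layout described above; add them to `$expected` if your standard keeps them.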
 
LVL 10

Expert Comment

by:pcbrat
ID: 11721840
You're welcome....and glad to know we could help....sometimes even the best of us overlook the simple things....that's why we have places like EE to help other IT people out there!

Got each other's back as they say :)
0
