Solved

Permissions on User Directory - Access Denied

Posted on 2004-08-02
13
949 Views
Last Modified: 2008-03-03
I have a very strange situation. On my Win2k DC, all the user directories are stored under the share 'Home' \ username . everything was fine till last week when a user reported that he cannot do anything other then view in his personal folder. Something weired has happend, all the permissions seem to be fine, i even looked via CACLS and the user has permissions, but they cannot do anyting, modify or write, all they can do is read. if i create a new folder outside of 'home' eveything this fine, but all the user directories under home cannot be accessed for modification except for the domain admins, does anyone have any suggestions or seen this problem before, please let me know.

Thanks!
0
Comment
Question by:z969307
  • 4
  • 3
  • 3
  • +3
13 Comments
 
LVL 1

Expert Comment

by:canner
Comment Utility
TRY getting full access to the Directory .

take over the ownership of the directory and then grant the user access again.

sometimes you have to do this 2 times to get the problem fixed

0
 
LVL 7

Expert Comment

by:GATOR420
Comment Utility
Sounds like someone did an apply to all subdirectories when they created a directory higher than where you are and gave it Read Only permissions. You might just end up have to re-permission everyone now.
0
 
LVL 10

Expert Comment

by:pcbrat
Comment Utility
what are the permissions on the "Home" directory? Have you changed something there and then had it propogate down?

dawne :)
0
 

Accepted Solution

by:
jon37325 earned 150 total points
Comment Utility
There is an alternative that you have share permissions that do not coinside with your security permissions. This is often overlooked by many administrators. What you need to make sure is that on your security "tab" and your Sharing permissions are lined up correctly. This can cause serious issues. Just double check both sides and you should be fine.
0
 

Author Comment

by:z969307
Comment Utility
Thanks for all your comments guys, I figured out the problem, either me or the other admin took off the 'full' and 'change' permission under the 'Share Permissions' and i think this was trickling down, users can modify within their directories after i checked the full and change options. I will split up the point.

I will add bonus point to anyone of you who can assist me with what the standard permissions hierarchy should be on shared user directories on a LAN. And the proper way of doing it. Currently I have the Domain Admin and the user access to the folder, I have taken out everything else, thanks for you help in advance.

Z
0
 
LVL 1

Assisted Solution

by:irjeffb
irjeffb earned 200 total points
Comment Utility
It is almost always best to just set the share permissions to Everyone - Full Control.  The folders should be secured with NTFS Security, not Share permissions.  This also makes it A LOT easier to manage.
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 

Author Comment

by:z969307
Comment Utility
If everyone has full control then everyone else will be getting into everyone elses folders, i don't want the janitors reading the strategic plans.
Thanks
0
 
LVL 1

Expert Comment

by:irjeffb
Comment Utility
If the folders are properly secured with NTFS Permissions, nobody will get to any data they are not allowed to get to.  Adding the Share Permission level of "security" only unneccessarily complicates things.

If you have a folder and the Share Permissions are Everyone - Full Control, and the NTFS Permissions are Administrator - Full Control (no other entries in Security), ONLY the Administrator account will get in the folder.
0
 
LVL 10

Assisted Solution

by:pcbrat
pcbrat earned 150 total points
Comment Utility
If this is just a users home directory then I would suggest using a $ to hide it as an Admin share...

this is what we do..

we have users that have their My Doc redirected....the have a mapping in their user properties that maps the "Z drive to their personal directory...they have full control over it and no one else except the admin can see it....

we dont share that directory that holds all their personel folders....its hidden

\\servername\users$\usernamefolder

dawne
0
 
LVL 1

Expert Comment

by:irjeffb
Comment Utility
pcbrat...
that will work if all of your client PCs are win2k or XP.  Pre-2k cannot map to a folder under a share, only directly to the share.
0
 
LVL 10

Expert Comment

by:pcbrat
Comment Utility
you are right....and I am...(all win2k/xp)..

:)
0
 

Author Comment

by:z969307
Comment Utility
Thanks for all the tips. Dawn, your tip was helpful, it is the most basic thing as a net admin you should know which i overlooked, i had my user directories open, I will implement the hidden share on it immediately. The share permission will be everyone 'FCR' and the NTFS on each individual user folder would be that user full control and the domain admins full control and nothing else.

I really appreciate all the comments and suggestions.

Thanks to all.
0
 
LVL 10

Expert Comment

by:pcbrat
Comment Utility
Your welcome....and glad to know we couls help....sometimes even the best of us overlook the simple things....thats why we have places like EE to help other IT people out there!

got each others back as they say :)
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

I don't know if many of you have made the great mistake of using the Cisco Thin Client model with the management software VXC. If you have then you are probably more then familiar with the incredibly clunky interface, the numerous work arounds, and …
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now