asked on Folder Permissions and Group Policy (Win2k)
Hi guys,
Members of the Administrators group on our server (Windows 2000 homogenous network.) can change network drive folder permissions (for which they have access) but members of the Domain Users group can only view them (even when they have been explicitly granted FULL access to the folder). I'm not keen on this behaviour as it means a standard-project-folder-cr
My guess is that there is a security setting somewhere that restricts the change folder permission to the Administrator group - only I can't find it.
I know I've likely caused this problem - I'm hoping someone might be able to shed some light on how to fix it?
vasp
Members of the Administrators group on our server (Windows 2000 homogenous network.) can change network drive folder permissions (for which they have access) but members of the Domain Users group can only view them (even when they have been explicitly granted FULL access to the folder). I'm not keen on this behaviour as it means a standard-project-folder-cr
My guess is that there is a security setting somewhere that restricts the change folder permission to the Administrator group - only I can't find it.
I know I've likely caused this problem - I'm hoping someone might be able to shed some light on how to fix it?
vasp
OS Security
Last Comment
mdiglio
ASKER
It was the W2kDC.INF from link:
http://www.nsa.gov/snac/downloads_win2000.cfm?MenuID=scg10.3.1.1
A few days after I'd installed it and a server reboot, I decided I'd strip out the file system and registry permissions it sets from the group policy. So I'll have a trawl through the inf file and see if I can see it.
vasp
http://www.nsa.gov/snac/downloads_win2000.cfm?MenuID=scg10.3.1.1
A few days after I'd installed it and a server reboot, I decided I'd strip out the file system and registry permissions it sets from the group policy. So I'll have a trawl through the inf file and see if I can see it.
vasp
Hello,
If it will help here is where you can find the .inf files
You should copy it to your desktop so you are trudging through the 'live' file
this policy is default domain controllers policy
%systemroot%\sysvol\Sysvol
this policy is default domain policy
%systemroot%\sysvol\Sysvol
If it will help here is where you can find the .inf files
You should copy it to your desktop so you are trudging through the 'live' file
this policy is default domain controllers policy
%systemroot%\sysvol\Sysvol
this policy is default domain policy
%systemroot%\sysvol\Sysvol
Or maybe you can download the Group Policy Management Console.
This has a settings tab that will let you view the current settings of any Group Policy
I really thought I remember that there was a checkbox somewhere when editing the Group Policy
that will show you only the configured parts but I can't seem to find it again.
I thought it was under the 'view' menu item
Group Policy Management Console with Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
This has a settings tab that will let you view the current settings of any Group Policy
I really thought I remember that there was a checkbox somewhere when editing the Group Policy
that will show you only the configured parts but I can't seem to find it again.
I thought it was under the 'view' menu item
Group Policy Management Console with Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
You say: -
>>>but members of the Domain Users group can only view them (even when they have been explicitly granted FULL access to the folder).
Add domain users to Special Group called "Authenticated Users" Group because they are accessing or setting permissions over the network so they must be added to this group.
>>>Now, I've recently installed the NSA security configuration inf files (with some tweaks) and I think it might have something to do with the problem I'm having:
It is not necessary to install any third party security template for ur problem and don't install it for time being.
>>>My guess is that there is a security setting somewhere that restricts the change folder permission to the Administrator group - only I can't find it.
The only thing i can say that by default Windows Security settings are not applied to any user in the domain unless otherwise specified in the Default Domain Policy.
Thankx
SystmProg
>>>but members of the Domain Users group can only view them (even when they have been explicitly granted FULL access to the folder).
Add domain users to Special Group called "Authenticated Users" Group because they are accessing or setting permissions over the network so they must be added to this group.
>>>Now, I've recently installed the NSA security configuration inf files (with some tweaks) and I think it might have something to do with the problem I'm having:
It is not necessary to install any third party security template for ur problem and don't install it for time being.
>>>My guess is that there is a security setting somewhere that restricts the change folder permission to the Administrator group - only I can't find it.
The only thing i can say that by default Windows Security settings are not applied to any user in the domain unless otherwise specified in the Default Domain Policy.
Thankx
SystmProg
ASKER
Moving away from the real issue...... Rephrase and up the points......
Is there a setting somewhere (Group Policy, Domain Controller Policy, Domain Policy, Local Policy etc etc) that can be used to grant or deny user groups (or maybe even just individual users) the change permission right?
My problem is exactly this - only users that are a member of the Administrators group can change file/folder permissions. Domain Users for example cannot even change permissions when they have FULL access to the folder.
I'm thinking there must be a setting somehwere that overrides this.
Please help if you can.
vasp
Is there a setting somewhere (Group Policy, Domain Controller Policy, Domain Policy, Local Policy etc etc) that can be used to grant or deny user groups (or maybe even just individual users) the change permission right?
My problem is exactly this - only users that are a member of the Administrators group can change file/folder permissions. Domain Users for example cannot even change permissions when they have FULL access to the folder.
I'm thinking there must be a setting somehwere that overrides this.
Please help if you can.
vasp
Good idea!
You can look in
computer configuration >> security settings >> file system
You can look in
computer configuration >> security settings >> file system
ASKER
Not what I'm after.... that only covers system drive files.... looking for something more like a global override of the change permission right...
vasp
vasp
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
mdiglio,
It was the permissions on the share... I couldn't see the wood for the trees!
Thanks,
vasp
It was the permissions on the share... I couldn't see the wood for the trees!
Thanks,
vasp
Good Job, glad you got it working!
A lot of this will depend upon which config file you downloaded
But I would first look here in the group policy.
I can't say which Group Policy to look at until I know more about the config file.
computer configuration >> windows settings >>security settings >> file system
Hopefully it will be clear which one is causing the problem.
If not post the link to the config file you downloaded from NSA