Link to home
Start Free TrialLog in
Avatar of vasp
vaspFlag for United Kingdom of Great Britain and Northern Ireland

asked on

Folder Permissions and Group Policy (Win2k)

Hi guys,

Members of the Administrators group on our server (Windows 2000 homogenous network.) can change network drive folder permissions (for which they have access) but members of the Domain Users group can only view them (even when they have been explicitly granted FULL access to the folder).  I'm not keen on this behaviour as it means a standard-project-folder-creating-batch-file I've written doesn't work properly.  Now, I've recently installed the NSA security configuration inf files (with some tweaks) and I think it might have something to do with the problem I'm having:

My guess is that there is a security setting somewhere that restricts the change folder permission to the Administrator group - only I can't find it.

I know I've likely caused this problem - I'm hoping someone might be able to shed some light on how to fix it?

vasp
Avatar of mdiglio
mdiglio
Flag of United States of America image

Hello,

A lot of this will depend upon which config file you downloaded

But I would first look here in the group policy.
I can't say which Group Policy to look at until I know more about the config file.

computer configuration >> windows settings >>security settings >> file system

Hopefully it will be clear which one is causing the problem.
If not post the link to the config file you downloaded from NSA
Avatar of vasp

ASKER

It was the W2kDC.INF from link:

http://www.nsa.gov/snac/downloads_win2000.cfm?MenuID=scg10.3.1.1

A few days after I'd installed it and a server reboot, I decided I'd strip out the file system and registry permissions it sets from the group policy.  So I'll have a trawl through the inf file and see if I can see it.

vasp
Hello,
If it will help here is where you can find the .inf files

You should copy it to your desktop so you are trudging through the 'live' file

this policy is default domain controllers policy
%systemroot%\sysvol\Sysvol\'DomainName'\policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit

this policy is default domain policy
%systemroot%\sysvol\Sysvol\'DomainName'\policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit
Or maybe you can download the Group Policy Management Console.

This has a settings tab that will let you view the current settings of any Group Policy

I really thought I remember that there was a checkbox somewhere when editing the Group Policy
that will show you only the configured parts but I can't seem to find it again.
I thought it was under the 'view' menu item

Group Policy Management Console with Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
You say: -

>>>but members of the Domain Users group can only view them (even when they have been explicitly granted FULL access to the folder).  

Add domain users to Special Group called "Authenticated Users" Group because they are accessing or setting permissions over the network so they must be added to this group.

>>>Now, I've recently installed the NSA security configuration inf files (with some tweaks) and I think it might have something to do with the problem I'm having:

It is not necessary to install any third party security template for ur problem and don't install it for time being.

>>>My guess is that there is a security setting somewhere that restricts the change folder permission to the Administrator group - only I can't find it.

The only thing i can say that by default Windows Security settings are not applied to any user in the domain unless otherwise specified in the Default Domain Policy.

Thankx
SystmProg
Avatar of vasp

ASKER

Moving away from the real issue......  Rephrase and up the points......

Is there a setting somewhere (Group Policy, Domain Controller Policy, Domain Policy, Local Policy etc etc) that can be used to grant or deny user groups (or maybe even just individual users) the change permission right?

My problem is exactly this - only users that are a member of the Administrators group can change file/folder permissions.  Domain Users for example cannot even change permissions when they have FULL access to the folder.

I'm thinking there must be a setting somehwere that overrides this.

Please help if you can.

vasp
Good idea!
You can look in
computer configuration >> security settings >> file system
Avatar of vasp

ASKER

Not what I'm after.... that only covers system drive files.... looking for something more like a global override of the change permission right...

vasp
ASKER CERTIFIED SOLUTION
Avatar of mdiglio
mdiglio
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of vasp

ASKER

mdiglio,

It was the permissions on the share...  I couldn't see the wood for the trees!

Thanks,

vasp
Good Job, glad you got it working!