Can open files from Explorer, but not from within Apps

Posted on 2005-03-09
Medium Priority
Last Modified: 2010-04-10
Users can browse to a folder and double click a file and the file opens.  If the user opens any Office application (Word, Excel, or Outlook) and tries a "file->open" command and selects the folder from the dialog box, they get an "Access denied" error.
Even when opening a file via explorer, the user is unable to save changes despite security settings that say they can.

Some background:
We're migrating to a new domain; the file server is in the NEW domain.  The user accounts are in the OLD domain.
The folder with the data in it is \\SERVER\ROOT\SUBFOLDER1\SUBFOLDER2\FILE
Despite the reference to Office above, I think this is a security issue because if I use an account from the (NEW) domain admins group, I can open and save from everywhere (desktop AND application).  (haven't tried it with a basic user account from the NEW domain, as there aren't any yet...)
There is a security group set up with limited access to SUBFOLDER 1 & 2 (essentially 'view contents'), and individual user-level access on individual files in SUBFOLDER2 (certain users can only open certain files)
Question by:slassalle
Expert Comment

ID: 13502331
What OS are you running on the clients and the Server?

Expert Comment

ID: 13502553
1. When opening the file from MS Office, do you go through Network Neighbourhood or Map drive?

2. Can you give the real value for "\\SERVER\ROOT\SUBFOLDER1\SUBFOLDER2\FILE"?
Sometimes the subfolder name is too long or contains an invalid character.

3. There are two domains mentioned; are they NT 4.0 and 2000/2003 AD? Or what is the old Domain, and what is the new Domain? (not domain name, but what OS is hosting the domain?)

- Alex.

Expert Comment

ID: 13504546
Your users should belong to the new domain, not the old. My guess is that the files they access have Everyone Read rights. That's why they can read but not write. The user rights are only effective in the domain to which they logged in (except Everyone).


Expert Comment

ID: 13509677
Agree with peakpeak, bad SIDs

There's probably a way to join the SIDs, maybe by making a domain trust, I can't remember it offhand.

You could make a new Group in the new domain and import the users from the old domain.

Once migrated, you'd have to figure out how to cut the umbilical cord.

Also agree on asking the OS's, domains, etc..

Expert Comment

ID: 13509697
As an afterthought, did you synchronize the domains yet?

Author Comment

ID: 13510015
When opening files, users go through a mapped drive....They can open the mapped drive fine in explorer.  If they save an Office doc to the desktop, they can drag & drop or cut & paste to the mapped drive, but if they try to open or save to the same mapped drive from within an app they get "access denied". (G: = \\FILESERVER\SUBFOLDER1\SUBFOLDER2)  I'm starting to think that this issue relates to the FILESERVER or SUBFOLDER1 security....Users have access to SUBFOLDER2, but limited rights to FILESERVER and SUBFOLDER1

The clients are mixed: NT4.0, 2000 Pro and XP Pro, all see the same situation...

The OLD domain server is Windows 2000 Server, the NEW domain server is Server 2003 (running AD)...

Regarding the user accounts being in the wrong domain..."Security" tab lets me add users from OLD domain to the files/folders on the NEW domain, so I don't think it's a trust issue...

EVERYONE isn't even on the list...just Administrators (from NEW domain), CREATOR/OWNER, SYSTEM, and Security groups from OLD domain as applicable...

New development...Playing with security settings, I got to a point where I could save a file from Excel...As soon as I did, the owner changed from Administrator to (Cannot display owner information)...  ?  I just put everything back to the way it was since that obviously didn't work...


Expert Comment

ID: 13513722
A simple test:
create a share (call it "test") in D:\test folder of your SERVER-1

then map the G: drive on the client to \\SERVER-1\test
copy the files you are having problem with, and see if you can now have a full access to it.

As requested previously, could you please put the real value for \\FILESERVER\SUBFOLDER1\SUBFOLDER2

sometimes the sharename is the issue.

- Alex.

Author Comment

ID: 13517285
It's looking more like a security issue:
I can create, map to, and use a D:Test share...
If I go to an address bar and type \\FILESERVER\SUBFOLDER1\SUBFOLDER2 the folder opens with all of my files and (from the desktop) I can read and write whatever I want....IF, however, in that same address bar, I type \\FILESERVER or \\FILESERVER\SUBFOLDER1, I get an access denied message....The users only have access to their respective subfolder, not the top-level folder...Is there something about the way that Office handles shares that requires access to the root of the share or drive?  And what rights / permissions do I need to assign to the root drive and/or top-level folder so that I can eliminate the error above, but they still only have access to their respective subfolder...(The top-level folder (SUBFOLDER1) contains several folders, some of which contain confidential information, some of which contain public information. Regardless, we want only some people to have access to only some folders.  We have another share set up for "public" folders...which works fine.)

Expert Comment

ID: 13527554
1.)  The application does not have permission to write the file :

"When opening files, users go through a mapped drive....They can open the mapped drive fine in explorer.  If they save an Office doc to the desktop, they can drag & drop or cut & paste to the mapped drive, but if they try to open or save to the same mapped drive from within an app they get "access denied"."

Obviously, Microsoft Operating System components, such as Explorer, and the drag n drop desktop, cut n paste, do.

Q.:  What user is the application running as?

2.)  Permissions :

Microsoft has a really long slant on this, when Group overrides User, when Inherited overrides Group and/or User, when ServerShare overrides User, and so on.  Basically, if at the end of the chain, you place any "deny" in certain chains, all permissions are denied, regardless of former authority.

I have fallen into this trap many times.  While setting permissions by removing everybody, then setting up Groups, Users, etc., I have locked out even Administrators on various occasions.  Mostly because at the end of the chain I had denied some set, like Users, after having allowed individuals user accounts, and vice versa.

The current methods of XP for permissions are kind of oversimplified too.  "Share this folder on the network" is a far cry from allowing read, write, and execute permissions on a per Group, Users, Others environment.

You also said:

"New development...Playing with security settings, I got to a point where I could save a file from Excel...As soon as I did, the owner changed from Administrator to (Cannot display owner information)...  ?  I just put everything back to the way it was since that obviously didn't work..."

That's because you set permissions to be inherited from the Owner, but when you saved the file, permissions were inherited from the Owner, rather than the Administrator who was merely saving a copy of the file.  So you must have somehow denied the Administrator from taking ownership, about the same as denying any one user from taking ownership of any other user, even when saving a local copy.  That is tight security, and the way it should be.

The only time the sharename should be an issue is when it matches another name, like a folder name.  Then, the permissions may collide.

So, if you have a share named "SUBFOLDER2" and a real folder named "SUBFOLDER2" on the server, they're going to collide.  This is because of the precedence in resolving permissions, and the fact that the server also sees them pretty much as the same object because of the use of canonical names, especially in a Distributed File System and/or a Network File System.

The key is in the fact that the OS can drag n drop them or cut n paste them, while explorer can save them as well.  That all points to a failure of the Application having sufficient permissions to do a write to that specific subfolder, perhaps to any folder whatsoever.  Which points to the permissions of the application and what it can act as, and what it can do; example, [dangerous, check before you use] "act as part of the operating system."  More than likely, it is something like "write to User files and folders" or "write to Group files and folders."

The old domain is 2000, the new domain is 2003 [NT 5.x and 5.y]

They should pretty much work as the NT did.  The file system is NTFS, yes?  The NT file security is just that, right down to the file level.  Per Server, Per Group, Per User, and so on, with a plethora of specialized permission, including permissions for programs that run as a service under a user account.  You want to check this out because if it isn't the application that is getting permission denied, you can at least eliminate that from the list of possibilities.

I wish Windows had a chmod!
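
Added example (not part of the original thread and not any poster's code): a simplified Python model of how Windows walks a DACL, covering the deny-entry lockout described in the comment above and the parent-folder denial the author reported for SUBFOLDER1. The trustee names, rights bits and entry lists are constructed for illustration.

```python
# Simplified model of the Windows DACL access check (constructed example).
# SID labels and rights bits are made up; share permissions, privileges and
# owner rights are not modelled.
from dataclasses import dataclass

READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL = READ | WRITE | DELETE

@dataclass(frozen=True)
class Ace:
    kind: str            # "allow" or "deny"
    sid: str             # trustee the entry applies to
    mask: int            # rights the entry covers
    inherited: bool = False

def access_check(token_sids, dacl, desired):
    """Walk ACEs in stored order, as the OS does; order decides the outcome."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                      # entry is for someone else
        if ace.kind == "deny" and ace.mask & remaining:
            return False                  # deny hit before the right was granted
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True               # everything requested is granted
    return False                          # no matching allow: implicit deny

def canonical(dacl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

# Constructed tokens: an admin in the NEW domain, a user still in the OLD one.
ADMIN = {"NEW\\Administrator", "NEW\\Domain Admins", "BUILTIN\\Users"}
OLD_USER = {"OLD\\jdoe", "OLD\\Finance"}

# Lockout trap: allow the admins, then deny a broad group they also belong to.
AS_ENTERED = [Ace("allow", "NEW\\Domain Admins", FULL),
              Ace("deny", "BUILTIN\\Users", WRITE)]
LOCKOUT = canonical(AS_ENTERED)

# Folder layout from the thread: group access on SUBFOLDER2 only.
SUBFOLDER1 = [Ace("allow", "NEW\\Domain Admins", FULL)]
SUBFOLDER2 = canonical([Ace("allow", "NEW\\Domain Admins", FULL, inherited=True),
                        Ace("allow", "OLD\\Finance", READ | WRITE)])

if __name__ == "__main__":
    for name, tok, dacl, want in [("admin write, canonical", ADMIN, LOCKOUT, WRITE),
                                  ("admin write, as entered", ADMIN, AS_ENTERED, WRITE),
                                  ("old user SUBFOLDER1 read", OLD_USER, SUBFOLDER1, READ),
                                  ("old user SUBFOLDER2 write", OLD_USER, SUBFOLDER2, WRITE)]:
        print(f"{name}: {'granted' if access_check(tok, dacl, want) else 'denied'}")
```

The same two entries give opposite answers depending on their order, which is why a deny on a broad group added through the Security tab (which stores entries in canonical order) locks out everyone in that group, administrators included.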


Author Comment

ID: 13806062
Turns out that this was a Microsoft issue (big surprise...)  There is a hotfix that corrected the problem.  (see http://support.microsoft.com/default.aspx?scid=kb;en-us;829576 for a description...)

Obtained and installed on the affected machines and everybody's happy (more or less...)


Expert Comment

ID: 13813128
Glad you found it; I got tired of wading through waiting for them to fix it, so they finally did huh, well bust my britches!

Accepted Solution

PAQ_Man earned 0 total points
ID: 14104862
PAQed with points refunded (250)

Community Support Moderator
