stuart100
asked on
Windows 2003 Server password requirments
I have just installed a new Windows 2003 Server. It is in a workgroup model and have all the latest updates etc. I have about 50 users on it some with passwords and some without. Everything seems to work fine until this morning (Cheesy "dun dun dun" music heard in the background)
I created a folder on a drive and created a group and added 10 users to the group. I then gave them full rights to the group and turned off the inherit flag. Then I went over and tried to logging each user in, the users with passwords set on the server got in just fine. The users without passwords set got an access denied message. If I look at their effective rights they say they have full access but they can't get in. I have seen this before and the way I got around it was just adding passwords for these users...but I don't want to do that this time...I need to be able to let them have access without passwords.
I created a folder on a drive and created a group and added 10 users to the group. I then gave them full rights to the group and turned off the inherit flag. Then I went over and tried to logging each user in, the users with passwords set on the server got in just fine. The users without passwords set got an access denied message. If I look at their effective rights they say they have full access but they can't get in. I have seen this before and the way I got around it was just adding passwords for these users...but I don't want to do that this time...I need to be able to let them have access without passwords.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I don't have a solution for this. And i think microsoft disabled users on a folder with permissions without a password for security reasons.
But ask yourself the question from a security point of view. Whats the point setting permissions on a folder if someone can login without a password.
User A knows that user B doesn't have a password. User A logs in as user B and deletes all files. There is noway to check who has done what.
Whats the point of setting permissions at all, why not make the folder public to everyone ? Apparently the data isn't that important since no password users are able to acces it and delete it.
I would go for rights for everyone.
Sorry if this comment isn't helpfull on your situation but i really think you should reconsider how to handle this problem.
Question there must be a really good reason for you to let users have acces to your network without a password. I'm really curious as of why ?
But ask yourself the question from a security point of view. Whats the point setting permissions on a folder if someone can login without a password.
User A knows that user B doesn't have a password. User A logs in as user B and deletes all files. There is noway to check who has done what.
Whats the point of setting permissions at all, why not make the folder public to everyone ? Apparently the data isn't that important since no password users are able to acces it and delete it.
I would go for rights for everyone.
Sorry if this comment isn't helpfull on your situation but i really think you should reconsider how to handle this problem.
Question there must be a really good reason for you to let users have acces to your network without a password. I'm really curious as of why ?
ASKER
First off....jebeckham
Thanks that worked points are yours.
Secondly....Maasdriel
Long story and I am not sure if I really care to dive into it all or for that matter if it is really any of your business...not to mention that fact I didn't ask for thoughts on my security structure. I guess I will enlighten you a bit. We are a high production office that works many hours a day...(very limited time to make network server changes) The department that this server belongs to has 7 other servers that their data is spread across. This is all in a workgroup model. In the past these users did not have passwords and we are planning on changing this. We are currently moving all that data one server at a time to a brand new server running 2003. (Pretty much one server per weekend) Once all 7 are consolidated into 1 we plan on giving everyone a password and most likely going to a domain model. Either way it made more sense to us, to consolidate first..set passwords and go from there. Otherwise we have to visit each server and make password changes for each user repeatedly. I believe we went with the best choice. Most of our employees also have 10 or more years with us and we kind of trust them..(I know that is tough to believe or swallow.) Let’s just say that by putting permissions on that folder I am just helping keep the honest people honest until stage two flips in.
Now I know you will have ten other comments to say about this or easier ways to do it but frankly not sure stating those will help. If I wanted comments about how to secure my servers I would have asked a question about the best security policies to put in place. The fact is I didn't ask that question because I already know the answer and I am heading in that direction right now...but I guess you didn't know that before you made your post.
Respectfully,
Stuart
Thanks again,
jebeckham
Thanks that worked points are yours.
Secondly....Maasdriel
Long story and I am not sure if I really care to dive into it all or for that matter if it is really any of your business...not to mention that fact I didn't ask for thoughts on my security structure. I guess I will enlighten you a bit. We are a high production office that works many hours a day...(very limited time to make network server changes) The department that this server belongs to has 7 other servers that their data is spread across. This is all in a workgroup model. In the past these users did not have passwords and we are planning on changing this. We are currently moving all that data one server at a time to a brand new server running 2003. (Pretty much one server per weekend) Once all 7 are consolidated into 1 we plan on giving everyone a password and most likely going to a domain model. Either way it made more sense to us, to consolidate first..set passwords and go from there. Otherwise we have to visit each server and make password changes for each user repeatedly. I believe we went with the best choice. Most of our employees also have 10 or more years with us and we kind of trust them..(I know that is tough to believe or swallow.) Let’s just say that by putting permissions on that folder I am just helping keep the honest people honest until stage two flips in.
Now I know you will have ten other comments to say about this or easier ways to do it but frankly not sure stating those will help. If I wanted comments about how to secure my servers I would have asked a question about the best security policies to put in place. The fact is I didn't ask that question because I already know the answer and I am heading in that direction right now...but I guess you didn't know that before you made your post.
Respectfully,
Stuart
Thanks again,
jebeckham
Sorry it isn't my bussiness. But i was really curious as of why someone would chose to go this way.
Thank for your comment. Yesterday i coudn't think of 1 reason why someone would want this. I can see your point of view. I didn't think of this scenario :)
Thanks again for taking the time to explain this to me.
Goodluck with your project.
Repectfully,
Evert
Thank for your comment. Yesterday i coudn't think of 1 reason why someone would want this. I can see your point of view. I didn't think of this scenario :)
Thanks again for taking the time to explain this to me.
Goodluck with your project.
Repectfully,
Evert
ASKER
The drive the folder is on is the share they have mapped....all users can get to the rest of the folders but the ones without passwords just can't access the folder I created with special permissions set.