

File permissions

Posted on 2006-05-14
Medium Priority
Last Modified: 2010-04-18
Hi all

I'm hoping this is a common problem for new users of Server 2003 and AD!

There are two identical machines on our network, with identical software installed.  There are only two users who will log into these two machines, and they have a (group) mandatory profile.

One particular application on the machines wants to create a log file when it launches, and place it in c:\Program Files\Name of software\date.log

On machine number 1, either user can log in, run the software and create the log file.  As a test, I confirmed it's possible to create new text files in c:\Program Files\ and in the relevant subfolders.

On machine number 2, either user can log in but the software is unable to create the log file so the software won't start.  On this machine it's NOT possible to create new text files in c:\Program Files.

Both machines are in the same computer OU in Active Directory, both users are in the same user OU too.  The users share a mandatory profile.  I've checked properties for both users and both machines and they're the same.

When we installed the software we were logged in as the LOCAL Administrator.

Any ideas ?!


Question by: SimonUK

Accepted Solution

oBdA earned 2000 total points
ID: 16678048
Just compare the NTFS permissions for C:\Program Files\Name of software; it's likely that on machine 1, the users have the necessary permissions for the folder, and they don't on machine 2.
Another possibility is that someone added both users to the local administrators or power users group on machine 1, but this never happened on machine 2.

Author Comment

ID: 16678469
Thanks for your speedy suggestion!

I think I checked the NTFS permissions on both machines to compare them, and saw that they were the same for both machines (oddly, read/execute only if I remember rightly, so I don't know how machine 1 is able to do what machine 2 cannot!).  However, I will double check in case I missed it, or there's an inherited permission somewhere.

On user memberships; on the server they are only members of users.  I hadn't thought that someone may have changed their memberships on the local machines, though - is that what you mean?



Expert Comment

ID: 16678623
Yes; I just noticed that they seem to be able to access even C:\Program Files (and not only the program's subfolder) on machine 1, which makes it even more likely that they have more permissions on this one than on the other.

Author Comment

ID: 16678677
Ah OK, I see your thinking.  I did presume that c:\program files would be restricted for write access by default but didn't know for sure... some of this is new ground for me.

I'll check the permissions tomorrow and post back !


Author Comment

ID: 16682920
In the end, it turned out someone had created a LOCAL account with the same name on machine 1.  This didn't really explain why, when logging in with a different account, the user was still able to write to c:\program files but we removed the local version of the account - and the machine started behaving the correct way (not able to write to that folder).

I then allowed all local users permissions on the c:\program files\Name of software folder - problem solved.

Thanks for your help !
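
The three things compared in this thread, collected from both machines and diffed: the NTFS ACEs on the application folder, membership of the local Administrators and Power Users groups, and local accounts that share a name with the domain users. This is an added example, not code from the thread; it assumes PowerShell 5.1 with remoting enabled on both machines, and MACHINE1, MACHINE2, user1 and user2 are placeholder names.

```powershell
# Added example. Placeholders: host names and account names below.
$computers = 'MACHINE1', 'MACHINE2'
$folder    = 'C:\Program Files\Name of software'   # path as written in the thread
$users     = 'user1', 'user2'

$report = Invoke-Command -ComputerName $computers -ArgumentList $folder, $users -ScriptBlock {
    param($folder, $users)

    # Every ACE on the folder, including inherited ones that are easy to miss in the GUI
    $aces = (Get-Acl -LiteralPath $folder).Access | ForEach-Object {
        '{0}|{1}|{2}|inherited={3}' -f $_.IdentityReference, $_.AccessControlType,
            $_.FileSystemRights, $_.IsInherited
    }

    # Local groups whose members can write under Program Files
    $members = foreach ($g in 'Administrators', 'Power Users') {
        Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
            ForEach-Object { '{0}|{1}' -f $g, $_.Name }
    }

    # Local accounts with the same name as one of the domain users
    $dupes = Get-LocalUser | Where-Object { $users -contains $_.Name } |
        ForEach-Object { $_.Name }

    [pscustomobject]@{
        Acl        = @($aces | Sort-Object)
        Groups     = @($members | Sort-Object)
        LocalDupes = @($dupes)
    }
}

# Print only the entries that exist on one machine and not on the other
$a, $b = $report | Sort-Object PSComputerName
foreach ($p in 'Acl', 'Groups', 'LocalDupes') {
    "== $p =="
    $a.$p | Where-Object { $_ -and $_ -notin $b.$p } |
        ForEach-Object { "only on $($a.PSComputerName): $_" }
    $b.$p | Where-Object { $_ -and $_ -notin $a.$p } |
        ForEach-Object { "only on $($b.PSComputerName): $_" }
}
```

An empty section means the two machines agree on that check; any line under LocalDupes is the kind of same-name local account found on machine 1 in this thread.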

