Avatar of amoray
amorayFlag for United States of America asked on

Windows keeps responding "Windows cannot access specified device, path, or file. You may not havepermissions..."

Even if I open up all the permissions for this file, Server 2003 keeps saying, "Windows cannot access the specified device, file or path. You may not have the appropriate permissions to access the item." I've opened up the permissions on the whole folder location of the file to everyone and given full control just to get it to work but it still does not work. Same response.
Microsoft Legacy OSMicrosoft Server OSWindows Server 2003

Avatar of undefined
Last Comment
ChiefIT

8/22/2022 - Mon
Brian Pierce

Is it on a share?
Have you set both the share and NTFS permissions ?
When you share a folder it has share permissions. For the most part, if your drives are formatted as NTFS then give the 'Everyone' Group 'Full Control' at the share level (you will need to change the default permission on the Sharing Tab as the Default is 'Everyone' Read). This may seem odd and insecure but it is not as NFTS itself allows you much greater control of permissions. It is usual to allow full control at the share level and then tie down permissions with NTFS.

If you right click on a folder and go to the Security Tab, it will show you the NTFS Permissions. Normally you will want a shared folder not to inherit permissions from its parent folder or drive, So go to the Advanced Tab and clear the 'Inherit from parent...' box and COPY the permissions when prompted.

You can then edit/add/remove groups from the security tab and assign each the required permissions. So if you want the Marketing Group to have full access to a folder, add the Marketing Group and Assign them Full Control. If you want the Sales Group to be able to read the folder and files but not add/delete/change anything, add the Sales group and leave the default permissions, (read, read and execute list folder contents). To stop others accessing the folder remove the Everyone and (domain) Users Groups from the list.

It is enough that groups do not appear on the list to stop them getting access. You do not normally need to DENY. If a user is a member of two or more groups they get the best of their cumulative NTFS Permissions (unless a deny is present, in which case it overrides).

Normally the standard permissions will be sufficient for most purposes; if you want to be more prescriptive you can use the 'Advanced' option and set advanced permissions.

If users have both share and NTFS permissions they get the most restrictive of the combination of the combined NTFS/Share permissions (which is why it is normal to allow Full Control on the share and rely on NTFS permissions)

It is usual to give permissions to groups, not to users as this makes for easier management. If a new person joins the sales team, you just add them to the sales group and they automatically get all the permissions assigned to the Sales Group. If someone moves from Marketing to sales you remove them from the Marketing group and they lose all the Marketing Group Permissions, when you then add them to sales they get all the permissions of the sales group. As already stated a user can be a member of multiple groups.

See http://www.windowsecurity.com/articles/Understanding-Windows-NTFS-Permissions.html for more info

Once a folder is shared with the correct folder and NTFS permissions users can connect to it using the UNC path name, it they can type \\ServerName\ShareName at the run Prompt. Alternatively they can map a drive to the folder. To do this click on Tools, Map Network drive in Windows Explorer and  assign any unused drive letter to the shared folder. The folder will then appear a s Network drive in My Computer

An analogy. Your computer is a house. Your data is in as safe the house. To gain access to the data people from outside have to go through the front door (the share), and then open the safe (NTFS). They need to have both the key to the door (share permissions) and the key to the safe (NTFS permissions) to get at the data - having one key or the other is no good - they must have both.
jakinmyfox

Do you have permissions on the sharing side. On the sharing tab and click on the permissions button. Then you also need to add them on the security tab.
Brian Pierce

I think I covered that jakinmyfox!

Another thing to check is that, "File and Print Sharing" in enabled on the firewall on the machine that you are trying to connect to. Go to Control Panel->Firewall and check that File and Print sharing is allowed on the exceptions tab
Your help has saved me hundreds of hours of internet surfing.
fblack61
ASKER
amoray

KCTS: I've got file and printer sharing enabled plus I've got "everyone" on the permissions as full control for that particular folder. It's still giving me that error. If I use this path, \\tpfidb\editariff1\bin\editload.exe, this would give me an error saying Access denied. But if I use C:\Program Files\Eagle Datamation\editariff\bin\editload.exe, this would work. editariff1 is the shared name for that folder. So the shares aren't working?
ChiefIT

Sounds like a missing DNS record rather than a permissions problem.

On the machine, go to the command prompt and type IPconfig /registerDNS.
ChiefIT

Another thing you may be running into is Internet Explorer Enhanced Security. If you are trying to access a file from an a computer with IEES, you may get the same error that you are seeing regardless of who you are. This may sound odd.

Put the UNC path in Intenret Explorer's trusted sites. If this test proves positive, then the fix is to either create a GPO to add all in your domain as a trusted site or some elect to remove IEES.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
amoray

ChiefIT: I did the RegisterDNS and it still gave me the same problem when I tried to call the file using the machine name.

Since this is an application server, I also get the same error when I call an application from another workstation using the shortcut \\tpfidb\editariff1\bin\editload.exe. I either get file not found or access is denied. I've verified the file location and that this is the proper way to trigger it. And yet...

Keep it coming guys. I need all the help I can get. Needless to say, I'm grateful for the help you are extending to me.
ASKER CERTIFIED SOLUTION
ChiefIT

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
amoray

ChiefIT: It worked!! I don't know how you got to figure that one out especially since the fix was totally unrelated to my application, or so it seemed. Thanks a million!!
ChiefIT

Stick around amoray:

Wizards conjure up things. Geniusess take it one step further.

KCTS is one of the best I have seen at GPOs. There are two options to get this to work through your domain.

1) You can create a GPO to make this a trusted Site for all of your domain computers.
2) Or, you can remove Internet Explorer Enhanced Security on these problematic computers.

KCTS, since you originally had this question, can you provide a GPO that will alow all domain computers as a trusted site? I think it would be  something like //*.domainname. Usually folks credit the answer prior to getting the real fix instead of a workaround.

Please credit KCTS for the fix, if provided.



All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
ssheaf

Thanks for the tips guys, it helped me too.  No problesm with Windows 2003 32 bit, but 64 bit version spat this one at me.
ChiefIT

Well here it is from M$.

What's effected:
http://support.microsoft.com/kb/815141

You have a couple choices:
Choice 1) Go to Add/remove programs and remove Internet Explorer Enhanced Security.
Choice 2) Tells you how to add your intranet sites as a trusted sites. UNC paths can use the *.* (meaning all) for a qualifier.

By IP block: (anything on this subnet is trusted)
\\10.10.10.*

By FQDN: (All on the fully qualified domain)
\\*.Fully.Qualified.domain.name

By netbios name: (All shares are this computer are trusted)
\\Computername

http://windowsitpro.com/article/articleid/78049/jsi-tip-6644-how-can-i-use-group-policy-to-add-a-site-to-the-trusted-sites-zone.html

I hope this helps.