Solved

Problem with Netware 6.5 Access Rights

Posted on 2008-10-09
19
852 Views
Last Modified: 2010-04-21
Our company is running Netware 6.5 on a small, single-server network with 10 users.

One of our staff reported the other day that files in a directory to which she has always had read-only access were now offering her the option of opening them read-write (they are MS Excel files which have the 'read-only recommended' option enabled). On checking I found that the same thing was happening with another colleague in the office.

In both cases, their access to this directory is via group membership rather than individual user rights. I checked via ConsoleOne, and the rights of the relevant group to the folder in question were correctly set to read and file scan only.

I exited ConsoleOne without having changed anything. The colleague subsequently reported that, after logging out of and back into Netware, her access rights had reverted to read-only. However the next morning when she logged into the network it was back to read-write.

What makes all this really weird is that a third member of staff in the office, who has the same group memberships as the the other two, has had just read-only access to these files throughout.

I've gone through the access rights for every user and group, and can't find anything untoward. What could be causing this?
0
Comment
Question by:rodomahony
  • 7
  • 7
  • 5
19 Comments
 
LVL 8

Expert Comment

by:Ghost96
Comment Utility
Well, what are her Effective rights?  I don't care about group membership or OU rights, etc.  All I want to see are her Effective Rights.  Look them over - if all she has is R and FS, then she is fine.

And what do you mean by offering her the option?  Excel databases and Access databases hold their own security that should also be looked over, as it's a different set of rights and credentials that can be used.
0
 

Author Comment

by:rodomahony
Comment Utility
The effective rights are (or say they are) as I said - Read and File Scan only. However she is nevertheless
able to open the files read-write. She gets these rights not through her user ID, but through one of the groups of which she is a member.
 
What I meant about the Excel files 'offering her the option' is that one of the Save options for MS Excel is 'Read-only recommended'. If this is enabled (which it is on these files) AND if the user has read-write access to the files, then opening one of them brings up a dialogue box asking the user to confirm if they want to open the file read-write - without this our user would probably not have noticed the change in her access rights. If the user has only read-only access, then the file should open read-only regardless of the settings in Excel.
0
 
LVL 8

Expert Comment

by:Ghost96
Comment Utility
The effective rights are (or say they are) as I said - Read and File Scan only. However she is nevertheless able to open the files read-write. She gets these rights not through her user ID, but through one of the groups of which she is a member.

Well I'm not going to nitpick, but no, you never said anything about "Effective Rights".  I saw you discussing group rights and the like.  Not the same thing.  Effective rights look at everything in a cumulative value, and not things on an individual object level, like container or group rights do.


0
 

Author Comment

by:rodomahony
Comment Utility
Well, the effective rights are (so they say) Read / File scan only, and the user is nevertheless able to open the files read-write.
0
 
LVL 8

Expert Comment

by:Ghost96
Comment Utility
Where are you checking the ER's from?
0
 
LVL 8

Expert Comment

by:Ghost96
Comment Utility
Also are you looking at ER's for the file/folder or both?
0
 

Author Comment

by:rodomahony
Comment Utility
Right-click on the relevant directory on the user's PC in Windows Explorer.
Select 'Inherited Rights and Filters'. The only trustee object is the group through which this user has access to the directory.
Right-click on the trustee and select 'Current Effective Rights'. Only Read and File Scan are checked.
0
 

Author Comment

by:rodomahony
Comment Utility
I was checking at folder level (as above) but if I go to one of the files and select Properties / Netware Rights then it's the same - only Read and File Scan are listed under Effective Rights. Despite this, I can open the file read-write.
0
 
LVL 8

Expert Comment

by:Ghost96
Comment Utility
Can you do it from ConsoleOne just to be sure.  Windows Explorer's interface with the "plugins" is something I don't use because it lies from time to time.
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 

Author Comment

by:rodomahony
Comment Utility
It's the same from within ConsoleOne. Effective rights for both the folder and the files within it for this user show as Read & File Scan only.
0
 
LVL 8

Expert Comment

by:Ghost96
Comment Utility
I'd do this then.  On the server where the user is housed,
Run DSREPAIR | ADVANCED OPTIONS | CHECK VOLUME OBJECTS AND TRUSTEES

Tell us if it reports any errors.  Then test the account out again.
0
 
LVL 2

Expert Comment

by:JManicki
Comment Utility
It doesn't sound like you're providing all the necessary information here...

"...only Read and File Scan are listed under Effective Rights. Despite this, I can open the file read-write."


I'm guessing that you're talking about Excel itself opening the file in read-write mode?  If so, the next logical piece of information required would be "Can they actually SAVE changes to the file in the folder where NetWare shows them only having R FS access?"

If they can actually save it, you've got a problem with NetWare. If they CAN'T save the changes (like they shouldn't be able to with only R FS rights), then it's a problem with Excel not interpreting the file rights properly.
0
 
LVL 8

Expert Comment

by:Ghost96
Comment Utility
The bottom line is that with all of the information provided on the ER's being R and FS only, the rights are correct.

The ONLY thing that I have ever seen cause this issue that is Netware-related is the updating of the rights link with the user object itself. That's why I said to run the dsrepair. If everything comes back correctly and you are still having a problem, it isn't netware-related. Feel free to chime in and prove me wrong. And before you do it, put a file in the folder in question and prove to me that you can delete it/modify it, etc., with those effective rights the same way you can do it with the excel spreadsheet.
0
 

Author Comment

by:rodomahony
Comment Utility
I guess I should have tried saving the file before! I should have known better than to assume a file is read-write just because Windows / Excel says it is.

Although the file appears to open in read-write mode, if I try to save it I get the message "Cannot create backup file. Save [file] without backup?' If I select OK to this, it then says it can't find the path to save it.

So, as you both obviously guessed all along, the problem seems to be one of Excel's interpretation of the file rights. I'm not sure where I go with that, however, as it's a problem of Excel in conjunction with Netware, so if I posted it in an Excel section of EE they'd probably tell me to come back here. Given that the users can't in practice make any changes to the files it's obviously not a serious issue, but I'd still like to clear it up if possible.

The other thing I should have realised before is that both users who have been affected by this have recently been given new workstations. The Netware client version on these is 4.91 SP3, whereas the other user with similar access rights who isn't affected has an older machine with the original 4.91 client. Could there be something which has changed in the default client properties of SP3 which might have a bearing on it?

The DSREPAIR came back without any errors, by the way.
0
 
LVL 2

Expert Comment

by:JManicki
Comment Utility
It's possible that Workbook Sharing may have gotten enabled somehow on the Excel file or that the settings of the file got corrupted and it thinks it's supposed to be shared.

I'd try logging in as someone with RWCEMF rights to that file/folder and make a backup copy of the file.  Next check the workbook sharing options.  If they are on, simply turn them off and save the file.  If they are not on, I'd turn them on, save the file, close Excel, open the file again and turn off workbook sharing.

If all that fails, you can copy the data from the wonky file and paste it into a brand new file.  Any configuration options should not follow if you're only copying and pasting just the data.

Then again, it may be a problem in the user's Excel installation.  Remember the "Three 'Rs' of Microsoft"... Retry, Reboot, Reinstall!  Uninstall Office, clear out all the files and folders left behind - if any, clear out any orphaned registry entries, reboot then reinstall Office.


0
 
LVL 2

Accepted Solution

by:
JManicki earned 250 total points
Comment Utility
Ah, I didn't see that comment about Novell Client differences.

How are you installing Novell Client?  I'd really recommend you use the ACU.exe utility and an UNNATTEND.TXT file for all your configuration options.  Is the Client Configuration the same on all machines?  From what you said, I would be willing to bet that "File Caching" (also known as "Opportunistic Locking" in the Windows world) is enabled (default setting) on the workstations with the newer client.

What this does is create a local copy of a file loaded from the network and then directs any IO requests to the local copy until you close it when it writes the file back to the network location.  If Excel is interacting the locally cached copy through the Novell Client, it is highly likely that Excel actually DOES have RWCEMF rights to the locally cached copy so it is asking to open it in Read/Write mode.  When Excel tries to save the file to the network, it no longer has RWCEMF rights to the network location and gives an error if you try to save the file.

Check the Novell Client options.  Right click the big red "N" icon in the icon tray near the clock, pick "Novell Client Properties" then click ont he "Advanced Settings" tab.  Scroll down until you see "File Caching" and see if that's on or not.

I would highly recommend turning off "File Caching" (both of them, there's a "File Caching on exclusively opened files" option as well) for all your workstations.  It works great in some situations but in others it can have some unforseen side effects that make problems really hard to troubleshoot.

While you're in that section of the options, I'd make sure that "File Commit" is turned ON.
0
 
LVL 2

Expert Comment

by:JManicki
Comment Utility
I think it was Novell Client SP2 that made changes to the File Caching and OpLocks.

I forgot that you can set your oplock and file caching options on your server instead.

SET LEVEL 2 OPLOCKS ENABLED=OFF
SET CLIENT FILE CACHING ENABLED=OFF

Level 2 Oplocks is for sharing files on the server that are already opened read/write by another user.  First user that accesses it gets Read/Write ability, any users thereafter get only Read ability.

Client File Caching is the same option as in the Novell Client but the server overrides whatever the client setting is.  There's no Client option to turn of level 2 OpLocks.

There are some tech notes that turning off OpLocks and File Caching can hamper performance but I've had these off for years and have never had any troubles.  Maybe if you have some HUGE spreadsheets or something but I've never noticed it on a 100 Mb network and some of my users have 1Gb MS Access database files on the network that they access just fine.

0
 
LVL 2

Expert Comment

by:JManicki
Comment Utility
I just thought of something else...

If it is the File Caching causing the problem, one simple solution may be to just enable the "Read Only" attribute on the files on the server.  

If the actual Read-Only file attribute on the network file is NOT enabled (rather than inheriting the Read Only setting from the file/folder rights), then when the Novell Client caches the file locally, the local file might not have the Read-Only attribute set.  If that's the case, Excel would see the file as being writable and prompt the user.  

If the read-only file attribute is set on the network file, then it's likely that the locally cached copy will also have the Read-Only attribute set and then when Excel opens the file, it sees it as Read-Only and will not prompt the user.

See, with all these possibilities, maybe it did turn out to be a NetWare issue after all!
0
 

Author Closing Comment

by:rodomahony
Comment Utility
Hi JMnaicki,

Many thanks for your various suggestions. I checked the File Caching option on the client properties first, and that seems to have fixed it for both the affected users.
We've got a couple of other users with the 4.91 SP3 client as well, but they have full read-write access anyway so this issue was never noticed with them.
I'll probably also change the setting at server level as you suggest, to avoid having to remember every time I install a new client!
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Learn to move / copy / export exchange contacts to iPhone without using any software. Also see the issues in configuration of exchange with iPhone to migrate contacts.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now