RLAInc
asked on
Share permissions on shared db: Everyone group full control
I am not finding a work around to this issue. Any network device connected to the same network as our ACT server (XP Pro OS) has full read/write access to all data in our shared db. Sage supports position on this security issue is that if they don't have ACT installed on their workstation, then they can't do anything w/ these files. Anybody that manages a network knows that this isn't an acceptable solution.
So, is there a way to use a group other than the Everyone group for the Full Control share permission to our shared DB?
So, is there a way to use a group other than the Everyone group for the Full Control share permission to our shared DB?
ASKER
That is correct. ACT users do need full control. How ACT does this is by giving the group Everyone full control on the share permission. I cannot use any other group other than Everyone. I want to use a custom group which has all of my ACT users in it as the full control share.
What happens when you try to use a custom group?
ASKER
The below dialog box occurs:
"Cannot find database supplemental files folder (our database) files in this location (our ACT server). This could be a problem with the share, or the folder may not exist. Please contact the administrator of your database."
Note that the "shared" act database folder can be accessed via explorer and does have full read/write privileges to all data of the shared folder.
When the share permissions are changed to use the "Everyone" group, this error goes away.
"Cannot find database supplemental files folder (our database) files in this location (our ACT server). This could be a problem with the share, or the folder may not exist. Please contact the administrator of your database."
Note that the "shared" act database folder can be accessed via explorer and does have full read/write privileges to all data of the shared folder.
When the share permissions are changed to use the "Everyone" group, this error goes away.
You should have full-control, not just read/write - http://tinyurl.com/5fzsbx
Are you on a Domain or a Workgroup?
If on a Domain, is the database on the DC?
Are you on a Domain or a Workgroup?
If on a Domain, is the database on the DC?
ASKER
- Domain, not workgorup.
- ACT server is not on a DC. Its an XP Pro workstation.
- I have seen the link. It states the below which is making me think there's no way around this issue w/out getting into the SQL db:
"It is recommended the user named Everyone have Full Control permissions to the shared folder. In some cases, it is necessary to add the specific names of the remote users to this Share Permissions list, to ensure that each domain user has Full Control of the shared folder."
- ACT server is not on a DC. Its an XP Pro workstation.
- I have seen the link. It states the below which is making me think there's no way around this issue w/out getting into the SQL db:
"It is recommended the user named Everyone have Full Control permissions to the shared folder. In some cases, it is necessary to add the specific names of the remote users to this Share Permissions list, to ensure that each domain user has Full Control of the shared folder."
There are two sets of rights. There is a set of rights on the folder and there is a set of rights on the share. I think need to be set so that the group has access.
Failing that try adding the individual users and see if that works
Failing that try adding the individual users and see if that works
ASKER
I have tried that already. No worky :>(
Note: Setting it for individual users is not desired. I have a single point of managment setup style w/ permissions (heavy use of groups).
Note: Setting it for individual users is not desired. I have a single point of managment setup style w/ permissions (heavy use of groups).
Can you try it for some individual users as a test?
What folder is the database actually in?
What folder is the database actually in?
ASKER
For grins, I tried it using a user. No joy.
The folder resides on the ACT server itself (XP workstation).
The folder resides on the ACT server itself (XP workstation).
But what Path... if it's in My Docs, there can be issues like this.
If that's where it is, create a folder c:\ACT\Databases and use Backup, Restore, Restore As to move the database
Open the PAD file in Notepad and post the contents
If that's where it is, create a folder c:\ACT\Databases and use Backup, Restore, Restore As to move the database
Open the PAD file in Notepad and post the contents
ASKER
It is not in My Documents. It's on a separate partition in its own folder.
I'll have to get back to you on the .pad contents. I am currently moving the server (it's a VM) to some beefier hardware to increase performance.
Note: If you want to know if the sharing is enabled by seeing that there is a HOST entry, it is. This was one of the trouble shooting tips that was given by Sage. I was hoping that this is where the group information is stored. It's not.
I'll have to get back to you on the .pad contents. I am currently moving the server (it's a VM) to some beefier hardware to increase performance.
Note: If you want to know if the sharing is enabled by seeing that there is a HOST entry, it is. This was one of the trouble shooting tips that was given by Sage. I was hoping that this is where the group information is stored. It's not.
I was thinking about changing the machine name in the PAD to the IP address.
With the share and folder security just one user, do it allow the user access logged in locally?
How about an Admin user (explicitly added) from a workstation?
How about Everyone in the folder security and only the needed users in the Share (and also in the folder with Everyone)?
With the share and folder security just one user, do it allow the user access logged in locally?
How about an Admin user (explicitly added) from a workstation?
How about Everyone in the folder security and only the needed users in the Share (and also in the folder with Everyone)?
ASKER
- Good thinking on the IP. I tried that as well before posting. No joy.
- As for differnet share / security permission alternate configurations, I've tried all of what you suggested (and then some). Any configuration other than Everyone: Full Control on the share permission is no joy.
Am I the only one that has a problem w/ this? Does it make sense to not use the Everyone group?
- As for differnet share / security permission alternate configurations, I've tried all of what you suggested (and then some). Any configuration other than Everyone: Full Control on the share permission is no joy.
Am I the only one that has a problem w/ this? Does it make sense to not use the Everyone group?
Can you try one other:
Everyone and a domain admin as security on the folder
Just domain admin on the share
Log in as domain admin
You didn't say if it has the problem when logging in locally on the server?
Everyone and a domain admin as security on the folder
Just domain admin on the share
Log in as domain admin
You didn't say if it has the problem when logging in locally on the server?
ASKER
Not following on the logging on locally suggestion. It's local. It doesn't need to use the share. It access it directly from the folder on the partition (D:\ACT_DB).
I have to wait on the admin try (still copying the VM).
I have to wait on the admin try (still copying the VM).
Locally only uses the Folder permissions, not the Share... allows to see which is the issue
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I don't think so, Steve. Those services use the Local System account and have access to everything on the local machine
ASKER
My apologies for this being open for so long. I still have this as an open issue for us although its not a top priority. GLComputing, you've been the most help on this question. If you are comfortable leaving this open, let me know. Otherwise I'll just award you the points and close this question.
Fine by me, I guess.
What's the current status?
What's the current status?
The ACT! users need full-control of the ACT! database folder, not the Everyone group