Solved

Windows Server 2003 - Files not inheriting permissions properly.

Posted on 2008-10-27
13
1,101 Views
Last Modified: 2012-05-05
I have a folder which I've given FULL EVERYTHING access to the IUSR account.

When I copy a new EXE into that folder, the IUSR account shows that it has read/write/execute/modify -- but the FULL radio button is not checked.

Also, IUSR clearly does not have full access to the newly-copied EXE file because IUSR cannot even run the EXE file.

To fix this, I have to click the "Full" button under security on the EXE for the IUSR (internet guest account).



Why wasn't this inherited from the parent folder?

Why is it showing that IUSR has read/write/execute/modify on the EXE, but it can't even execute the file?


I suspect windows has some special "behavior" for the IUSR account. Any thoughts on how I can combat this? I want to be able to copy the EXE into that folder knowing that it will gain the permissions of the parent folder.

Thanks.
0
Comment
Question by:hamlin11
  • 6
  • 6
13 Comments
 
LVL 4

Assisted Solution

by:Syncromind
Syncromind earned 480 total points
ID: 22818824
I really dont know so much about the IUSR account, but you might first go to properties of the folder, security tab, advanced, and uncheck the "inherit permissions...." from parent folder, when warning appears, select "copy".

After that check the last checkbox, that enables propagation of security setting on child objects and containters and apply.

If that doesnt solves,please tell me and I will search a little more info for you.

Hope it helps.
0
 
LVL 4

Assisted Solution

by:majidhajali
majidhajali earned 20 total points
ID: 22819329
check the owner of the file. maybe your administrator user account isn't the owner of the file and so you can't change permissions properly.
0
 

Author Comment

by:hamlin11
ID: 22834487
Syncromind,

This didn't work. I still get the same behavior. I suspect that there are some global "deny" privileges set for the IUSR account that get automatically propagated to the file. And to the best of my knowledge, a global deny will trump a parent "allow".

Any ideas?
0
 
LVL 4

Expert Comment

by:Syncromind
ID: 22834556
can you print screen the security tab of that folder , the advanced security tab and the owner tab information?
0
 

Author Comment

by:hamlin11
ID: 22835147
sync, please see attachment descriptions for each screen shot

ee1.png
ee2.png
ee3.png
ee4.png
ee5.png
ee6.png
ee7.png
ee8.png
0
 
LVL 4

Assisted Solution

by:Syncromind
Syncromind earned 480 total points
ID: 22835282
Ok, now we are fine. With that screnshots, you can see that IUSR have full controll. It is a normal behaviour that Full control, and the "replace permission entries on child objects" doesnt stay checked on. That is normal.

What I can say is that ISUR account (respecting to ntfs permissions) have a valid rights assignment.

So you should begin to look in otherside the reason of your problem. What kind of ee file is that? Is that a frameworks.net builded exe file?
With some intermediate languajes, you need speciall permissinos defined in DCOM components configuration, because windows wont allow to execture the intermediate lenguaje from  network unless you specify it on the frameworks control.

Besides it, what errorare you having when you try to execute the file from the iusr account?
You might have execute permissions, and .exe added on MIME types on IIS server to allow you execute that kind of files.

0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 

Author Comment

by:hamlin11
ID: 22835610
Sync,

The EXE is a .NET framework 3.5 file generated by VB 2008 compiler.

I do not get an error report anywhere -- not in the windows log files or in the PHP error log. I am using php's exec() or shell_exec() to execute the app. The behavior of that function is to return nothing if the application fails to start.

I'm not familiar enough wither either DCOM or MIME types on IIS Server to successfully implement what you suggested in your last two paragraphs.

Can you be a little more specific for me? Thanks
0
 
LVL 4

Assisted Solution

by:Syncromind
Syncromind earned 480 total points
ID: 22835759
try the following:
put that exe file on a network shared folder, and try to execute that exe file from network.
You might have a error, because frameworks doesnt allows that.
I can help you to find hot to run .net exe files from network, but it will be a little more difficult, and I have to search more info for it and I am at work at this moment.
try that to see if that is the error, is that is the case, I suggest you begin a new question, where more skilled people in .net frameworks network policies, would help you.

Hope it helps!!!
0
 

Author Comment

by:hamlin11
ID: 22835966
I would try that but I cannot, because it is a dedicated web server at some misc. point in the world (i have no idea where).

Do you have any other ideas?
0
 
LVL 4

Assisted Solution

by:Syncromind
Syncromind earned 480 total points
ID: 22836130
But how do you access the server? if you have remote desktop connection, or vpn connection with administrative prvileges, you should connect via vpn an write:
\\serverinternalip\sharename  in a browser and you will access.

Anyway, as I told you, i really suggest you to post a thread in programming, to deploy the programm execution using the .net frameworks configuration utility. I really dont remember exactly how to do that, and i am not sure what kind of changes has .net 3.5 regarding this issue.

0
 

Author Comment

by:hamlin11
ID: 22836369
I connect view remote desktop. How do I do what you're saying via remote desktop?

Thanks
0
 
LVL 4

Accepted Solution

by:
Syncromind earned 480 total points
ID: 22837079
How you connect to the ermote desktop.?

If you dont dial a vpn connection to make remote desktop, you cannot try the last suggestiion.
If that is the case, please try posting a comment on programming section, asking about how to execute a .net frameworks 3.5 file from an web application using IUSR account.
Sorry, but I dont know so hard of programming, elseway I would help you more.
0
 

Author Closing Comment

by:hamlin11
ID: 31510588
Thanks for the try
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn about cloud computing and its benefits for small business owners.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now