Solved

Trustee Rights fail to restrict access.  How to restore restriction to folders?

Posted on 2011-09-20
4
596 Views
Last Modified: 2012-05-12
The shared data on a Netware 6.5 server has been organized under Departments.  Right to access files or folders is based on assigning specific employees  trustee rights to certain folders.  I returned after a 3 day absence to a report (which I confirmed by tests) that all employees can see all files in all folders.  I reassigned trustee rights to either specific groups or individual employees and tested access.  An employee without trustee rights to any folders can still see all folders.  Will running DSRepair / Advanced Options / Check Volume Objects and Trustees fix the problem?  Also, I run a daily backup.  But how do I ensure that I have a full backup of data and NDS before running DS Repair?
0
Comment
Question by:IT_Clinton
  • 2
4 Comments
 
LVL 19

Expert Comment

by:deroode
ID: 36572059
First, Running DSrepair won't harm your system.

You can use a tool like Trustee.nlm to get a list of all the trustees on a volume:

http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5004280.html

Then use the following command to get a list of all your trustees (on VOL1: in this case)

LOAD TRUSTEE /ET SAVE VOL1: VOL1:\Trustee.txt

Trustee.nlm can also be used to scan for excess filesystem rights or excess NDS rights:

LOAD TRUSTEE EXCESSFILE
LOAD TRUSTEE EXCESSNDS

The latter is important if you cannot find the usual suspects on the filesystem (e.g. <public> has RF rights on the root of the volume). If a user has the S (supervisor) right on the eDirectory Volume object then he also has Supervisor access to the volume contents.

Can all users just see all files and folders, or can they also change everything?
0
 
LVL 17

Expert Comment

by:BudDurland
ID: 36896844
If a security principal (user, group, OU, etc) has been granted right to root of the volume, or to some other top-level folder, they will be able to see all the sub-folders and files unless you configure an inherited right filter, or configure security to explicitly revoke rights.  Unlike windows, generally the best practice in NetWare is to grant access rights as far down the folder tree as possible.  No need to configure anything on the parent folders.

Also, if someone has been granted the 'supervisor' right to the server, everything is visible and you will not be able to block it.
0
 

Accepted Solution

by:
IT_Clinton earned 0 total points
ID: 36909919
As I reported, the typical ways to reassign Trustees in either removing or adding rights to files and folders was not working.  Very unusual to view the  Trustee rights at the server level for different users and groups showing they had not been deleted but no folders were restricted.  It seemed there was a right from above that all users were inheriting.  This same situation on 1 server  affected 3 other servers.  The tree level rights ( a level above in the network structure) were checked.  After researching and testing different changes, found Entry Rights for Root permissions had Supervisor checked and should only have had the Browse right checked (see attached image).  The solution was to remove the Supervisor right.  Folder views are again restricted by Trustee rights set below on the server level.
FixedViewOfRootPermissionsForExp.bmp
0
 

Author Closing Comment

by:IT_Clinton
ID: 36938126
The Wizard's solution on 10/01/11 gave the basic area to check as being the Root permissions.  I chose my comment as the solution because it provided the specific choice of Browse rather than Supervisor rights in Entry Rights as the solution.  It took quite a bit of time to drill down and find this specific option.  The solution was applied on 09/26/11 and proved to be the permanent fix.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

In  today’s increasingly digital world, managed service providers (MSPs) fight for their customers’ attention, looking for ways to make them stay and purchase more services. One way to encourage that behavior is to develop a dependable brand of prod…
Is your company's data protection keeping pace with virtualization? Here are 7 dynamic ways to adapt to rapid breakthroughs in technology.
This video discusses moving either the default database or any database to a new volume.
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now