Solved

Trustee Rights fail to restrict access.  How to restore restriction to folders?

Posted on 2011-09-20
Last Modified: 2012-05-12
The shared data on a NetWare 6.5 server has been organized under Departments. Right to access files or folders is based on assigning specific employees trustee rights to certain folders. I returned after a 3-day absence to a report (which I confirmed by tests) that all employees can see all files in all folders. I reassigned trustee rights to either specific groups or individual employees and tested access. An employee without trustee rights to any folders can still see all folders. Will running DSRepair / Advanced Options / Check Volume Objects and Trustees fix the problem? Also, I run a daily backup. But how do I ensure that I have a full backup of data and NDS before running DSRepair?
Question by:IT_Clinton
LVL 19

Expert Comment

by:deroode
ID: 36572059
First, running DSRepair won't harm your system.

You can use a tool like Trustee.nlm to get a list of all the trustees on a volume:

http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5004280.html

Then use the following command to get a list of all your trustees (on VOL1: in this case):

LOAD TRUSTEE /ET SAVE VOL1: VOL1:\Trustee.txt

Trustee.nlm can also be used to scan for excess filesystem rights or excess NDS rights:

LOAD TRUSTEE EXCESSFILE
LOAD TRUSTEE EXCESSNDS

The latter is important if you cannot find the usual suspects on the filesystem (e.g. <public> has RF rights on the root of the volume). If a user has the S (supervisor) right on the eDirectory Volume object then he also has Supervisor access to the volume contents.

Can all users just see all files and folders, or can they also change everything?
0
 
LVL 17

Expert Comment

by:BudDurland
ID: 36896844
If a security principal (user, group, OU, etc.) has been granted rights to the root of the volume, or to some other top-level folder, they will be able to see all the sub-folders and files unless you configure an inherited rights filter, or configure security to explicitly revoke rights. Unlike Windows, generally the best practice in NetWare is to grant access rights as far down the folder tree as possible. No need to configure anything on the parent folders.

Also, if someone has been granted the 'supervisor' right to the server, everything is visible and you will not be able to block it.
0
 

Accepted Solution

by:
IT_Clinton earned 0 total points
ID: 36909919
As I reported, the typical ways to reassign Trustees by either removing or adding rights to files and folders were not working. It was very unusual to view the Trustee rights at the server level for different users and groups showing they had not been deleted, but no folders were restricted. It seemed there was a right from above that all users were inheriting. This same situation on 1 server affected 3 other servers. The tree level rights (a level above in the network structure) were checked. After researching and testing different changes, I found Entry Rights for Root permissions had Supervisor checked and should only have had the Browse right checked (see attached image). The solution was to remove the Supervisor right. Folder views are again restricted by Trustee rights set below on the server level.
FixedViewOfRootPermissionsForExp.bmp
0
 

Author Closing Comment

by:IT_Clinton
ID: 36938126
The Wizard's solution on 10/01/11 gave the basic area to check as being the Root permissions.  I chose my comment as the solution because it provided the specific choice of Browse rather than Supervisor rights in Entry Rights as the solution.  It took quite a bit of time to drill down and find this specific option.  The solution was applied on 09/26/11 and proved to be the permanent fix.
0
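The inheritance behaviour described in BudDurland's comment and in the accepted solution can be reproduced with a small model. This is an added example, not part of the original thread and not Novell's algorithm; the user, group and folder names are constructed, and it assumes every user is security equivalent to the tree-level trustee `[Root]`.

```python
ALL = set("SRWCEMFA")  # NetWare file-system rights letters

def effective_rights(principals, path, trustees, irfs=None, tree_entry=None):
    """Simplified model of effective file-system rights on the last folder in path.
    principals: the user plus everything it is security equivalent to.
    trustees:   {folder: {principal: "RF"}} explicit trustee assignments.
    irfs:       {folder: "RF"} inherited rights filters (default passes all).
    tree_entry: {principal: "SB"} eDirectory entry rights that the volume
                object inherits from the tree root (assumption of this model)."""
    irfs, tree_entry = irfs or {}, tree_entry or {}
    # Supervisor entry right reaching the volume object => full access below it.
    if any("S" in tree_entry.get(p, "") for p in principals):
        return set(ALL)
    total = set()
    for p in principals:
        rights = set()
        for depth in range(1, len(path) + 1):
            folder = "\\".join(path[:depth])
            if "S" in rights:
                break  # file-system Supervisor cannot be filtered or revoked below
            rights &= set(irfs.get(folder, ALL))          # filter what flows down
            explicit = trustees.get(folder, {}).get(p)
            if explicit is not None:
                rights = set(explicit)                    # explicit replaces inherited
        total |= ALL if "S" in rights else rights
    return total

# Constructed sample data: department folders with group trustees.
TRUSTEES = {"VOL1:\\DEPTS\\HR": {"HR_Group": "RWCEMF"},
            "VOL1:\\DEPTS\\SALES": {"Sales_Group": "RWCEMF"}}
HR = ["VOL1:", "DEPTS", "HR"]
SALES_USER = ["jdoe", "Sales_Group", "[Root]"]

def demo():
    # Before the fix: Supervisor entry right at the tree root overrides everything.
    broken = effective_rights(SALES_USER, HR, TRUSTEES, tree_entry={"[Root]": "SB"})
    # After the fix: Browse only, so folder trustee assignments decide again.
    fixed = effective_rights(SALES_USER, HR, TRUSTEES, tree_entry={"[Root]": "B"})
    # The "usual suspect": [Public] with RF on the volume root, then an IRF on HR.
    leaky = {**TRUSTEES, "VOL1:": {"[Public]": "RF"}}
    who = SALES_USER + ["[Public]"]
    public = effective_rights(who, HR, leaky)
    filtered = effective_rights(who, HR, leaky, irfs={"VOL1:\\DEPTS\\HR": ""})
    return broken, fixed, public, filtered
```
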
