Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Trustee Rights fail to restrict access.  How to restore restriction to folders?

Posted on 2011-09-20
4
Medium Priority
?
633 Views
Last Modified: 2012-05-12
The shared data on a Netware 6.5 server has been organized under Departments.  Right to access files or folders is based on assigning specific employees  trustee rights to certain folders.  I returned after a 3 day absence to a report (which I confirmed by tests) that all employees can see all files in all folders.  I reassigned trustee rights to either specific groups or individual employees and tested access.  An employee without trustee rights to any folders can still see all folders.  Will running DSRepair / Advanced Options / Check Volume Objects and Trustees fix the problem?  Also, I run a daily backup.  But how do I ensure that I have a full backup of data and NDS before running DS Repair?
0
Comment
Question by:IT_Clinton
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 19

Expert Comment

by:deroode
ID: 36572059
First, Running DSrepair won't harm your system.

You can use a tool like Trustee.nlm to get a list of all the trustees on a volume:

http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5004280.html

Then use the following command to get a list of all your trustees (on VOL1: in this case)

LOAD TRUSTEE /ET SAVE VOL1: VOL1:\Trustee.txt

Trustee.nlm can also be used to scan for excess filesystem rights or excess NDS rights:

LOAD TRUSTEE EXCESSFILE
LOAD TRUSTEE EXCESSNDS

The latter is important if you cannot find the usual suspects on the filesystem (e.g. <public> has RF rights on the root of the volume). If a user has the S (supervisor) right on the eDirectory Volume object then he also has Supervisor access to the volume contents.

Can all users just see all files and folders, or can they also change everything?
0
 
LVL 17

Expert Comment

by:BudDurland
ID: 36896844
If a security principal (user, group, OU, etc) has been granted right to root of the volume, or to some other top-level folder, they will be able to see all the sub-folders and files unless you configure an inherited right filter, or configure security to explicitly revoke rights.  Unlike windows, generally the best practice in NetWare is to grant access rights as far down the folder tree as possible.  No need to configure anything on the parent folders.

Also, if someone has been granted the 'supervisor' right to the server, everything is visible and you will not be able to block it.
0
 

Accepted Solution

by:
IT_Clinton earned 0 total points
ID: 36909919
As I reported, the typical ways to reassign Trustees in either removing or adding rights to files and folders was not working.  Very unusual to view the  Trustee rights at the server level for different users and groups showing they had not been deleted but no folders were restricted.  It seemed there was a right from above that all users were inheriting.  This same situation on 1 server  affected 3 other servers.  The tree level rights ( a level above in the network structure) were checked.  After researching and testing different changes, found Entry Rights for Root permissions had Supervisor checked and should only have had the Browse right checked (see attached image).  The solution was to remove the Supervisor right.  Folder views are again restricted by Trustee rights set below on the server level.
FixedViewOfRootPermissionsForExp.bmp
0
 

Author Closing Comment

by:IT_Clinton
ID: 36938126
The Wizard's solution on 10/01/11 gave the basic area to check as being the Root permissions.  I chose my comment as the solution because it provided the specific choice of Browse rather than Supervisor rights in Entry Rights as the solution.  It took quite a bit of time to drill down and find this specific option.  The solution was applied on 09/26/11 and proved to be the permanent fix.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here in this article, you will get a step by step guidance on how to restore an Exchange database to a recovery database. Get a brief on Recovery Database and how it can be used to restore Exchange database in this section!
Let's take a look into the basics of ransomware—how it spreads, how it can hurt us, and why a disaster recovery plan is important.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
Suggested Courses

597 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question