Trustee Rights fail to restrict access. How to restore restriction to folders?

The shared data on a Netware 6.5 server has been organized under Departments.  Right to access files or folders is based on assigning specific employees  trustee rights to certain folders.  I returned after a 3 day absence to a report (which I confirmed by tests) that all employees can see all files in all folders.  I reassigned trustee rights to either specific groups or individual employees and tested access.  An employee without trustee rights to any folders can still see all folders.  Will running DSRepair / Advanced Options / Check Volume Objects and Trustees fix the problem?  Also, I run a daily backup.  But how do I ensure that I have a full backup of data and NDS before running DS Repair?
IT_ClintonAsked:
Who is Participating?
 
IT_ClintonAuthor Commented:
As I reported, the typical ways to reassign Trustees in either removing or adding rights to files and folders was not working.  Very unusual to view the  Trustee rights at the server level for different users and groups showing they had not been deleted but no folders were restricted.  It seemed there was a right from above that all users were inheriting.  This same situation on 1 server  affected 3 other servers.  The tree level rights ( a level above in the network structure) were checked.  After researching and testing different changes, found Entry Rights for Root permissions had Supervisor checked and should only have had the Browse right checked (see attached image).  The solution was to remove the Supervisor right.  Folder views are again restricted by Trustee rights set below on the server level.
FixedViewOfRootPermissionsForExp.bmp
0
 
deroodeSystems AdministratorCommented:
First, Running DSrepair won't harm your system.

You can use a tool like Trustee.nlm to get a list of all the trustees on a volume:

http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5004280.html

Then use the following command to get a list of all your trustees (on VOL1: in this case)

LOAD TRUSTEE /ET SAVE VOL1: VOL1:\Trustee.txt

Trustee.nlm can also be used to scan for excess filesystem rights or excess NDS rights:

LOAD TRUSTEE EXCESSFILE
LOAD TRUSTEE EXCESSNDS

The latter is important if you cannot find the usual suspects on the filesystem (e.g. <public> has RF rights on the root of the volume). If a user has the S (supervisor) right on the eDirectory Volume object then he also has Supervisor access to the volume contents.

Can all users just see all files and folders, or can they also change everything?
0
 
BudDurlandCommented:
If a security principal (user, group, OU, etc) has been granted right to root of the volume, or to some other top-level folder, they will be able to see all the sub-folders and files unless you configure an inherited right filter, or configure security to explicitly revoke rights.  Unlike windows, generally the best practice in NetWare is to grant access rights as far down the folder tree as possible.  No need to configure anything on the parent folders.

Also, if someone has been granted the 'supervisor' right to the server, everything is visible and you will not be able to block it.
0
 
IT_ClintonAuthor Commented:
The Wizard's solution on 10/01/11 gave the basic area to check as being the Root permissions.  I chose my comment as the solution because it provided the specific choice of Browse rather than Supervisor rights in Entry Rights as the solution.  It took quite a bit of time to drill down and find this specific option.  The solution was applied on 09/26/11 and proved to be the permanent fix.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.