• Directory permissions

    #383240

    I have a puzzling situation with directory permissions on Win 2000 server (Domain server). File system is NTFS.

    I have created a directory, call it PrivateStuff. This directory contains subdirectories called SubDir1, SubDir2.. It is intended that only one user has access to each SubDir (apart from administrators).

    Members of the Administrator group have complete rights to all directories – set explicitly.
    Inherited rights are not selected for the parent and child directories.
    Everyone has rights to look at but not modify the parent Dir (PrivateStuff).
    Directory SubDir1 has UserA with full rights.
    Directory SubDir2 has UserB with full rights.

    To make it clearer when I look at the security settings of directory SubDir1 there is one group (Administrators) and one user (UserA) in the list of who has / has not got permissions. No user or group has permission specifically removed – they just aren’t in the list.

    My problem. I log onto a workstation as UserA and I can go into the directory SubDir2, view contents, open files… Likewise UserB has access into directory SubDir1. That is definitely not what I want.

    I have then created a group – Company_All and each user (UserA, UserB..) is a member of this group. This group does not belong to any other groups on the system.

    Now on each SubDir I explicitly add the group Company_All and explicitly remove all permissions I am left with the situation that no-one, not even the explicitly declared UserA can get into SubDir1. Again not what I want.

    What appears to be even worse is that the user logged onto the workstation can modify the rights of the directories. Workstations are running Windows XP Pro, the users are logged on to the domain and on the local system as MainUser (German – Hauptbenutzer). This is not an administrator account locally but one that they can modify some settings.

    Reading the help files I can’t see what is wrong with my assignment of permissions.
    Do I need to activate some setting concerning rights on the local machine?
    For the security to function must I transfer ownership of the SubDirs to the individual users? Currently they are owned by the administrator.
    It looks like my group permissions take priority to the user permissions when in conflict, is that the correct behaviour?

    • #652888

      Andy,
      If you have the Guest account active that is probably why UserB can see SubDir1. Try assigning the Everyone group to SubDir1 with no rights and also assign UserA with the rights you desire. Do the same for SubDir2 and UserB. Unless you need it, disable the Guest account.

      Joe

      --Joe

      • #652966

        Thanks Joe,

        Guest account is disabled (and was already).

        I explicitly remove the rights for the group everyone for the SubDir1. The group administrators has full rights. The user UserA has full rights.

        I am logged on as administrator onto the server at this point, select the Directory SubDir1 in the explorer and I get a message something like permission refused. (It’s the German version, that’s why I say something like).
        On the client I get similar behaviour in that UserA can’t even get at the directory now.

        This is really bugging me – I feel that something basic is very wrong but I don’t know what.

        Would it help attaching some screen snapshots? If so what would be of most use.

        Andy.

      • #653198

        I’ve found the problem. Each user was a member of a Domain User group. This group had been assigned as a member of the Administrator group! so that each user was actually getting administrator rights albeit indirectly.

        • #653203

          Andy, Terrific. Isn’t security wonderful?

          Joe

          --Joe

          • #653534

            Yeah. Sometimes I wonder if computers are a blessing or a curse. They can certainly make life hell at times.

    • #653529

      > Now on each SubDir I explicitly add the group Company_All and explicitly remove all permissions I am left with the
      > situation that no-one, not even the explicitly declared UserA can get into SubDir1. Again not what I want.

      NT/2000 follows the rule of greatest restriction: if a user has privileges + no privileges, the latter trumps the former. Too bad, because in many cases it would be pretty convenient to be able to do the above.

      • #653536

        I agree. Logically it would be nice to have a group with one set of permissions and an individual within that group with different permissions for restricting access to that individual. I also realise that whichever way it is resolved some administrator somewhere is not going to be happy.

        With the rule of greatest restriction I must have missed that in the help file sections on security. Thanks for the tip.
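
Added example, not part of the original thread: a simplified Python model of the access check that reproduces both effects discussed above, the indirect Administrators membership found in #653198 and the deny-over-allow rule from #653529. The group name "Domain Users", the account name "Administrator" and the ACL lists are constructed for illustration, and the thread's "explicitly remove all permissions" is assumed to mean a Deny entry.

```python
# Simplified model of an NTFS access check (added example, not Windows code).
# Assumptions: a single right, ACEs in canonical order (deny before allow),
# and "explicitly remove all permissions" modelled as a Deny entry.

def token_sids(user, member_of):
    """Expand direct group memberships transitively, as a logon token does."""
    sids, stack = {user, "Everyone"}, [user]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in sids:
                sids.add(group)
                stack.append(group)
    return sids

def access_check(user, acl, member_of):
    """Return (granted, deciding_trustee); acl is a list of (kind, trustee)."""
    sids = token_sids(user, member_of)
    for kind in ("deny", "allow"):  # every Deny ACE is checked before any Allow
        for ace_kind, trustee in acl:
            if ace_kind == kind and trustee in sids:
                return kind == "allow", trustee
    return False, None  # no matching entry: access is implicitly refused

# Constructed from the thread: the users' domain group nested in Administrators.
MISCONFIGURED = {
    "UserA": ["Domain Users", "Company_All"],
    "UserB": ["Domain Users", "Company_All"],
    "Domain Users": ["Administrators"],
    "Administrator": ["Administrators"],
}
FIXED = {**MISCONFIGURED, "Domain Users": []}  # nesting removed

SUBDIR1 = [("allow", "Administrators"), ("allow", "UserA")]
SUBDIR1_DENY_GROUP = [("deny", "Company_All")] + SUBDIR1
SUBDIR1_DENY_EVERYONE = [("deny", "Everyone")] + SUBDIR1

if __name__ == "__main__":
    cases = [
        ("UserB", SUBDIR1, MISCONFIGURED),           # allowed via nested group
        ("UserB", SUBDIR1, FIXED),                   # refused once nesting is gone
        ("UserA", SUBDIR1_DENY_GROUP, FIXED),        # deny on group beats user allow
        ("Administrator", SUBDIR1_DENY_EVERYONE, FIXED),  # deny locks out admins too
    ]
    for user, acl, groups in cases:
        print(user, access_check(user, acl, groups))
```

The second element of each result names the entry that decided the outcome, which is the quickest way to spot an unexpected group in the path.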
