Announcement

Collapse
No announcement yet.

Active Directory Directory Permission issue

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Active Directory Directory Permission issue

    Hi,

    I've installed a win2000 server on desktop level machine. I've a problem with directory permission issue. I've created several users how access the directories according to given permission. There is One directory as ISO which I had given the All modification access to two peoples only. Non from these two peoples shouldn't edit a single file in this directory. All users have only read access to files. But now a day's everyone besides two peoples who having access Read-Only can edit the files and delete the files too. Also permissions cannot applied or work without adding a group "Everyone". Whenever I tried to denied the permission for Everyone group nobody can access the directories. Also I can't remove this group from security options of ISO folder/directory.

    Can anybody help me out with the problem.

    Please please help me...

    Thanks,
    Ashwin.

  • #2
    Re: Active Directory Directory Permission issue

    Your message is a bit unclear, but from what i understand, everyone should have read access and two should have modify rights to them.
    Well that says enough (if we are only talking about NTFS rights).
    Meaning, allow the Domain users group with read access (DO NOT SET DENY RIGHTS).
    Create or use a second group that provides modify rights, add the two users to this group.

    Sharing.
    If this is a share you also have share rights to the directory.
    By default in 2000 the Everyone group has full control. This does not mean that everyone has full control, because the NTFS security settings prevail.

    If you have set NTFS like in my example, everyone would have read accept members of the modify group, who have modify rights.
    [Powershell]
    Start-DayDream
    Set-Location Malibu Beach
    Get-Drink
    Lay-Back
    Start-Sleep
    ....
    Wake-Up!
    Resume-Service
    Write-Warning
    [/Powershell]

    BLOG: Therealshrimp.blogspot.com

    Comment


    • #3
      Re: Active Directory Directory Permission issue

      Originally posted by Killerbe View Post
      Your message is a bit unclear, but from what i understand, everyone should have read access and two should have modify rights to them.
      Well that says enough (if we are only talking about NTFS rights).
      Meaning, allow the Domain users group with read access (DO NOT SET DENY RIGHTS).
      Create or use a second group that provides modify rights, add the two users to this group.

      Sharing.
      If this is a share you also have share rights to the directory.
      By default in 2000 the Everyone group has full control. This does not mean that everyone has full control, because the NTFS security settings prevail.

      If you have set NTFS like in my example, everyone would have read accept members of the modify group, who have modify rights.
      that won't be enough.
      even if he will do what you are saying there is a good chance that everyone (meaning domain users) would have modify access as well based on his scenario he already gave modify permissions only to 2 users but still every one has edit permissions not only those 2 users.
      this means that the modify permissions are comming from a parent directory or even the volume.
      what you should do is goto the volume (e.g. Drive D goto security, remove "everyone"
      add "domain users" with the following permissions "List Folder Contents" and then do what "Killerbe" wrote to do on the ISO Folder.

      Comment


      • #4
        Re: Active Directory Directory Permission issue

        Originally posted by Akila View Post
        that won't be enough.
        even if he will do what you are saying there is a good chance that everyone (meaning domain users) would have modify access as well based on his scenario he already gave modify permissions only to 2 users but still every one has edit permissions not only those 2 users.
        this means that the modify permissions are comming from a parent directory or even the volume.
        what you should do is goto the volume (e.g. Drive D goto security, remove "everyone"
        add "domain users" with the following permissions "List Folder Contents" and then do what "Killerbe" wrote to do on the ISO Folder.
        If rights are propagated from above the NTFS permissions would be grayed out.
        Than he would need to select advanced and deselect "Inherit from parent........"
        [Powershell]
        Start-DayDream
        Set-Location Malibu Beach
        Get-Drink
        Lay-Back
        Start-Sleep
        ....
        Wake-Up!
        Resume-Service
        Write-Warning
        [/Powershell]

        BLOG: Therealshrimp.blogspot.com

        Comment


        • #5
          Re: Active Directory Directory Permission issue

          Originally posted by Killerbe View Post
          If rights are propagated from above the NTFS permissions would be grayed out.
          Than he would need to select advanced and deselect "Inherit from parent........"
          maybe that is where it is coming from.
          it was never mentioned rather there was a Grey Everyone group or not , just the symptoms showed that it is coming from the root folder/volume

          Comment


          • #6
            Re: Active Directory Directory Permission issue

            Yes, I agreed with Akila. The Everyone group already added in the root level, means at the shared drive D:\. But r u saying that to remove Everyone group from root level? I had done this last time before several weeks and every domain user was not able to access the files or directories in network. I don't know how I come to apply the policies without adding Everyone group at directory level. If I remove or denied the read or execute policy at root level for Everyone group then nobody can access the files.

            Please help me with the problem...

            Thanks for prompt replies from all which appreciated always.

            Ashwin.

            Comment


            • #7
              Re: Active Directory Directory Permission issue

              I told you before.

              what you should do is goto the volume (e.g. Drive D goto security, remove "everyone")
              add "domain users" with the following permissions "List Folder on the Contents" on the Volume and then do what "Killerbe" wrote to do on the ISO Folder. (add permissions to folders as you wish)
              every one that is part of domain users would be able to access the folders but only see the files not read them (b/c you added "list folders on the constants) the rest could access the ISO folder depending on your permissions you decide.

              it's not just removing the Everyone, by doing this no one would be able even to brows to the folder.
              what you do is removing everyone , but also adding to all users the ability to browse the folders up to the ISO point.

              Comment


              • #8
                Re: Active Directory Directory Permission issue

                Dear Akila,

                After applying your R&D stuff on AD I'm still not able to do what I want. As per you said I removed the Everyone from root level (D:\) and added the Domain Users and given the special permission for only list the contents of folder. After applying this stuff I'm not able to access the drive. Plz. suggest me what should I've to do now.

                Thanks and sorry for late replying to this thread.

                Ashwin.

                Comment


                • #9
                  Re: Active Directory Directory Permission issue

                  are all of the subfolders of the volume have the "Inherit from parent the permissions entries..." checked?

                  Comment


                  • #10
                    Re: Active Directory Directory Permission issue

                    Hey Akila,

                    I've checked mark the folder and yes It's resolved my problem right now. Thank you a lot. You had done a massive job for me. Now I can see that another user which I won't to see the files of ISO can't read any content of file but he can see the files listed in folder.

                    Thanks once again..

                    Bye n TC.



                    Ashwin.

                    Comment


                    • #11
                      Re: Active Directory Directory Permission issue

                      no problem, happy to assist.

                      Comment


                      • #12
                        Re: Active Directory Directory Permission issue

                        Hi Akila,

                        Sorry but the issue still persisting with an problem. As I've done some stuff again and implemented the AD with full of Data and given the permission to appropriate users as what I need. It's performing well for not to open the file apart from those users which don't have the rights but it's also giving an problem for the user who having the full control access over the folder. As on ISO folder issue only two users having full control access and both are unable to save any files in the ISO folder. I've checked all the things which supposed raising the issue but no luck to resolve it. Please help me in this issue....

                        Thanks.

                        Ashwin.

                        Comment


                        • #13
                          Re: Active Directory Directory Permission issue

                          is there any "Deny" marked on the folder/s hierarchy?
                          please check on the folder and all parent folders up to the volume and check that there is no "Deny" marked to any one (check one by one marking every User/Group that is listed under the Security tab and check that there is no deny marked to any one, if you find one then tell me which one has it ).

                          Comment


                          • #14
                            Re: Active Directory Directory Permission issue

                            Hi Akila,

                            I've all the settings for "Deny" mark but there is no any check mark enabled. All the settings were correct. Please assists me to resolve this problem.

                            Thanks for your prompt reply.

                            Ashwin.

                            Comment


                            • #15
                              Re: Active Directory Directory Permission issue

                              Hey Akila,

                              Also one thing I've noticed that the ISO folder have Read-Only check mark enabled and after I removed the check mark it will be there checked again. I've done several times to remove the check mark but still it showing the check mark enabled and at the user end it showing me an error 'file is read-only and can't save or overwrite'. What I've to do now..??

                              Ashwin.
                              Last edited by ashwin_think; 23rd June 2008, 13:14.

                              Comment

                              Working...
                              X