Permissions Inheritance Issue - 2003 Ent Server.


    3 tier folder setup - This is on a Windows 2003 Ent Server SP1, 2 node cluster.


    Permissions set on the dir "Saved"

    (inherited from drive root)
    Admin > FC
    Everyone > Read
    System > FC

    (additional permissions - all set to This folder, subfolders and files)
    Network Service > Mod
    IUSR_1 > Read and Delete
    IUSR_2 > Read and Delete

    When I look at the permissions on <systemID> (3rd party software creates these as needed, so can't set them manually each time).

    The permissions are still there and inherited, but the IUSR_x special permissions are set to "This folder only", but Network Service is still set correctly.

    When I then look at the directory <UserID>, all the Drive root permissions are set and even the Network Service is set, but the IUSR_x permissions are not even listed !!!

    If I change the IUSR_x permissions to modify, then it all works fine, just when the permissions are special (only read and delete wanted !!!), the book stops at the first subfolder.

    Any ideas? See attachment if none of the above makes sense.


    I'm sure I must be missing something totally obvious, surely this isn't one of Bill's "special features".

  • #2
    This rings a bell. I ran into that once. It's been a couple of years since I did this, so I'm a bit hazy on the details.

    The thing is, the NTFS inheritance is not quite what it seems. If you set an inheritable permission, there is no automatic kernel process that will propagate it down to all files/folders. The setting process needs to do it. Normally this is the Explorer, xcacls, or something like that. Seems that this propagation is not happening now. In other words, it looks like this 3rd party product is to blame.

    You should be able to fix it by removing and adding the top-level permissions. Or kick the app, of course.


    • #3
      Willem is right, but in this case I think the problem is caused by explicit permissions set on the wwwroot folder.
      Explicit denies overwrite the inherited Allows, explicit allows take precedence over inherited ones, etc...

      Take a closer look at the ACL set on G:\inetpub\wwwroot folder.
      Guy Teverovsky
      "Smith & Wesson - the original point and click interface"
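
An added example, not part of the original thread: a PowerShell script that walks from the "Saved" folder down through the two subfolder levels and prints, for each watched account, the ACE's rights, whether it is inherited, and its inheritance and propagation flags, so the level where an entry becomes "This folder only" or disappears is visible. Assumptions: PowerShell is available on the server, the `$Root` value is a placeholder because the thread does not give the full path, and the function and parameter names are illustrative.

```powershell
# Added example: walk Saved -> <systemID> -> <UserID> and list, per folder,
# each watched account's ACE with its inheritance and propagation flags.
param(
    [string]$Root = 'X:\path\to\Saved',   # placeholder; the thread does not give the full path
    [string[]]$Accounts = @('IUSR_1', 'IUSR_2', 'NETWORK SERVICE'),
    [int]$Depth = 2                       # number of subfolder levels below $Root to inspect
)

function Get-AceRow {
    # Build one report row; $Ace is $null when the account has no entry in this ACL.
    param($Path, $Level, $Account, $Ace, $Protected)
    New-Object PSObject -Property @{
        Level = $Level; Path = $Path; Account = $Account; Protected = $Protected
        Rights      = $(if ($Ace) { "$($Ace.AccessControlType): $($Ace.FileSystemRights)" } else { '(no ACE)' })
        IsInherited = $(if ($Ace) { $Ace.IsInherited } else { '' })
        Inheritance = $(if ($Ace) { $Ace.InheritanceFlags } else { '' })
        Propagation = $(if ($Ace) { $Ace.PropagationFlags } else { '' })
    }
}

function Show-Level {
    param([string]$Path, [int]$Level)
    $acl = Get-Acl -Path $Path
    foreach ($account in $Accounts) {
        # Compare on the name after any DOMAIN\ or NT AUTHORITY\ prefix.
        $aces = @($acl.Access | Where-Object { $_.IdentityReference.Value.Split('\')[-1] -eq $account })
        if ($aces.Count -eq 0) {
            Get-AceRow $Path $Level $account $null $acl.AreAccessRulesProtected
        }
        foreach ($ace in $aces) {
            Get-AceRow $Path $Level $account $ace $acl.AreAccessRulesProtected
        }
    }
    if ($Level -lt $Depth) {
        Get-ChildItem -Path $Path | Where-Object { $_.PSIsContainer } |
            ForEach-Object { Show-Level $_.FullName ($Level + 1) }
    }
}

# How to read the flag columns:
#   Inheritance "ContainerInherit, ObjectInherit", Propagation "None" = This folder, subfolders and files
#   Inheritance "None"                                                = This folder only
#   Propagation "NoPropagateInherit"                                  = passed to direct children only
#   Protected = True means the folder blocks inheritance from its parent
Show-Level $Root 0 |
    Select-Object Level, Path, Account, Rights, IsInherited, Inheritance, Propagation, Protected |
    Format-Table -AutoSize
```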