Guest
Posted: Wed Nov 02, 2005 9:51 am
Post subject: NTFS permissions/deny override bug?

Hi,
I have a Windows 2003 server, and Windows 2003 terminal server with the
following scenario.
I have a folder, with share permissions allowing full access to:
Domain\users
And I want to deny one specific user, so I set up a DENY entry.
I have found this did not work. The above "allow" is inherited, whereas
the DENY was not. The DENY should have overridden, but the user
continued to have access to the folder.
I have found, however, that changing the allow to:
Domain\Domain users
does continue allowing access, but correctly (as far as I
understand) DENYs the user in question access.
What am I doing wrong here, or is this a bug?

Guest
Posted: Wed Nov 02, 2005 9:51 am
Post subject: Re: NTFS permissions/deny override bug?

Allow me to correct the above.
The share permissions are "full" to everyone.
I am using NTFS permissions.

Arek Iskra [MVP]
Guest
Posted: Wed Nov 02, 2005 1:50 pm
Post subject: Re: NTFS permissions/deny override bug?

Did you ask the user to log off/disconnect from the share after you made changes?
--
Arek Iskra
MVP for Windows Server - Software Distribution

Daryl Lufor
Guest
Posted: Wed Nov 02, 2005 9:51 pm
Post subject: Re: NTFS permissions/deny override bug?

Hi, Daryl Lufor from Mauritius.
The following rules should be applied, according to me:
Remove the Everyone group from the share permissions.
On the NTFS permissions, remove every user and group,
then add the Authenticated Users group and assign your full control.
Then add the "user" :( I always recommend the A G DL P strategy, so put the
users in at least a Domain Local group and call the group "Deny access to
folder X", then deny access to that group.
Check if you have subfolders or files that permission inheritance check box
is checked.
Cheers
Daryl (MCT)

Steven L Umbach
Guest
Posted: Thu Nov 03, 2005 9:51 am
Post subject: Re: NTFS permissions/deny override bug?

Double check how the user is authenticating to that share/server. If
persistent alternate credentials are used for a mapped drive, or stored
credentials for XP Pro, the user may not be authenticating as himself. Next
time the user is connected to the share you can use Computer Management/Shared
Folders-Sessions to see what users are connected to the share and from what
computer. If that does not help, use xcacls.vbs to enumerate permissions for
the folder and post results in a reply. Also check the user's "effective"
permissions in the advanced page of security properties for the folder and
compare results to a server where you are not having the problem, and make
sure the user in question is not owner of the folder.
http://support.microsoft.com/?id=825751 --- xcacls.vbs

Guest
Posted: Thu Nov 03, 2005 9:51 am
Post subject: Re: NTFS permissions/deny override bug?

Yep. Rebooted the machine several times, though I don't think this
should matter.
I'm still replicating it on other servers successfully. Create a file
with these permissions:
Domain\Users ALLOW FULL
Domain\Bob DENY FULL
Log on as Bob. You will have full access to everything, despite DENY
supposedly being an override.
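
The checks suggested in this thread (who the session really authenticates as, and who owns the folder), as an added example that is not part of any post: a simplified Python model of how a DACL is walked, using the Domain\Users allow and Domain\Bob deny from the repro above. The `Domain\Alice` and `Domain\Admin` names, the rights bits and the function names are assumptions made for illustration.

```python
# Simplified model of the Windows DACL walk (assumption: follows the documented
# AccessCheck order; inherit-only ACEs, generic rights and privileges are omitted).
from dataclasses import dataclass

READ, WRITE, DELETE, READ_CONTROL, WRITE_DAC = 0x1, 0x2, 0x4, 0x8, 0x10
FULL = READ | WRITE | DELETE | READ_CONTROL | WRITE_DAC

@dataclass(frozen=True)
class Ace:
    kind: str        # "ALLOW" or "DENY"
    trustee: str     # account or group name standing in for a SID
    mask: int
    inherited: bool = False

def canonical(dacl):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "DENY"))

def access_check(token_sids, owner, dacl, desired):
    """Return True if every bit in `desired` is granted to a token holding `token_sids`."""
    remaining = desired
    if owner in token_sids:                 # owner implicitly gets READ_CONTROL and WRITE_DAC
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in dacl:                        # ACEs are evaluated strictly in stored order
        if remaining == 0:
            break
        if ace.trustee not in token_sids:   # an ACE applies only if its SID is in the token
            continue
        if ace.kind == "DENY" and ace.mask & remaining:
            return False
        if ace.kind == "ALLOW":
            remaining &= ~ace.mask
    return remaining == 0

# Constructed sample data matching the thread's repro: inherited allow, explicit deny.
DACL = canonical([
    Ace("ALLOW", r"Domain\Users", FULL, inherited=True),
    Ace("DENY", r"Domain\Bob", FULL),
])
BOB = {r"Domain\Bob", r"Domain\Users"}      # token when Bob authenticates as himself
ALT = {r"Domain\Alice", r"Domain\Users"}    # session opened with stored alternate credentials

if __name__ == "__main__":
    print("Bob as himself, READ:", access_check(BOB, r"Domain\Admin", DACL, READ))
    print("Alternate credentials, READ:", access_check(ALT, r"Domain\Admin", DACL, READ))
    print("Bob as owner, WRITE_DAC:", access_check(BOB, r"Domain\Bob", DACL, WRITE_DAC))
```

In this model the deny blocks Bob only when his own account is in the session token, and an owner keeps the right to rewrite the DACL even under a full deny, which is why the session list and the folder owner are worth checking before treating the result as a bug.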