ACL Permissions
John Pugh
Guest
Posted: Wed Dec 15, 2004 4:45 pm    Post subject: ACL Permissions

Hi,

I am having a problem that I thought some of you might be able to help with,

The problem is that we have created a directory on a 2k3 standard box that
can only be accessed using a set username and password (used for accessing
web stats over the internet). I have done this many times before without a
hitch but on one of our boxes it doesn't want to work at all!

I have given the SYSTEM full control, Administrators full control and
stats-viewer (the user who needs access) read and read & execute. This is
the standard setup I have on all our boxes. I have also tried recreating all
the permissions the wwwroot directory has and putting it in the wwwroot
directory to no avail.

With the IUSR user in place it works, allowing anonymous access, therefore
IIS is pointing to the right place and serving up the pages so that is
working, but when IUSR access is taken away it throws back a "HTTP Error
401.3 - Unauthorized: Access is denied due to an ACL set on the requested
resource." error when trying to login as stats-viewer. I have tried using
Integrated and basic authentication, changing the user, changing the
directory, creating a new web site in IIS, using Authdiag (which doesn't
seem to shed light on the problem) all without success.

Can anyone help, it's doing my head in!!!

Many thanks,

John Pugh

Andra
Guest
Posted: Wed Dec 15, 2004 8:35 pm    Post subject: Re: ACL Permissions

Policies? Especially concerning the way the password is sent over the
network.

John Pugh
Guest
Posted: Wed Dec 15, 2004 10:05 pm    Post subject: Re: ACL Permissions

Thanks for the reply. I have compared the permissions between the two boxes
(one that works and this one) and I can see very few differences, none in
sections that I think might affect this problem. Is there anything specific
that I should be looking for?



Steven L Umbach
Guest
Posted: Thu Dec 16, 2004 5:13 am    Post subject: Re: ACL Permissions

Enable auditing on logon events for success and failure and privilege use
and object access for failure [probably only temporarily]. Enable auditing on
that folder for that user. Then look in the security logs and Event Viewer
in general for any possible helpful messages. I would also look in Local
Security Policy on each computer and look for any differences under local
policies for security options or user rights. Any differences found between
the two boxes could be suspect. Also check any deny permissions to the
folder which your user could be affected by through group membership. If this
is a domain computer, run the netdiag support tool on it looking for any
pertinent errors. -- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;301640 -- needs
object access enabled first.

John Pugh
Guest
Posted: Thu Dec 16, 2004 4:39 pm    Post subject: Re: ACL Permissions

Hi Steve & Everyone else,

I have looked through the local policy and everything seems the same between
the boxes. I set up auditing, but again I get no failures and the box that is
not working produces the same results as the others, yet it still won't let
me view the web pages, grrr.

If it was an office computer I would be reinstalling Windows at this point!
But as it is in a data centre 100 miles away, that's not an option. By the
way, it is a standalone server and not part of a domain.

Thanks for all your help, any more suggestions?

John


Steven L Umbach
Guest
Posted: Thu Dec 16, 2004 10:49 pm    Post subject: Re: ACL Permissions

Hmm. I can't think of much else other than also checking the special
permissions for that folder in security/advanced to make sure that there is
no group with deny permissions and also viewing the "effective permissions"
tab for your user. Another thing to try is to temporarily add that user to the
local administrators group or use the built-in administrator account as the
access account temporarily to see if that works. If that does work then there
is a lack of permission or privilege for the regular user account. If it
does not work something else weird is going on. Check the group membership
of the user accounts that you are using to make sure that they are at least
members of the local users group. --- Steve


John Pugh
Guest
Posted: Mon Dec 20, 2004 5:02 pm    Post subject: Re: ACL Permissions

It works as an Administrator, but not as a User even though the user in
question is in the right groups. Is there any way to see what permissions
each of the groups get, so that I can see what the difference is between the
working boxes and this one?

Cheers

John

Steven L Umbach
Guest
Posted: Tue Dec 21, 2004 2:09 am    Post subject: Re: ACL Permissions

You can use the free tool Dumpsec from Somarsoft or the Resource Kit tool
showacl to see permissions to a folder or folders. Try adding the user that
is denied access normally to the local administrators group to see what
happens. If that works then I tend to think the user is lacking a user
right. If it does not work then I think the user is a member of a group that
has deny permissions applied somewhere along the line. To check user rights,
open Local Security Policy [secpol.msc] and look for any user right where
both administrators and IUSR user are included but the user or group that
the user is a member of is not. Also keep in mind that any "deny" user right
will override the same allow user right so take a close look at any deny user
rights. Verify the user group membership with the "net user username"
command [using real user name of course]. --- Steve

http://www.somarsoft.com/ --- Dumpsec.
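
Added example (not part of the original thread, and not any poster's own code): the user-rights comparison described in the post above, done offline in Python over the [Privilege Rights] section that "secedit /export /cfg rights.inf /areas USER_RIGHTS" writes on each box. The two exports, the IUSR machine names and the differences between the boxes are constructed for illustration, and the helper names are hypothetical.

```python
# Constructed samples of secedit user-rights exports (real exports are UTF-16
# files, so read them with open(path, encoding="utf-16")).
# *S-1-5-32-544 is the local Administrators group, *S-1-5-32-545 is Users.
WORKING_BOX = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,IUSR_WEB01
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,IUSR_WEB01
SeChangeNotifyPrivilege = *S-1-5-32-544,*S-1-5-32-545,IUSR_WEB01
[Version]
signature="$CHICAGO$"
"""

FAILING_BOX = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,IUSR_WEB02
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,IUSR_WEB02
SeChangeNotifyPrivilege = *S-1-5-32-544,*S-1-5-32-545,IUSR_WEB02
SeDenyInteractiveLogonRight = stats-viewer
[Version]
signature="$CHICAGO$"
"""

# Everything the restricted account's token carries: the account itself plus
# its groups (from "net user stats-viewer"). Assumption: it is only in Users.
USER = {"stats-viewer", "s-1-5-32-545"}
# The principals that are known to work: Administrators and the IUSR account.
REFERENCE = {"s-1-5-32-544", "iusr"}


def parse_rights(inf_text):
    """Return {right name: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        members = set()
        for item in value.split(","):
            principal = item.strip().lstrip("*").lower()
            # Assumption: IUSR_<machine> differs per box, so compare it as "iusr".
            if principal.startswith("iusr_"):
                principal = "iusr"
            if principal:
                members.add(principal)
        rights[name.strip()] = members
    return rights


def missing_rights(rights, user, reference):
    """Allow rights held by every reference principal but by none of the user's."""
    return sorted(name for name, members in rights.items()
                  if not name.startswith("SeDeny")
                  and reference <= members and not (user & members))


def deny_hits(rights, user):
    """Deny rights that name the user or one of the user's groups."""
    return sorted(name for name, members in rights.items()
                  if name.startswith("SeDeny") and user & members)


def diff_boxes(good, bad):
    """Per right: (principals only on the working box, only on the failing box)."""
    out = {}
    for name in sorted(set(good) | set(bad)):
        g, b = good.get(name, set()), bad.get(name, set())
        if g != b:
            out[name] = (sorted(g - b), sorted(b - g))
    return out


if __name__ == "__main__":
    good, bad = parse_rights(WORKING_BOX), parse_rights(FAILING_BOX)
    print("missing on failing box:", missing_rights(bad, USER, REFERENCE))
    print("deny rights hitting user:", deny_hits(bad, USER))
    print("differences:", diff_boxes(good, bad))
```

Add any other groups the account's token carries (for example Everyone, *S-1-1-0) to USER before trusting a "missing" result.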
