
W2K Security 3

Aug 2, 2001
Because of a problem a user had saving info on an Excel spreadsheet yesterday, I had to go on a hunt to truly understand the W2K security issues and where the security rights come from. I use johnsong for testing security issues.

1) Create folder on Server ITEST
2) Create Group ITEST in Active Directory.
3) Place in group Administrator and dummy account johnsong
4) johnsong is only a domain user and has Read Only rights in ITEST Group in Active Directory.
5) Place test.txt document in folder ITEST using gjohnson who is a member of admin.
6) In the folder for ITEST, give the Share Permissions for the ITEST group Change and Read.
7) In the folder for ITEST, give the Security = Modify, Read & Execute, List Folder Contents, Read and Write.
8) johnsong accesses the test.txt and adds a line to it. Tries to save it and is told he can't.
9) gjohnson accesses the test.txt and adds a line to it. Saves it with no problem, (Expected, he's a member of admin.)
10) In the Share permissions, change ITEST Group to Full Control, Change and Read.
11) johnsong accesses the test.txt and adds a line to it. SAVE WORKS!!!!!!!!
12) Remove full control from Share Properties on Folder ITEST, gives full control to Group ITEST.
13) johnsong accesses the test.txt and adds a line to it. SAVE WORKS!!!!!!!!


This means the Share properties on the folders are equal to the permissions given in Active Directory Groups. If I give full control to a group or member under the Share properties of a folder, they will have just that, no matter what security is set in Active Directory. So I would never give Full Control to any folder in the share except to admin. If a person has problems accessing it, I would address it in AD or Security, not the Share tab. Am I wrong in this? Thanks.

Glen A. Johnson
Microsoft Certified Professional
glen.johnson@insightbb.com
"Work consists of whatever a body is obliged to do.
Play consists of whatever a body is not obliged to do."
Mark Twain (1835-1910); US writer.
 
Test results from ITEST test.
Group ITEST
Members
Admin = Full Control
johnsong = read only
gjohnson = full control
glen = nothing, not even read

Security tab of ITEST folder WASN'T changed at all.

Security tab ITEST
Administrators = Full Control
ITEST Group = Everything except Full Control

Sign on as johnsong, could read but not write.
Sign on as gjohnson, could read and write.
Sign on as glen, could read. (Probably because he's a member of the ITEST group.)
Sign on as GAJ, received access denied whenever he clicked on the ITEST folder. Wasn't even given the option to open, immediately received the access denied message.

ALL security was set up in the groups only. Again, did not change the security options on the folder at all. What I don't understand about the difference of opinions here, if we set up security using groups in NT, why would it be different in W2K? Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com
"Work consists of whatever a body is obliged to do.
Play consists of whatever a body is not obliged to do."
Mark Twain (1835-1910); US writer.
 
Test results from ITEST test.
Group ITEST
Members
Admin = Full Control
johnsong = read only
gjohnson = full control
glen = nothing, not even read

Security tab of ITEST folder WASN'T changed at all.

Security tab ITEST
Administrators = Full Control
ITEST Group = Everything except Full Control

Sign on as johnsong, could read but not write.
Sign on as gjohnson, could read and write.
Sign on as glen, could read. (Probably because he's a member of the ITEST group.)
Sign on as GAJ, received access denied whenever he clicked on the ITEST folder. Wasn't even given the option to open, immediately received the access denied message.

ALL security was set up in the groups only. Again, did not change the security options on the folder at all. What I don't understand about the difference of opinions here, if we set up security using groups in NT, why would it be different in W2K? Has anybody tried to do this and prove me right or wrong? W2K is new, gang, I doubt anybody is a real pro at it. We're going to have to try and help teach each other. Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com
"Work consists of whatever a body is obliged to do.
Play consists of whatever a body is not obliged to do."
Mark Twain (1835-1910); US writer.
 
Sorry for asking but where did you set security by users? I mean Admin = Full Control, johnsong=read only...
 
That was in the Active Directory/Group = ITEST group. Did not change anything on the security tab of the ITEST folder, only changed the security settings in the group. Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com
"Work consists of whatever a body is obliged to do.
Play consists of whatever a body is not obliged to do."
Mark Twain (1835-1910); US writer.
 
OK, first off I need to correct my mis-statement several posts back about permissions. When there are conflicting permissions on a directory/file, it's actually the least restrictive that wins. For example, say I am a member of Domain Admins which has Full Control on a directory. Then I insert my username into the permission set separately with just Read rights. The Full Control will win. That said, Glen, I have to say that either you're not explaining exactly what you're doing, or something is escaping your eye as far as what your permissioning is on these folders. Did you try what I suggested earlier as a test....?
 
I'm truly sorry if this isn't clear. I right click on the folder, and on the security tab, I give ITEST ALL the rights except Full Control. In Active Directory, I select the user I want to set security for, and give them the rights I want them to have there. If I tell Active Directory to give this user read only rights, and the user tries to save something in that folder, they get an error message that says they have read only rights. If I don't even make a person a member of the group, they can't even see what's in the folder. If I give a member read/write permission in AD, when they access the folder they can do just that. Read the folder's contents, and change files that are in the folder. I'm not trying to be funny, I just truly want to understand. What isn't clear? Try it yourself. (I don't remember what test you are talking about.) Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com
"Work consists of whatever a body is obliged to do.
Play consists of whatever a body is not obliged to do."
Mark Twain (1835-1910); US writer.
 
"In Active Directory, I select the user I want to set security for, and give them the rights I want them to have there. If I tell Active Directory to give this user read only rights"

Where?
 
Sorry, it's in Active Directory, I select the group, and from within the group I select the user I want to set security for, and give them the rights I want them to have there. If I tell Active Directory to give this user read only rights.
Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com
"Work consists of whatever a body is obliged to do.
Play consists of whatever a body is not obliged to do."
Mark Twain (1835-1910); US writer.
 
I'm sorry but I don't see any place to set a right to a user in a group in AD, the only thing you can do in a group is add users.

You're confusing me.
 
Once a group is created, you right click on the group and the tab on the far right says security. It's in there. Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com
"Work consists of whatever a body is obliged to do.
Play consists of whatever a body is not obliged to do."
Mark Twain (1835-1910); US writer.
 
Forgot, when you right click the group, select properties. The last tab there is what I meant. I've got a user problem I'm trying to deal with at the same time here, bear with me. Thanks. Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com
"Work consists of whatever a body is obliged to do.
Play consists of whatever a body is not obliged to do."
Mark Twain (1835-1910); US writer.
 
I've just figured it out... you have to have Advanced Setting checked to see the Security tab...!!!&&&???

[bigsmile]
here we go!!!
 
I don't know where that's at even, it's just always worked for me. I had a person helping me that may have checked that. Where did you find advanced settings check? Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com
"Work consists of whatever a body is obliged to do.
Play consists of whatever a body is not obliged to do."
Mark Twain (1835-1910); US writer.
 
I agree... where is this Advanced Settings check box? I have seen it before, and even set it on a job I did last year, installing Exchange, AD Integrated, but have since forgotten. I just had a quick look, and can't remember where it is... I also remember searching for ages when I used it last!! :)
So... where is it?

Will
 
AD Users and Computers - View - Advanced Features. It also activates some hidden containers like the Lost and Found.

Anyway, I never gave any permissions directly to groups or users, always by folder... maybe going to do some tests.

 
I'm not sure, but I think that the rights you're giving at AD level are just for the AD object itself. Unless someone tells me I'm wrong, the permissions you give there don't have an effect on folder permissions. The AD rights tell the object who can modify this object.

?
 
The gentleman that taught the W2K Pro and Server classes that I took worked on one of the teams that wrote the W2K system. I sent him an e-mail asking him what his opinion is. The following is his response. This makes perfect sense, except in my case, I work for such a small company with only one domain, and I'm the only person in IT that understands W2K, (Boss is old Novell person, I have to keep this setup simple), the method I'm using still makes the most sense for me. Looks like we were all correct. Here's his response.



The mantra from Microsoft is:
1) Put users into global groups (create one in each domain from which you need to add users and place the users from each domain in the global group you created for their domain).
2) Create a domain local group in the domain where access to a particular resource is needed.
3) Add the global group (or groups) to the domain local group in the domain where the resources are located.
Assign permissions one time only to the domain local group. You will go nuts trying to set permissions for individual users if you ever get into a situation where some group (obviously at some other company) has 60,000 members. Lots easier to set permissions once for the domain local group!
Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com
"Work consists of whatever a body is obliged to do.
Play consists of whatever a body is not obliged to do."
Mark Twain (1835-1910); US writer.
 
A G DL P, that's what he's talking about and that's what I'm trying to say here. You give only permissions to folders and not to users (or groups). AGDLP is what Ms recommends and that's the easiest way to achieve users and group management. That's why, like Brontosaurus said earlier, you have to create more than one group of users. On folder ITEST, Group A has Full Control, Group B has Read, that's it.

[smile]
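An added example (not code from the thread) modelling the two points made in the last few posts: NTFS allow entries accumulate across a user's groups so the least restrictive entry wins, access through a share is the intersection of share and NTFS permissions, and under AGDLP only the domain local group appears in the folder's ACL. All group names, accounts and the reduced permission levels are constructed; deny entries are not modelled.

```python
# Added example, not from the thread: a small model of how Windows 2000 resolves
# effective access to a shared folder (documented behaviour, simplified):
#  * NTFS allow entries are cumulative across the user's nested groups, so the
#    least restrictive entry wins; through a share, access is share AND NTFS.
#  * AGDLP: accounts -> global group -> domain local group -> folder ACL.
# Deny entries are not modelled. All names and rights below are constructed.

LEVELS = {  # permission levels reduced to a few concrete rights (simplified)
    "Read": {"read"},
    "Modify": {"read", "write", "delete"},                      # NTFS Modify
    "Full Control": {"read", "write", "delete", "change_perms"},
}

def principals_for(user, members):
    """User plus every group reached through nested membership (A -> G -> DL)."""
    seen, todo = set(), [user]
    while todo:
        p = todo.pop()
        if p not in seen:
            seen.add(p)
            todo.extend(g for g, ms in members.items() if p in ms)
    return seen

def allowed_rights(user, members, acl):
    """Union of rights from every ACE naming the user or one of their groups."""
    rights = set()
    for principal in principals_for(user, members):
        for level in acl.get(principal, ()):
            rights |= LEVELS[level]
    return rights

def effective_access(user, members, ntfs_acl, share_acl=None):
    """NTFS rights alone for local logon; share AND NTFS when reached via a share."""
    ntfs = allowed_rights(user, members, ntfs_acl)
    return ntfs if share_acl is None else ntfs & allowed_rights(user, members, share_acl)

# Constructed AGDLP layout: group name -> direct members of that group.
MEMBERS = {
    "G-ITEST-Editors": {"gjohnson", "johnsong"},   # global group holding accounts
    "DL-ITEST-Modify": {"G-ITEST-Editors"},        # domain local group holding the global group
    "Domain Admins": {"gjohnson"},
}
NTFS_ITEST = {"DL-ITEST-Modify": ["Modify"], "Domain Admins": ["Full Control"],
              "gjohnson": ["Read"]}                # a named Read entry does not limit gjohnson
SHARE_ITEST = {"DL-ITEST-Modify": ["Read"]}        # share itself limited to Read

if __name__ == "__main__":
    for u in ("gjohnson", "johnsong", "glen"):
        print(u, sorted(effective_access(u, MEMBERS, NTFS_ITEST)),
              sorted(effective_access(u, MEMBERS, NTFS_ITEST, SHARE_ITEST)))
```

Run locally, gjohnson keeps Full Control despite the separate Read entry, johnsong gets Modify through the nested groups, and through the Read-only share both are reduced to read.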
 
I understand now what everybody has been talking about, but like I told the gent from MS, the majority of our groups have under 6 members. The whole reason I started this thread was because we're migrating from Novell 4.0 to W2K domain, and my boss, (An old Novell person who knows nothing about W2K and doesn't care to learn) is having me set up these groups so that they look and act like the old server so as not to confuse the users, (And himself, I suspect.) I have a grand total of 250 users, and most of them are members of only 2 to 3 groups. The way I'm doing the security isn't really wrong, it's just that I have no need, and never will, to do it the way MS suggests. Guess we were all right. (Gent from MS agrees with me in my case, we're just too small to worry about it). Thanks everybody, it's been a real blast. Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com
"Work consists of whatever a body is obliged to do.
Play consists of whatever a body is not obliged to do."
Mark Twain (1835-1910); US writer.
 
I'd like to thank Niavlys for stepping in. I was beginning to think the Alzheimer's arrived a bit early...:).
 