Newbie User Security Problem

resoremix

Programmer
Apr 14, 2002
44
GB
Any help with this would be very much appreciated.

Win 2000 Adv Server with a single domain structure and Win 2000 Professional / XP Pro clients.

I have installed a client application on the Pro/XP machines that requires access to folders (read and write) on a volume which I have shared on the server which is a domain controller.

When I start the client app using a standard Domain User account I get an error stating that certain files within the folders cannot be read. When I fire up the app using an account with administrative privileges it works fine.

Clearly this is a case of needing to provide the basic account with more privileges (which I have achieved by simply making the account a 'Member Of Administrators' but this is obviously not satisfactory) but this is not my area of expertise and I can't seem to crack it.

I have delved into group policies etc but need someone to point me in the right direction. In short, how can I give the basic user access to the shared folders without taking the overkill route of making him an administrator?

Thanks in advance.

 
You have probably done this already, but I just thought you might have forgotten about it.

1. Create a security group.
2. Add all users who will be using this app to the security group.
3. Grant the security group Modify permission on the folder.

 
Thanks ricky but I tried that.

Even went as far as giving the security group 'Full Control' but it still won't let me access the folder.

I have tried browsing to the folder using its UNC path in Explorer and again this only works with an administrative user account. The domain user account results in the incorrect user name / password prompt and asks for a different login.

What else am I missing? I am sure that this is just me rather than some horrible corrupt file / reinstall everything type mess ;-)
 
Also

When doing a test scenario of creating a folder with a simple text file in it and attempting to read it from a client, a network drive can be mapped and modifying user specific permissions produces the expected results in terms of read write etc.

However, when I create a new security group the client inherits permissions from it without even being added! In other words my security group New Group has an empty Members tab yet adding it to the Security tab of a folder gives my standard users whatever rights are set for New Group.

I am sure there is no inheritance taking place on the folder so why is my standard user account affected by New Group's folder permissions?

Any good links to how the Sharing & Security tabs interact might be useful as I think I've exhausted MSDN and support@MS...

Thanks

 
You have mentioned working with the Security tab on the folder. Have you checked the share permissions, by going through the Sharing tab and clicking on the Permissions button? Is there anything other than Everyone Full Access there? Win2k will always apply the most restrictive security rights on a share.
 
Thanks for replying wbg

Yes I checked the folder Share tab permissions and they are on the default 'Everyone Full Access'

I figured that the strategy should be to leave the sharing permissions on this default and only use the Security tab's permissions to add the required users and their permissions.

Is this correct?

Can folders and files be accessed from network clients who are not administrators without folders being explicitly shared?

Thanks
 
Yes, that is the way it should be done if using NTFS, because NTFS permissions are more complete. On the Security tab, have you checked out what is listed in the advanced security (click on Advanced)?
 
I have to agree with wbg34, it is something in the advanced properties on a folder. This is a process of elimination, but it gets the job done. In the newly installed application folder, go to each folder and be sure that the inherit permissions from parent folder box is checked... if you find one that isn't checked then that is probably the culprit. I don't recommend checking this box unless you can't figure out what else I'm fixing to tell you.

Once you find that check box unchecked compare the NTFS permissions with the parent folder just to find out what NTFS are given to parent folder and not this newly "found" folder. Give the security users group read and write on this folder.

You might be able to eliminate the process faster if you can find out what file is being accessed by the application. Then do a search for it, and it is probably the parent folder of this file that is the culprit.


Good luck, let me know how this goes....
 
Thanks guys

I still can't get there though even after spending ages checking all of the permissions as you describe. To summarise again and attempt to clarify, the two problems are:

Problem 1
1) Unless I make a standard user a member of the Administrators group, they get the following error message when attempting to launch Zetafax:

Cannot read from file: \\MyServer\D$\Program~1\SYSTEM\Z-DB\USER.INI

This is in spite of giving them Full Control over the relevant folders and ensuring that the permission is propagated.

Could it be because the folder resides on a Domain Controller that holds the global catalogue? The fact that making the user an administrator resolves the problem must be a clue but I don't want to do this for obvious security reasons.

Problem 2
This is not directly related to problem 1, as explicitly adding the relevant user to the above folders does not cure problem 1...
If I create a security group, add a user to it and then assign the group to a folder's security tab it refuses to work. Removing the group and adding the same user explicitly works. Any ideas why?


Thanks a lot for any suggestions.
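
The interaction between the Sharing and Security tabs discussed in this thread, as an added sketch that is not part of any poster's reply: over the network a right must be granted by both the share ACL and the NTFS ACL, and the UNC path in the error above goes through D$, an administrative share. The user, group and share names are hypothetical, and the admins-only ACL for D$ and the "any deny wins" rule are simplifying assumptions of the model.

```python
# Added illustration (not from the thread): simplified share + NTFS access check.
READ = frozenset({"read"})
MODIFY = frozenset({"read", "write", "delete"})
FULL = MODIFY | {"change_permissions"}

def token(user, *groups):
    """Principals a logon carries; Everyone is always included."""
    return frozenset({user, "Everyone", *groups})

def acl_grant(acl, tok):
    """Rights one ACL gives a token. Simplification: any matching deny wins."""
    allowed, denied = frozenset(), frozenset()
    for principal, kind, rights in acl:
        if principal in tok:
            if kind == "deny":
                denied |= rights
            else:
                allowed |= rights
    return allowed - denied

def effective(share_acl, ntfs_acl, tok):
    """Over the network a right must be granted by BOTH ACLs (most restrictive wins)."""
    return acl_grant(share_acl, tok) & acl_grant(ntfs_acl, tok)

# Constructed scenario. ZetafaxUsers, jsmith and the ZFAX share are hypothetical names.
NTFS_ZDB = [("Administrators", "allow", FULL), ("ZetafaxUsers", "allow", FULL)]
SHARE_D_ADMIN = [("Administrators", "allow", FULL)]   # D$ modelled as admins only
SHARE_ZFAX = [("Everyone", "allow", FULL)]            # ordinary share, default ACL
SHARE_ZFAX_RO = [("Everyone", "allow", READ)]         # same share, tightened to read

def scenario():
    """Same NTFS ACL every time; only the share used to reach the folder changes."""
    user = token("jsmith", "Domain Users", "ZetafaxUsers")
    admin = token("jsmith", "Domain Users", "ZetafaxUsers", "Administrators")
    return {
        "user  via D$": effective(SHARE_D_ADMIN, NTFS_ZDB, user),
        "admin via D$": effective(SHARE_D_ADMIN, NTFS_ZDB, admin),
        "user  via ZFAX": effective(SHARE_ZFAX, NTFS_ZDB, user),
        "user  via ZFAX (RO)": effective(SHARE_ZFAX_RO, NTFS_ZDB, user),
    }

if __name__ == "__main__":
    for path, rights in scenario().items():
        print(f"{path:20} -> {sorted(rights) or 'ACCESS DENIED'}")
```

In the model, NTFS Full Control for the group changes nothing when the folder is reached through D$; the same token gets full access through an ordinary share with the default Everyone permission.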
 
It may be a program that requires admin privileges :( My workaround for this probably isn't the best, but it works for me with my family and friends. Create a user named something like "apps" then add it to the admin group. Just don't tell your users that this is an admin. Create a shortcut on the user's desktop to the program that runs with different user credentials (right-click the shortcut, then check the box that says run as different user on the General tab). Give out the "apps" user/admin to the users in your company that need access to the program. I won't give it to all my users unless they all have to use the application.

I know this isn't the best way to do things but I really don't know how to make an application that needs admin privileges work with regular users :(

You might even try denying the "apps" user log on locally to your other computers. This way you have a little security in there :)

Good luck, let me know how it goes
 
Not sure if you tried this or not but I was having similar problems with my server. I found a site that suggested using the following command to add domain users to the local power user status:

net localgroup "Power Users" "Domain Users" /add

This took care of my problem.


Hope this helps.

Rick
 