Permission Denied 1

[Mighty]

Guys,

I have a problem - obviously seeing as I am posting a question here. I have set up a company intranet. As part of this intranet, our Sales Team has a database where they can record all communications with potential customers. What they would like to be able to do is take a copy of this database and any associated files with them when they go to visit a client.

I have written an ASP program which first prompts them for the name of the company whose data they want. Once this has been supplied, the program then makes a copy of the database on the server, deletes all records in the copy that don't relate to the selected customer. This is where the problem begins. I then want to copy that database to a shared drive on the users PC using the UNC path. So my code has the following:

fso.CopyFile "C:\SalesLeads.mdb", "\\" & Request.ServerVariables("REMOTE_ADDR&quot & "\SalesLeads\SalesLeadsRO.mdb", True

However, I get a permission denied error. I have set up the shared directory giving everybody full access to the directory. Has anyone got any ideas?? Mise Le Meas,

Mighty

 

[link9]

Mighty,

I had this same problem. The best I could figure out was that fso just can't do anything with a UNC path.

My workaround was to create another shared directory on the same machine where the script runs, so that you don't have to use UNC to refer to it with FSO, and then map that drive on the users' PCs. They can then go and grab the file, just as if it were on their own PC. They still have to copy it to the proper directory on their own pc. You might must write a little vb module that could handle that for them if you're worried about their where-with-all to handle this task.

Basically, you're creating another network drive, and then giving users access to that drive on their PC to grab the database, and put it where it belongs on their pc.

Optimal? No. But it was the best I could come up with.

hope that helps.

paul

 

[Mighty]

When I'm developing stiff, I usually write it and test it on my own machine before putting it on the live server. The code works fine when I run it locally (

http://localhost).

It will delete, copy and create files all using the UNC path. It just so happens that the PC is my own. However, when I try to run the same code from another machine, that's when I get the problems.

I suppose if there is no other way around it then I will try and so something similar to what you did. Is there any way that I can create a link on the web page to a client side VBScript program that they can run to copy over the files from the mapped server drive. Mise Le Meas,

Mighty

 

[link9]

YES! I remember that now. It's all coming back to me. This was nearly two years ago I had this issue. I developed everything on my machine, and it worked perfectly. Then, when I moved it to the server, it had no idea where to find the folder in question unless it was on its own physical storage. Like I said, though, I never got it resolved, and wound up moving the site to the server where the files needed to be created, and just calling it fixed.

That won't work in your case, though, since you're copying files to user machines.

As far as client side vbScript... I just couldn't provide any useful info on that, since I never use it.

Now when you say you set up a shared directory, giving everybody full permissions, do you mean you set up shared directories on everyone's machines, and "Everyone" has full permissions on every one of those, and you're getting "permission denied"?

Actually, this is sounding more like a twist on my problem, rather than the same problem. Sounds like you're able to find the path in question, but then get kicked due to permissions.

Could you clarify a little about what I've asked?

ps. don't you just love permissions? ;-)

 

[Mighty]

Paul,

Permissions are just brilliant. I have tried testing this on two other machines. I set up a folder on a pc and shared it giving "Everyone" full access and tried to run the asp program and got a permission denied error. I then added IUSR_MYSERVER to the permissions list for the directory and gave it full access. But I still get a permission denied error. It won't let me delete from or copy to the remote users shared directory using the UNC path.

Does this give you any other ideas?? Mise Le Meas,

Mighty

 

[Mighty]

Paul,

I just tried a couple of other things. The share name of the clients directory was more than 7 characters and I thought that it might have been causing a problem so I changed it but with no success. Also, I created a mapped drive on the server pointing to the clients PC and tried to copy something into it but also got a permission denied error even though "Everyone" had full access to that drive.

I'm still baffled. Mise Le Meas,

Mighty

 

[link9]

heading out for a sec. just sent this to our network guy.

in the meantime, try adding "Network" to the permissions list and see if that works.

i'll let you know what he says.

paul

 

[Mighty]

Paul,

No joy with that. Maybe it's not possible.
I might just have to write a script and get them to run it - not really what I wanted to do. Let me know if you think of anything else. I'll be heading home in about 15 minutes but I'll check again in the morning.

Thanks for the help. Mise Le Meas,

Mighty

 

[Mighty]

Paul,

Just a quick point - it does seem to be connecting to the client PC OK. The last time I ran the program I had a type in the code and it was basically trying to access a drive that didn't exist on the client - it knew that it didn't exist as it gave me a bad path error.

However, when I corrected the code, i was back to the old "Permission Denied." It's just a question of figuring out how to grant access. Mise Le Meas,

Mighty

 

[link9]

Network admin's response:
-----------------
It probably is the network user. What he can do to test it (and no
guarantees this is the same way his program would copy it) is to go into
Scheduled Tasks on the server and schedule a cmd.exe to run in
Interactive Mode (important). When it launches, it will allow him to be
the "system" as opposed to the user he is logged in as. He can then try
to copy and see that he doesn't have permissions. To make it work, the
receiving machine would need to allow him and I guess that would be
"Network", but I'm not sure. If he has a way of authenticating with the
remote machine through Windows Auth, that should do it. I don't know
what his interface is like (HTML, GUI, ETC), but if it's HTML, can't he
have the file written to a dropoff place on the server and redirect the
user's browser to that page and file and have it prompt the user to
download it?
----------------

I asked him about "Everyone", and he said that "Everyone" is only people, and does not necessarily include the account that your ASP is trying to work under.

Also, using auditing is a great way to find out what account has tried to gain access. Turn on auditing for the directory (It'll have to be on an NT or Win2K machine with NTFS), and after getting the error, go check the logs on the machine, and see what account it's trying.

One thing is definitely for sure. It IS a permissions issue. You're script is able to find the path, and it knows what and where you are trying to work. It's just denying you permissions to do your work. Trial and error with granting permissions will solve this problem.

lemme know the status.

paul

 

[Mighty]

Paul,

I give up. I have tried loads of things at this stage and I'm convinced that it's just not possible. I use Anonymous access on my webserver and I even set up the website to use the domain administrator account for anonymous access and even then I couldn't write to the shared directory. I set up auditing but I coulnd't figure out what account was trying to access the drive. On my own PC it seemed to be using my own NT login as the account when creating and deleting files - when I ran the ASP page using IIS on my local PC. Mise Le Meas,

Mighty

 

[Mighty]

Paul,

Are you still out there - it's me again. I have another development. The problem only occurs if the client PC is running either NT or 2000. I just tried to run the ASP program from client PC's running W98 and W95 and it worked without any problems.

Have you any idea how I get around the problem in NT/2k?? Mise Le Meas,

Mighty

 

[link9]

Yep. Still here.

Now then. What's that tell us? NTFS... that's what.

If it were me, I'd have to take the non-technical approach to things, and go open up any and all permissions on the directory in question.

First of all, go check the event viewer on the machine (Start-->Run-->"eventvwr&quot and check out the security log... you may want to first raise the error so the entry will be near the top. If your auditing log doesn't tell you anything, then that should.



If you still see nothing, then:

Keep in mind that "Everyone" is ONLY people (i.e. users on your domain), and accounts such as Network, System, etc... are not included under that designation. (I didn't know this until yesterday)

Now, when you go in under the set permissions dialog, there's a group of ALL UPPERCASE users. Add every single one of those with full permissions and try it then.

Additionally, down below, you should find a user called "_Web Applications" & "_Web Anonymous Users". These are separate from your "IUSR_" account. I would add those, too... along with anything else I saw on that list that looked remotely like it might work.

At this point, I would really be surprised if it wasn't working. So, assuming it does, start taking them off one by one until you find the culprit.

You might also just throw a post in the Win2k forum describing the basic situation, and that an ASP script is trying to modify a file on a user's machine... blah blah... keep down on particulars so as not to bog them down. What account would it use coming from a server on the network? That's the key.

Please lemme know how it works out. I would really like to know what account that thing is working under.

paul

 

[Mighty]

Paul,

Welcome back to the continuing saga.
I can't get anything to show up in the security log in the event viewer. I have never done anything with auditing before so maybe I haven't set it up correctly. Basically in the properties of the folder, I have set up auditing for all users that I have given access to. I then turned on auditing for Object Access. But I get nothing in the log. I can see entries for me changing the permissions on folders,etc - but nothing for when the webserver tries to access it.

As regards users, I added all the UPPERCASE accounts and the IUSR and IWAM accounts. I didn't have any of those _Web users that you mentioned.

In my case, the webserver is also the DNS server and domain controller for our network. So basically, I have given every "odd" user full access to the directory - by odd, I mean not an antual user. This still hasn't done me any good. I am at the end of my tether now.

I'll post a queston on the Win 2K/NT forum and see if I get anything.

Thanks for all your help Paul.
I appreciate it. Mise Le Meas,

Mighty

 

[Mighty]

Paul,

I have it working - I think. I'll have to check out the security aspects of it later when my Network Administrator returns from vacation. To test out things, I changed the account that the webserver used for anonymous access to my own account and then ran the ASP page from my PC i.e. I was the client and the webserver was the server. This worked fine. So I changed the account back to IUSR_WEBSERVER but I know that a password was not specified before so I specified the domain password for IUSR_WEBSERVER. I had a shared folder on my PC with IUSR_WEBSERVER having full access. IT WORKED!!!

Now for some reason, IUSR_WEBSERVER is in the Administrator group on the webserver. I don't know if this is normal. So I took it out and ran it again and it still worked. I don't know if the permission change comes into effect straight away though.

So barring any negative comments from my Network administrator, I think that I am sorted. Thanks for all the help and advice. Mise Le Meas,

Mighty

 

[link9]

That's great. Thanks for the info.

So to sum it up then... on each machine, the local IUSR account was given permissions, but not the domain IUSR, which is what the server was logging under? Is that right?



Oh, and no, IUSR account definitely should NOT be in the administrator group. Don't want your anonymous account to have enough power to change your hardware configurations (or worse). ;-)

 

[Mighty]

Paul,

I must not have explained it very well. My intranet resides on machine WEBSERVER. On each client PC that will be running this program, I created a shared directory and gave IUSR_WEBSERVER full access. However, I found out later that I didn't even need to do that - giving "Everyone" full access still allowed it to work fine.

I'll have to talk to my network admin later. If I take IUSR_WEBSERVER out of the administator group, how do I ensure that it was permission to write to databases, etc. Mise Le Meas,

Mighty