
Permissions not setup correctly?

Status
Not open for further replies.

trojanman

IS-IT--Management
Jun 14, 2006
280
US
Unless I'm missing something [or just plain stupid], I can't figure out why I keep getting access denied errors for what I'm trying to do.

Here's the scenario...

User1 is a member of notourdomain.com but has been set up with a VPN client that connects to our internal server called \\Fileserver under the account Fileserver\User1.

1. User1 wants to use folder "B" which is a subfolder of folder "A".

2. Folder "A" contains subfolders that we do not want User1 to view or access.

3. In the Security tab of folder "A", I have denied the following permissions for User1:

Modify
Read & Execute
List folder contents
Read
Write

4. In the security tab of folder "B", I have allowed the following permissions for User1:

Modify
Read & Execute
List folder contents
Read
Write

5. I have also unchecked the "Allow inheritable from the parent to propagate this object and all child objects" options.

So, from User1's workstation, I have mapped a network drive to \\Fileserver\A\B using the "connect as a different user" option with the credentials Fileserver\User1. When User1 tries to add a new item to the "B" folder, they get an "Access is denied" error. I have viewed the effective permissions tab for folder "B" and it says that "User1" has write permissions. What am I missing?
 
What do you have configured in your share permissions?
 
Share permissions:

For folder "A", User1 is not added to the list.

For folder "B", User1 has full control.
 
If folder B is inheriting permissions, that deny overrides everything. When you unchecked the box for inheriting permissions, did you get the box about copy/remove? If so, how did you answer it?

If the user can't read the parent folder, he won't be able to get to the child folder.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -
 
Give user1 change share permissions to folder A, since they must have share permissions to connect to B via A.

 
58sniper, I answered "copy".

Although we have mapped the appropriate folder, we are concerned that the user might browse the other folders, which is why I denied everything in "A" except "B".
 
basst,

Will try as soon as they are awake :) Thanks!
 
You secure the folders using NTFS permissions, so setting share permissions only complicates things. User1 will also need the special NTFS permission traverse folder rights on folder A.
 
Not trying to steal basst's glory, but to confirm what he is saying:

Folder A: He'll need the traverse folder right for just that one folder. (Should not be inherited to other folders)

Folder B: Read, Write or Full control (depending on your access requirements)

Share - leave it alone. Give all authenticated users full control and protect by NTFS.

Cheers,

Steve.

"They have the internet on computers now!" - Homer Simpson
 
I've given the user the allow "traverse folder" right for folder "A" but access is still denied. Folder "B" is full control and I didn't touch the share permissions.
 
>58sniper, I answered "copy".

If you answered "copy" and you had deny permissions set on folder A then these deny permissions would be set now on folder B. Deny permissions always override Allow permissions as the most restrictive permissions take precedence. Remove these now explicit deny permissions from the ACL on folder B.


 
This is how I would set this up:

Folder structure: Server\FolderA\FolderB

Share FolderA with Everyone Full Control - share name FolderA

Uncheck allow inherited permissions from FolderA
Set NTFS permissions for users who should have permissions.

On FolderB grant User1 NTFS Modify permissions

Instruct User1 to connect to share using \\server\FolderA\FolderB as UNC path.

If User1 needs to browse through My Network Places etc to the folder then on FolderA

Add User1 with special permission

List Folder / Read Data

Then User1 can browse to FolderB but will not have any permissions on FolderA

Do not deny User1 Full Control on FolderA. If you do not give them any permissions to this folder then this is not necessary and will prevent them accessing FolderB unless you also uncheck allow inheritance on FolderB.

If you follow as above your problem should be solved.
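
Added example, not part of any post in this thread: the fix the replies converge on (remove the explicit Deny entries that "Copy" left on folder B, allow Modify on B, and allow Traverse on A for that folder only), written as PowerShell run on the file server. The local paths `D:\A` and `D:\A\B` and the helper name `Get-ExplicitDeny` are assumptions; the thread gives only the share path and the account name.

```powershell
# Assumed values: the thread gives no local path, so D:\A is a placeholder.
$parent   = 'D:\A'
$child    = 'D:\A\B'
$identity = 'Fileserver\User1'

# Hypothetical helper: explicit (non-inherited) Deny ACEs for one identity.
function Get-ExplicitDeny($Acl, $Identity) {
    @($Acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Deny' -and
        -not $_.IsInherited
    })
}

$aclB = Get-Acl -Path $child

# Show what User1 has on B and whether each entry is explicit or inherited.
$aclB.Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    Format-Table AccessControlType, FileSystemRights, IsInherited -AutoSize

# Answering "Copy" turned A's Deny entries into explicit Deny entries on B;
# these win over any Allow, so remove them.
foreach ($ace in Get-ExplicitDeny $aclB $identity) {
    [void]$aclB.RemoveAccessRule($ace)
}

# Keep B cut off from A's ACL (protected) and keep its existing entries.
$aclB.SetAccessRuleProtection($true, $true)

# Allow Modify on B, applying to this folder, subfolders and files.
$modify = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$aclB.AddAccessRule($modify)
Set-Acl -Path $child -AclObject $aclB

$aclA = Get-Acl -Path $parent

# Drop the explicit Deny on A: Deny "Read & Execute" includes Traverse Folder.
foreach ($ace in Get-ExplicitDeny $aclA $identity) {
    [void]$aclA.RemoveAccessRule($ace)
}

# Allow only Traverse, on this folder only (no inheritance flags), so it does
# not flow down to A's other subfolders.
$traverse = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $identity, 'Traverse', 'None', 'None', 'Allow')
$aclA.AddAccessRule($traverse)
Set-Acl -Path $parent -AclObject $aclA
```

Rerunning the `Format-Table` step afterwards should list only Allow entries for User1 on B, all with `IsInherited` set to False.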
 