Permissions Question

[rodentcentre]

I'm not really sure where to start so I'll just go...

We have a Windows 2000 Server as a Domain Controller and have Active Directory set up. Another of our servers is Windows Server 2003 and this server houses our document management system (DMS, it is made up of an ASP.Net front end with SQL Server 2000 backend). The DMS was put in place to take our firm from a paper based one to an all (95%) digital office and allow employees to electronically store any and all documents from clients and other correspondence. In this DMS we admins have to manually enter each person's user id within the organization so that they can access it...these user id's are the exact same ones entered in AD. The problem is that people are still able to go through the "back door" so to speak and add and remove documents directly from Windows Explorer as opposed to using the DMS. The question is, how do I lock everyone out from being able to "back door" the system but allow them to still add/remove/edit documents from within the DMS?? I hope I have explained myself

 

[martyh]

I am going to guess that your DMS accesses the server via a specific service account and therefore does not use normal share permissions.

If that is true, you should be able to remove the everyone group (or domain users) from the permissions on the shares so that only the DMS (and not the users directly) can access them.

Of course it may not work like that but it would seem logical. Failing that, ask the DMS vendor, they should know.

Marty
Network Admin
Hilliard Schools

 

[rodentcentre]

Thanks for that...another question...looking at the permissions on the drive, we have Domain Users(BHZ\Domain Users) that have Modify, Read & Execute, List Folder Contents, Read, Write permissions and then we have Users(SIAN\Users) that have Read & Execute, List Folder Contents, Read permissions...if I remove the Domain Users account that will in effect not allow people to do any "back dooring" correct??