I have created a special folder with sensitive information that only certain users are allowed access to. It is not shared, and in the security I have just individually listed every user who needs access. Everyone can access the folder except one user who is in the list can't. Access is always denied. I am not allowing permissions to propagate from parent objects because that would give everyone full control (the folder is in a users' directory). I have tried creating other folders in the same folder for this user (to test access) and access is always denied. I can't figure it out - any ideas?
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
user cannot access folder
- Thread starter edwtaylor
- Start date
webmaster999
IS-IT--Management
Have you traced permissions back to ensure that somewhere along the line there isn't a deny for that user? If you aren't sharing out that folder, then the users have to navigate through parent folders to get to it, and there could be a deny stuck in there somewhere. And you know, DENY takes precedence over ANYTHING ELSE.
Matt A+, MCP, MCP+I, MCSE Windows NT 4.0, MCSE Windows 2000 Early Achiever with Security Emphasis
Matt A+, MCP, MCP+I, MCSE Windows NT 4.0, MCSE Windows 2000 Early Achiever with Security Emphasis
- Thread starter
- #3
Thanks Matt - there doesn't seem to be anywhere in the folder structure where there could be any deny. The drive the folder is in is shared with everyone having full control. The folder is in the users directory which is shared with everyone having full control. The next layer down is the folder itself which is giving us the problem. Everyone else who is specified can access it - is it possible that a user's profile can become corrupted so that access is denied? Is there anywhere else where this user might be being denied?
webmaster999
IS-IT--Management
Ed,
Is this user of the same type as everyone else? Also, is this user a member of any other groups that the rest of them are not? Group membership plays a role too.
Matt A+, MCP, MCP+I, MCSE Windows NT 4.0, MCSE Windows 2000 Early Achiever with Security Emphasis
Is this user of the same type as everyone else? Also, is this user a member of any other groups that the rest of them are not? Group membership plays a role too.
Matt A+, MCP, MCP+I, MCSE Windows NT 4.0, MCSE Windows 2000 Early Achiever with Security Emphasis
- Thread starter
- #5
donnie4564
IS-IT--Management
Try clicking the advanced button from the security tab of the properties sheet of the object. Then view/edit advanced permissions for each group/user in the list. Do this for every folder in the tree. Next, I would try coping the folder to another server which would reset the permissions. Then start all over adding permissions. Also, I would add all users, that need access to the folder, to a security group then add that group to the folder. Then grant permissions. If users can access files they are to be restricted from then I would deny those users read permission until I work out this problem.
- Thread starter
- #7
Thanks for the suggestions, Donnie. I looked at the advanced permissions like you said - all users, including the problem one, have full control. I then looked at the advanced permissions on the users folder, which is the top one (besides the drive itself), and everyone has full control of that folder (all boxes ticked). I then copied the folder to another server & reassigned permissions - access was still denied - I could only give this user access if I gave everyone access. I then made a copy of the folder on the 2nd server again & added a group I had created with all the users in it (inc. the problem one) - still he cannot get access!Aaaagh!
webmaster999
IS-IT--Management
Edward,
Is the user in question located across a domain trust?
Also, have you tried deleting his username and profile and recreating it? This would reset all ACLs/SACLs/DACLs and this might help in creating a 'new user' for him.
Keep us posted...
Matt A+, MCP, MCP+I, MCSE Windows NT 4.0, MCSE Windows 2000 Early Achiever with Security Emphasis
Is the user in question located across a domain trust?
Also, have you tried deleting his username and profile and recreating it? This would reset all ACLs/SACLs/DACLs and this might help in creating a 'new user' for him.
Keep us posted...
Matt A+, MCP, MCP+I, MCSE Windows NT 4.0, MCSE Windows 2000 Early Achiever with Security Emphasis
donnie4564
IS-IT--Management
I think that Webmaster is on the right track.
When a user logs on a ticket is given which grants access to resources
This ticket confirms the user's permission to the requested service.
The Key Distribution Center or the KDC runs on each domain controller as part of Active Directory, which stores all client passwords and other account information.
The KDC issues a special ticket granting ticket to the client. The client uses this TGT to access the ticket granting service which is part of the Kerberos V5 authentication mechanism on the domain controller.
The TGS then issues a service ticket to the client.
The client presents this service ticket to the requested object. The service ticket proves the user's permission to access the object.
I’m not sure how all this can solve your problem. I know there is a Kerberos Key Distribution service that must be running on dc’s.
You could try recreating the user account, you would then have to recreate all permissions associated with that user.
Check the event log for any errors related to Kerberos or KDC.
Let us know how this turns out.
When a user logs on a ticket is given which grants access to resources
This ticket confirms the user's permission to the requested service.
The Key Distribution Center or the KDC runs on each domain controller as part of Active Directory, which stores all client passwords and other account information.
The KDC issues a special ticket granting ticket to the client. The client uses this TGT to access the ticket granting service which is part of the Kerberos V5 authentication mechanism on the domain controller.
The TGS then issues a service ticket to the client.
The client presents this service ticket to the requested object. The service ticket proves the user's permission to access the object.
I’m not sure how all this can solve your problem. I know there is a Kerberos Key Distribution service that must be running on dc’s.
You could try recreating the user account, you would then have to recreate all permissions associated with that user.
Check the event log for any errors related to Kerberos or KDC.
Let us know how this turns out.
- Thread starter
- #10
Thanks for all the help, guys...I think I have got to the bottom of it. The user in question always dials in. The RAS server is an NT workstation. For some reason (which I don't understand) the user is authenticating through an old NT account from before we upgraded to W2K. Therefore, whenever I added his username to the DACL I was adding the user's W2K account, not his NT account. He has an account on User Manager for Domains on the NT Workstation. Although I still don't understand it, the answer is to get him to only use his W2K account, then everything works as it should. Thanks again to everyone for being so helpful,
Edward
Edward
webmaster999
IS-IT--Management
Ed,
Seems to me that maybe your RAS machine (NT Workstation, maybe) was set to using NT-compatible authentication instead of W2K-compatible. Could be - just an idea.
Glad you got it working!
Matt A+, MCP, MCP+I, MCSE Windows NT 4.0, MCSE Windows 2000 Early Achiever with Security Emphasis
Seems to me that maybe your RAS machine (NT Workstation, maybe) was set to using NT-compatible authentication instead of W2K-compatible. Could be - just an idea.
Glad you got it working!
Matt A+, MCP, MCP+I, MCSE Windows NT 4.0, MCSE Windows 2000 Early Achiever with Security Emphasis
- Thread starter
- #12
webmaster999
IS-IT--Management
Edward,
I think I have heard of it being done before. Let me check into my archives and call some friends to see if I can find it. I think it actually had something to do with changing the user account on the W2K Server to be NT-compatible and then changing the RAS workstation to forward login requests to the W2K machine using RADIUS. Not sure of that, but I'll check into it for you.
Have a great day!
Matt A+, MCP, MCP+I, MCSE Windows NT 4.0, MCSE Windows 2000 Early Achiever with Security Emphasis
I think I have heard of it being done before. Let me check into my archives and call some friends to see if I can find it. I think it actually had something to do with changing the user account on the W2K Server to be NT-compatible and then changing the RAS workstation to forward login requests to the W2K machine using RADIUS. Not sure of that, but I'll check into it for you.
Have a great day!
Matt A+, MCP, MCP+I, MCSE Windows NT 4.0, MCSE Windows 2000 Early Achiever with Security Emphasis
- Status
Similar threads
- Locked
- Question
- Locked
- Question