RE: Problems with Administrator users

From: Andrew Davis [MS] (adavis_at_online.microsoft.com)
Date: 12/11/03


Date: Thu, 11 Dec 2003 17:31:10 GMT

Rane,

This sounds like a permissions problem. Try using Regmon or Filemon to
determine where the permissions problem is.
These tools can be downloaded here: http://www.sysinternals.com/

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks!
~Andrew Davis
Microsoft PSS Security

--------------------
| From: "Rane Bowen" <raneb@slingshot.co.nz>
| Newsgroups: microsoft.public.inetserver.iis.security
| Subject: Problems with Administrator users
| Date: Thu, 11 Dec 2003 09:51:11 +1300
| Organization: Ihug Limited
|
| Hi.
|
| I hope that I am posting to the correct group and that someone can provide
| me with some clues with a particular problem we are having.
|
| First some background:
| Our document management system uses iis with a custom isapi filter. The
| user (after authenticating via ntlm) is presented with a list of documents
| that they have security access to. The access to documents is defined by
| the actual access a user has to the document with its file system security
| (on the server).
| If a user wishes to access the metadata of a document via the web browser,
| the isapi filter reads the security from the document within the file
| system, and determines whether the user has access to the metadata
| properties of the document. If the user has access to the document, the
| user should have access to its properties.
|
| The problem we are having is restricted to an active directory environment.
| If a user is a member of the 'domain admins' or 'administrators' groups, and
| a document has an acl that does not contain the 'everyone' trustee, but does
| contain another group that the user is a member of, strange things start to
| happen.
| Users will be able to fetch the 'object' that contains the document
| properties, but are denied access to the properties themselves (which should
| never happen). This can be fixed by granting the 'domain admins' group full
| control over the document, but does not really solve the problem.
|
| I hope this explanation of our problem makes sense, and that someone can at
| least poke me in the right direction.
|
| Cheers!
|
|
|


