Re: IIS 6.0 and Integrated Security - restricting logins

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 03/31/05

• Next message: Ken Schaefer: "Re: IIS Admin Service - changing Logon account"
• Previous message: N Thorell: "Re: Web Application cannot create folder in wwwroot\"
• In reply to: Sandy Wood: "Re: IIS 6.0 and Integrated Security - restricting logins"
• Next in thread: Sandy Wood: "Re: IIS 6.0 and Integrated Security - restricting logins"
• Reply: Sandy Wood: "Re: IIS 6.0 and Integrated Security - restricting logins"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Thu, 31 Mar 2005 09:05:21 +1000

Your user is part of the Users group (as I mentioned). Remove the Users
group from the NTFS ACL (Access Control List) for the file or folder you are
attempting to restrict access to.

Cheers
Ken

-- 
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com
"Sandy Wood" <sandy.wood@nospam.com> wrote in message 
news:C44681B5-BAC5-4010-8FD7-FF62115352A4@microsoft.com...
:I dug out a old Win2k Res. Kit tool, w3who.dll which after running, gave me
: the following Access Token info:
:
: SERVER01\testuser
: SERVER01\None
: \Everyone
: SERVER01\PROBATION
: BUILTIN\Users
: NT AUTHORITY\NETWORK
: NT AUTHORITY\Authenticated Users
: NT AUTHORITY\This Organization
: NT AUTHORITY\NTLM Authentication
:
: If I check the user Member properties, he's not a member of any group at
: all, however, this shows something a bit different.
:
: We do have a local group called PROBATION, but inspecting it's membership
: shows testuser is not a member of it.
:
: Perhaps the BUILTIN\Users could give permissions?
:
: "Ken Schaefer" wrote:
:
: > Check the membership of the "Users" group. I suspect that your test user 
is
: > in that group.
: >
: > Cheers
: > Ken
: >
: > -- 
: > Blog: www.adopenstatic.com/cs/blogs/ken/
: > Web: www.adopenstatic.com
: >
: > "Sandy Wood" <sandy.wood@nospam.com> wrote in message
: > news:63A6B0C4-E9A4-4DE1-BA49-E45ABF7EEEDA@microsoft.com...
: > :I checked the IIS logs and the test user I created, without any group
: > : membership was shown as logging in. The only users/groups I have on 
the
: > data
: > : directory is Administrators, CREATOR OWNER, SYSTEM and local USERS.
: > :
: > : Could there be some other place that permissions are set? I'm only 
using
: > : Integrated Security, nothing Anonymous.
: > :
: > : "Ken Schaefer" wrote:
: > :
: > : > a) Use the IIS Logs to verify that which user account is being used 
(you
: > : > should see the user account in the log file)
: > : >
: > : > b) Verify that this user account does not have NTFS permissions to 
the
: > : > file/folder in question. I suspect that they must via some kind of
: > group.
: > : >
: > : > Cheers
: > : > Ken
: > : >
: > : > -- 
: > : > Blog: www.adopenstatic.com/cs/blogs/ken/
: > : > Web: www.adopenstatic.com
: > : >
: > : >
: > : > "Sandy Wood" <sandy.wood@nospam.com> wrote in message
: > : > news:8B43D1DA-B551-463E-B439-9233E1FAA5A3@microsoft.com...
: > : > :I want to restrict user access to certain parts of my web site by
: > creating
: > : > : local groups and adding those groups to the data folders that have 
the
: > web
: > : > : content. Right now, when I create a new local user, and not add 
them
: > to
: > : > any
: > : > : group, he can access the web site which is configured to use 
Integrate
: > : > : Security only. How can this happen if the new user is not part of 
any
: > : > groups
: > : > : with access to the folders?
: > : > : -- 
: > : > : Sandy Wood
: > : > : Orange County District Attorney
: > : >
: > : >
: > : >
: >
: >
: > 

---

• Next message: Ken Schaefer: "Re: IIS Admin Service - changing Logon account"
• Previous message: N Thorell: "Re: Web Application cannot create folder in wwwroot\"
• In reply to: Sandy Wood: "Re: IIS 6.0 and Integrated Security - restricting logins"
• Next in thread: Sandy Wood: "Re: IIS 6.0 and Integrated Security - restricting logins"
• Reply: Sandy Wood: "Re: IIS 6.0 and Integrated Security - restricting logins"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Changing groups ... pleaderb, sue, frank, ed are members of group projectb ... Everyone is a member of group user. ... depending on the file's permissions they can read and write the ... I do this all the time, using Samba. ... (Debian-User) Re: Outside Users RDP into WS2008??? ... Name it DL-Consultants ... Assign permissions on a resource to domain local group '. ... add any user account belonging to your consultants to become member of G-Consultants group. ... End disconnected session: ... (microsoft.public.windows.server.general) Re: How to remove a user from a mail group (Tried to search...) ... If you're using Distribution Groups, these cannot show up in any ACLs ... If it is a Security Group, you'll need to figure out the what different ... resources the group could have permissions on. ... I go to "member of" tab. ... (microsoft.public.exchange.admin) Re: How to use a Group Distribution list inorder to send and received messages ... In the Permissions list, locate Send As, and then click to select the ... permission of the user account that is a member of one of administrative ... groups will be reset to match the ACL of the AdminSDHolder thread. ... Directory domain controller that holds the primary domain controller ... (microsoft.public.exchange.admin) Re: How to use a Group Distribution list inorder to send and received messages ... In the Permissions list, locate Send As, and then click to select the ... permission of the user account that is a member of one of administrative ... groups will be reset to match the ACL of the AdminSDHolder thread. ... Directory domain controller that holds the primary domain controller ... (microsoft.public.exchange.admin)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.inetserver.iis.security  > 2005-03