Re: NTFS Deny not Working STRANGE
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 09/30/05
- Previous message: Phil B: "Re: NTFS Deny not Working STRANGE"
- Maybe in reply to: Phil B: "Re: NTFS Deny not Working STRANGE"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 30 Sep 2005 09:15:46 -0500
Out of curiosity try using a local group instead of a domain local group to
see if that changes anything. Also keep in mind that an explicit allow will
override an inherited deny for ntfs permissions so you may want to check
that possibility. It would also seem that the users that are remoting in are
a member of a group that has allow permissions to the folder such as users,
everyone, or domain users maybe. Even though deny permissions should work,
if that is the case you may want to configure permissions so that is not the
case as in remove users/everyone/domain users and create a global group with
only the users that should have access and probably give administrators and
system full control. When doing your testing and you change group
memberships be sure to logoff and logon again to refresh the token for the
test user. --- Steve
"Elizabeth Strachan" <ElizabethStrachan@discussions.microsoft.com> wrote in
message news:FFF115A9-0B0E-47BB-B615-666EF49932DF@microsoft.com...
> To anyone who can help,
>
> I am having the strangest problem with a Windows 2003 Server.
> Long story short we have to let some software developers TS into one of
> our
> servers but the server also has company data on it that we don't want them
> to
> access. The data is on a separate partition from anything else. My
> answer
> was thus:
> 1. Create Domain Local Security Group
> 2. Deny Full Access at the root of the partition to the Group
> 3. Add users to the group.
>
> Normally I would expect this to work but it does not. The deny is
> supposed
> to override everything else but for some reason it is not working.
>
> Here the strangeness continues:
> If I Logon as the user and double click on the partition it says "No
> Access"
> as expected but I can then do a D:\Some Folder on it and it all works
> fine.
> They can then open documents and explore as they like.
>
> I have gone into Advanced and reset permissions on files and folders. I
> have gone into effective permissions and when I choose the group it says
> no
> permission, when I choose one of the users it says Full Control. I have
> removed and re-added the group to the user. The user has no special user
> rights - we made a special group that had TS access but no ability to
> shutdown/restart etc. so they are not system administrators.
>
> The server is Windows 2003 SP1 and the only thing special about it is that
> we have loaded the patch to hide folders via shares that users have no
> permissions to.
>
> I can't seem to find anyone else with the same problem so I am at a loss
> to
> fix it? I can specifically deny it for that specific user and it works
> but
> this will create us a lot of maintenance in the long run.
>
> Does anyone have any ideas?
>
> Sincerely,
> Elizabeth
- Previous message: Phil B: "Re: NTFS Deny not Working STRANGE"
- Maybe in reply to: Phil B: "Re: NTFS Deny not Working STRANGE"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
