NTFS Security - Quick Question

First off, if your not MCSA or higher, dont attempt to answer this question ^_^ im sure i would have already tried all your stupid answers ^_^

on the other hand, i have a file server im implementing into a 2k3 network infrastructure running windows server 2003 r2 enterprise.

i have a share named File Library and it is setup acordingly with the correct NTFS permissions (im 100% positive this is correct) ive been working with ntfs permissions for over 5 years and can do them in my sleep.

for the tough part, when mapped to the share, under a standard user with modify permissions to a given server full UNC;
\\ukcph-fsv01\file library\netusers\john

the user john has all permissions but change permission and take ownership.

when trying to upload a file while logged on oh john, i get access denied. (im sure ya thinkin its security and nope its not, the user effectively has the correct permissions to the dir), no acl icd is denied period nor is the ntfs acls inherited. The only way i can place a file in the dir period is with admin rights. The server uses the new File Magement that applys soft/hard quota's. each dir is given 2GB space hard quota.

has any one had this problem yet? is their any setting in security conf that would prevent any users other then admins to store files on shares? (i dont recall a setting like this) but if its somthing new in R2 then i'd love to be enlightened. its driving me nuts.

if no one can give me an answer that works, then ill contact ms ^_^

Find more posts tagged with

Comments

seuss_ssues

mgeorge27 wrote:

First off, if your not MCSA or higher, dont attempt to answer this question ^_^ im sure i would have already tried all your stupid answers ^_^

Well your arrogance is keeping me from answering your question. I know more people without ANY certs that are Admins, engineers, etc than i do with them.

So my stupid answer is probably the solution but i probably shouldnt attempt something this hard yet....i dont have MCSA or MCSE next to my name.

I hate people like you.

Webmaster

Yes, why not be rude, it's only the Internet.

if no one can give me an answer that works, then ill contact ms ^_^

You should, it must be a problem with their software.

mgeorge

somthing gives me an ideal that its somthing to do with the new file management, new quota crap etc... because i setup the same situation on 2003 Server Ent (non r2) same security etc... on virtual pc (a tech mans best solution to every issue *laughs*) and works perf on 2003 srv ent (not r2) but with r2 it does it and only admins can manage files.

I've talked to a few other MCSE's with years experince in a 50,000+ node enterprise enviroment and they have no ideal either >.< I was wondering if any one had the same issue with r2.

Webmaster

I guess I should have added @mgeorge27 in my previous reply...

agustinchernitsky

Hi,

Well here a MCSA 2003, in messaging and security. Hope that's fine with you. Regarding your post: cool down... As you say, it might me a MS bug.

Now... Without seeing your NTFS or Share ACLs, if your admin user can write to the share, and knowing that you have disk quotas enabled, there are two possible problems:

1.- Incorrect ACL somewhere. To create files you need Write perms
2.- Your user John is over quota... remember that Admin files are not enforced, explaining why you can write as admin.

Again, this is just a shot in the dark... Giveme more info and I'll help you out... or at least confirm its a MS bug. Give me share ACL and NTFS ACL on the folder (advanced view). Also give me the quota settings on the user. Maybe with this we can work it out.

PS: I haven't tried R2...

mgeorge

On a persoanl note, reason im cocky a bout certs is because if your smart enough to pass the exam, then dont be lazy, take it and get the cert. Me and lazyness dont get along to well and i have my reasons why.

agustinchernitsky wrote:

Hi,

Well here a MCSA 2003, in messaging and security. Hope that's fine with you. Regarding your post: cool down... As you say, it might me a MS bug.

Now... Without seeing your NTFS or Share ACLs, if your admin user can write to the share, and knowing that you have disk quotas enabled, there are two possible problems:

1.- Incorrect ACL somewhere. To create files you need Write perms
2.- Your user John is over quota... remember that Admin files are not enforced, explaining why you can write as admin.

Again, this is just a shot in the dark... Giveme more info and I'll help you out... or at least confirm its a MS bug. Give me share ACL and NTFS ACL on the folder (advanced view). Also give me the quota settings on the user. Maybe with this we can work it out.

PS: I haven't tried R2...

the NTFS security on johns folder is pretty simple, server name is UKCPH-FSV01 so this will help you understand AD Naming convention we use also, this is being done at the university of kentucky (where i work)

our server admins are members of UKCPH_SrvAdmins set by this group being a member group of local admin group on the server.

The NTFS ACL on the Folder is;
UKCPH-FSV01\Administrators - Full Control (Inherited)
MC.UKY.EDU\UKCPH_SrvAdmins - Full Controll (Inherited)
MC.UKY.EDU\JWS - Modify, Adv/del sub dir&files

Thats all thats on the NTFS ACL's, setup simple and sweet. Also they are alotted 2GB per a user (Hard Quota)

sprkymrk

mgeorge27 wrote:

On a persoanl note, reason im cocky a bout certs is because if your smart enough to pass the exam, then dont be lazy, take it and get the cert. Me and lazyness dont get along to well and i have my reasons why.

One reason I don't answer your question, oh Mighty 5 Years Experience mgeorge27

, aka "He Who Dreams NTFS"

; is because your Eminent Cockiness mentioned you probably already tried my stupid answer. Not to mention me and cockiness don't get along too well. I am also SOOO impressed that you know a few other MCSE's with years experince in a 50,000+ node enterprise enviroment. By golly, why the h311 are you asking idots like us for?

seuss_ssues

Hey sprkymrk,

I dont know if you realized it or not but this isnt the first time we both responded to his amazing MCSE knowledge.

Just the other day he was the guy with this quote:

"I don’t believe Techexams.net would support the discussion of WEP Cracking, considering it is in violation of several US Laws, and can be considered a Class B Felony in some states.

I suggest a forum mod lock this thread for example."

Apparently he is just another idiot that wants respect over the internet for certs that he probably doesnt have, or worse braindumped to get.

mgeorge

Never mind folks, a guy i teach with at a local technical institute answered the q for me. He had the same issue when doing a contract for a law firm. Thanks agustinchernitsky, I actually give you credit for attempting and keeping a professional attitute - we need more people like you around ^_^

seuss_ssues

Well atleast enlighten us.

What was the solution?

MCSACCNAwannabe

mgeorge27 wrote:

On a persoanl note, reason im cocky a bout certs is because if your smart enough to pass the exam, then dont be lazy, take it and get the cert. Me and lazyness dont get along to well and i have my reasons why.

I guess if you have nothing better to do with your time and money, you can spend lots of time taking exams. Don't get me wrong, I have a few basic certs and I am hoping to have my MCSA by the end of the summer, but I would much rather spend my time actually making a network that works than worrying about the correct answers to test questions. I think that the exams have gotten more realistic and I do learn valuable tips by studying for certs, but I know a few MCSEs that couldn't design a practical Windows network to save their lives, never mind have the people skills to effectively work with users, or God forbid, management.

TeKniques

mgeorge27 wrote:

First off, if your not MCSA or higher, dont attempt to answer this question ^_^ im sure i would have already tried all your stupid answers

Pound sand.

mgeorge27 wrote:

Never mind folks, a guy i teach with at a local technical institute answered the q for me. He had the same issue when doing a contract for a law firm. Thanks agustinchernitsky, I actually give you credit for attempting and keeping a professional attitute - we need more people like you around ^_^

Sure, you probably had a wrong permission assignment somewhere and had to cover your tracks.

agustinchernitsky

Hi! Good to know you have a solution... This surely looks like a test question

If you can, please post the solution, since it's quite interesting... your ACLs are fine.

Hope I could be more helpful next time!

Cheers!

mgeorge

First off if your not familar with 2003 Server R2, then i suggest you start trying to get experince on it, with file resource manager, print manger etc.. They do very nice features like file screening, quota's enforced by folder/share and even email services to email the user when they are nearing their quota max limit, which is a pretty nice feature, instead of having users call you up saying im getting "access denied" when they try to save this file to the network drive. It gives them head up.

I wouldn't expect to see this kind of content on the 290 any time soon, unless they decide to update it to include R2.

Apparently the issue i had was with FSRM, when i orginally created a share and quota's and what not, i deleted the shared folder and recreated it, security and so on, i never bothered to check with FSRM first, and apparently it was making it seem like the whole share was full and giving me access denied, full or write protected.

A guy i work with where i teach apparently had an issue simular, he just told me to reinstall fsrm, delete and recreate share, security etc... after i did, all worked as planned. i dunno if this is a bug or if its suppose to do this or what not. dont care now, i feel better now, this file server deployment deadline is this friday, i was about to freak out.

agustinchernitsky

Interesting... FSRM... New in R2... Possible bug? This is why I don't like the "new releases" versions...

I will check out R2 once I finish my exams... thanks for the suggestion!

sprkymrk

mgeorge27 wrote:

Never mind folks, a guy i teach with at a local technical institute answered the q for me. He had the same issue when doing a contract for a law firm. Thanks agustinchernitsky, I actually give you credit for attempting and keeping a professional attitute - we need more people like you around ^_^

I think the post started off very ^_^ UNPROFESSIONALLY ^_^ to begin with. You can't expect friendly replies when you start off by ^_^ insulting ^_^ half the people on the forum. I agree we need more people like agustinchernitsky around, and ^_^ less people ^_^ that start off posts with insulting and belittling remarks.

^_^ ^_^ ^_^ ^_^ ^_^ ^_^

mgeorge

Personally i find nothing wrong with ^_^ - it's a very nice unicode smiley used on IRC alot.
On the other hand, saying ^_^ has nothing to do with the professionalism of my question.

I'm done posting on this thread. If I insulted you, go tell your mommy, or be a man and get over it.

jpeezy55

Darn, he's done..I was just about to jump in.

Oh well, at least I can go back and read his rude comments over and over again...

I hate to be nit-picky and kick a guy when he's down, but mgeorge27 is just ripe for the kickin'! He said that he teaches somewhere, hopefully it is nothing to do with networking (or english...how hard is it to know the difference between "your" and "you're"?)

But, he's gone now and will never seek the advice of lowly non-MCSAs or higher, but his quote was something like this: "On a persoanl note, reason im cocky a bout certs is because if your smart enough to pass the exam, then dont be lazy, take it and get the cert. Me and lazyness dont get along to well and i have my reasons why. "
(English teachers all over the country are jumping off of buildings after reading that one!) And I know this is not an English forum, but if you expect to be taken seriously, then look intelligent...there is a spell-checker right below where you are typing...USE IT!

Whew, I feel better now...

sprkymrk

mgeorge27 wrote:

Personally i find nothing wrong with ^_^ - it's a very nice unicode smiley used on IRC alot.
On the other hand, saying ^_^ has nothing to do with the professionalism of my question.

I'm done posting on this thread. If I insulted you, go tell your mommy, or be a man and get over it.

If you think it was the ^_^ that was what I was referring to as unprofessional about your post, then you are actually, as hard as it may be to believe, dummer than I originally assumed.

Now go tell your mommy I called you dumb. And arrogant. Oh, and don't forget you also mentioned cocky yourself.

See, you get stupid replies even when you try and avoid them with comments like

"First off, if your not MCSA or higher, dont attempt to answer this question ^_^ im sure i would have already tried all your stupid answers"

RTmarc

TeKniques wrote:

Sure, you probably had a wrong permission assignment somewhere and had to cover your tracks.

It sounds like share permissions to me. In dude's initial post he said:

the user john has all permissions but change permission and take ownership

Now because Share + NTFS = most restrictive and the "Change" permission is relating to share then by that logic it would not matter if he did have Full Control; as long as he is coming in across the network Share permissions rule the day and he would get an AD message when trying to write something to the folder. But what do I know, right?

Of course let's not even bring up that MS recommends granting Full Control on Share permissions to everyone and then tightening down via NTFS. That's a completely different discussion.

Danman32

Yup, he never recapped the share permissions, he only detailed the NTFS permissions.

Usually the way I try an isolate a share permission problem versus an NTFS permission problem is eliminate the share as a problem by temporarily allowing the user account to log on locally, log on locally as the user, then see if you can get to the folder and do the required tasks. If not, it isn't the share, or the share is not the only problem.

Checking event logs might shed some light if it was an OS problem unrelated to ACL security. Enabling security audits could check if there was an ACL security problem.

Denies hidden by a group membership can also be troublesome to spot.