"access denied" for members of Administrators, stand-alone server

Newsgroup: microsoft.public.windows.server.security
Posted by Larry on June 21, 2007, 1:48 pm
Hello,

I have a stand-alone Windows Server 2003 server where I get an access denied
even for members of Administrators on a folder the moment I deny "Users"
access to it. This is from the server itself - not via a share.

The directory is c:\data\paydir. The c:\data directory is shared and
"Users" have access to it. For paydir, I deny all access to "Users," but
not for "Administrators." I have a user Larry that is a member of
"Administrators" only (I removed him from Users), but even he gets "access
denied" to that directory.

More info:
C:\data>cacls paydir
C:\data\PAYDIR BUILTIN\Users:(OI)(CI)N
               BUILTIN\Administrators:(OI)(CI)F
               NT AUTHORITY\SYSTEM:(OI)(CI)F
               CREATOR OWNER:(OI)(CI)(IO)F
               BUILTIN\Users:(OI)(CI)R
               BUILTIN\Users:(CI)(special access:)
                             FILE_APPEND_DATA
               BUILTIN\Users:(CI)(special access:)
                             FILE_WRITE_DATA


When I view group membership for Larry, only Administrators come up. Is
there an implied membership to Builtin\Users that causes this "access
denied" or what am I missing? All I am trying to accomplish is that only
members of Administrators have access to c:\data\paydir.

Thanks,
Larry



Posted by Larry on June 21, 2007, 6:14 pm
I got this working: 1) uncheck "Allow inheritable permissions from parent to
propagate to this object." under Advanced and choosing to remove all
permissions from that directory structure, 2) Add Full Control to
Administrators.

But I am still mystified as to why the first approach did not work...

Larry
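
Larry's two GUI steps, reproduced here as an added PowerShell example; these are not his own commands and not part of the thread. It assumes the C:\data\paydir folder from the thread and a Windows PowerShell session run by a member of Administrators. Granting SYSTEM Full Control next to Administrators is a choice made in this example, not something Larry mentions.

```powershell
# Added example, not Larry's own commands. PowerShell equivalent of his fix:
#  1) block inheritance from C:\data and drop the inherited ACEs,
#  2) grant Full Control to Administrators.
# Assumes C:\data\paydir from the thread; run as a member of Administrators.
$dir = 'C:\data\paydir'
$acl = Get-Acl -Path $dir

# Step 1: isProtected = $true stops inheritance; preserveInheritance = $false
# discards the ACEs that came from C:\data (the GUI's "Remove" choice).
$acl.SetAccessRuleProtection($true, $false)

# Also drop any explicit ACEs already on the folder, such as the Deny for
# Users, so the result is exactly what is granted below.
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($ace)
}

# Step 2: Full Control for Administrators, inheriting to subfolders and files,
# which cacls displays as (OI)(CI)F. SYSTEM is added as well (a choice made in
# this example) so that backup and other services keep working.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $principal, 'FullControl', $inherit, $propagate, 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $dir -AclObject $acl

# Verify: every remaining ACE should be an explicit Allow, and none should
# name BUILTIN\Users.
(Get-Acl -Path $dir).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

If Get-Acl itself fails with access denied, the Deny ACE is also blocking the read of the security descriptor; take ownership first (takeown /f C:\data\paydir /a, or the Owner tab in the GUI), because the owner can always read and rewrite the DACL, then run the script again.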



Posted by Al Dunbar on June 21, 2007, 10:51 pm

>I got this working: 1) uncheck "Allow inheritable permissions from parent
>to propagate to this object." under Advanced and choosing to remove all
>permissions from that directory structure, 2) Add Full Control to
>Administrators.
>
> But I am still mystified as to why the first approach did not work...

On my XP box, the local "users" group includes "authenticated users", which
would, in turn, include administrators.

Using "deny" access is fraught with surprises - it is usually better to
grant the required access and simply not grant access to those who are not
to have it. Or, in your case, remove the specific accesses previously
granted to "users".

/Al



Posted by Roger Abell [MVP] on June 22, 2007, 3:00 am
Users group often includes Authenticated Users (which means any user
or computer account that authenticated to gain a login type session) as
Al indicated, and also often includes INTERACTIVE (which means
any account login session based on the local login user right).
So the account may have been indirectly a member of Administrators.
When you added a grant on the directory for Administrators Full Control,
if the deny for Users was still in effect (you said you blocked inheritance)
then the explicit grant added would have overridden the inherited deny
for Administrators members.

Roger

>I got this working: 1) uncheck "Allow inheritable permissions from parent
>to propagate to this object." under Advanced and choosing to remove all
>permissions from that directory structure, 2) Add Full Control to
>Administrators.
>
> But I am still mystified as to why the first approach did not work...
>
> Larry
>
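
Roger's point can be checked on the server itself. The following is an added example, not part of the thread: it lists the current logon token's groups with whoami (shipped with Windows Server 2003 and later) and flags the SIDs that matter for Larry's folder. The SID values are the documented well-known ones; nothing else is assumed.

```powershell
# Added example (not from the thread). Shows why an account that is only a
# member of Administrators still matches a Deny ACE for BUILTIN\Users: at logon
# LSA adds every local group that contains a SID already in the token, and on a
# stand-alone server BUILTIN\Users contains Authenticated Users and INTERACTIVE.
# Requires Windows; no elevation needed.

$wellKnown = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
}

# whoami /groups reports the token's group SIDs and their attributes.
$tokenGroups = whoami /groups /fo csv | ConvertFrom-Csv

Write-Host "Token groups of $(whoami) that matter for the paydir ACL:"
foreach ($g in $tokenGroups) {
    if ($wellKnown.ContainsKey($g.SID)) {
        '{0,-14} {1,-38} {2}' -f $g.SID, $g.'Group Name', $g.Attributes
    }
}

# The Deny ACE in the thread names BUILTIN\Users (S-1-5-32-545). It applies to
# this token if, and only if, that SID is present, however it got there.
if (($tokenGroups.SID) -contains 'S-1-5-32-545') {
    Write-Host "`nS-1-5-32-545 is in the token: a Deny ACE for BUILTIN\Users applies to this logon."
} else {
    Write-Host "`nS-1-5-32-545 is not in the token: a Deny ACE for BUILTIN\Users does not apply here."
}

# Why it is there: the nested members of the local Users group.
Write-Host "`nMembers of the local Users group:"
net localgroup Users
```

Removing the account from Users, as Larry did, changes nothing as long as Authenticated Users or INTERACTIVE remain members of Users. On Windows Vista and later the same listing also shows the other side of the coin: an unelevated administrator's token carries BUILTIN\Administrators with the attribute "Group used for deny only", while BUILTIN\Users is an ordinary enabled group.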



Posted by Al Dunbar on June 23, 2007, 12:59 pm

> Users group often includes Authenticated Users (which means any user
> or computer account that authenticated to gain a login type session) as
> Al indicated, and also often includes INTERACTIVE (which means
> any account login session based on the local login user right).

Yes, that was also the case for me.

> So the account may have been indirectly a member of Administrators.

I think you mean "of users"...

> When you added a grant on the directory for Administrators Full Control,
> if the deny for Users was still in effect (you said you blocked inheritance)
> then the explicit grant added would have overridden the inherited deny
> for Administrators members.

Are you sure of that? I had thought that the effective permissions on an
object are there as surely by indirect membership in related security groups
as is the case for direct membership. If user U is in group A that is
allowed access to a resource, and also in group D that is denied, then the
deny wins and user U has no access. If this were not the case then there
would be no point in having a deny access possibility, as the only way to
deny access would be to not grant it in the first place. If the user is
taken out of group D, added to group DD, and group DD is added to group D,
he should still not be able to access the resource.

If, as you say his direct membership in a group that is allowed access were
to override his indirect membership in a group denied access, then we have a
case where group nesting does not work as expected.

And what would happen if he were removed from A, added to AA, with AA being
added as a member of A - indirect membership in an allowed group and a
denied group? Will it then be a case of determining the most direct
membership?

/Al

> Roger
>
>>I got this working: 1) uncheck "Allow inheritable permissions from parent
>>to propagate to this object." under Advanced and choosing to remove all
>>permissions from that directory structure, 2) Add Full Control to
>>Administrators.
>>
>> But I am still mystified as to why the first approach did not work...
>>
>> Larry
>>
>
>
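
Al's questions have a definite answer in how Windows builds the token and walks the DACL, and the following added example (not part of the thread) models both. Group nesting is flattened into the token at logon, so direct and indirect membership look identical to the access check; what decides between an Allow and a Deny is their position in the DACL, which the ACL editor, cacls and Set-Acl keep in canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow. The well-known SIDs are real; the groups A, D, AA and DD and the rights mask values are constructed for the demo, and the model leaves out the owner's implicit rights and privileges such as backup/restore.

```powershell
# Added example, not code from the thread: a model of token building and DACL
# evaluation. Well-known SIDs are real; groups A, D, AA, DD and the rights
# masks are constructed for the demo. Omits owner rights and privileges.

# Rights as a bitmask, in the spirit of the NTFS access mask (demo values).
$R = @{ Read = 1; Write = 2; Delete = 4; All = 7 }

# Local group membership as on Larry's server: BUILTIN\Users contains the
# well-known Authenticated Users and INTERACTIVE. A/D/AA/DD are Al's groups.
$LocalGroups = @{
    'S-1-5-32-544' = @()                      # Administrators
    'S-1-5-32-545' = @('S-1-5-11', 'S-1-5-4') # Users <- Authenticated Users, INTERACTIVE
    'A'            = @('AA')                  # allowed group, with AA nested in it
    'D'            = @('DD')                  # denied group, with DD nested in it
}

function Expand-Token {
    # What LSA does at logon: keep adding every local group that contains a SID
    # already in the token until nothing changes. Nesting disappears here.
    param([string[]]$DirectSids)
    $token = @($DirectSids)
    do {
        $added = @()
        foreach ($group in $LocalGroups.Keys) {
            if ($token -contains $group) { continue }
            foreach ($member in $LocalGroups[$group]) {
                if ($token -contains $member) { $added += $group; break }
            }
        }
        $token += $added
    } while ($added.Count -gt 0)
    return $token
}

function New-Ace([string]$Sid, [string]$Type, [int]$Mask, [bool]$Inherited = $false) {
    [pscustomobject]@{ Sid = $Sid; Type = $Type; Mask = $Mask; Inherited = $Inherited }
}

function ConvertTo-CanonicalDacl([object[]]$Dacl) {
    # The order the ACL editor, cacls and Set-Acl write:
    # explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    $Dacl | Sort-Object { [int]$_.Inherited }, { $_.Type -ne 'Deny' }
}

function Test-Access([string[]]$Token, [object[]]$Dacl, [int]$Requested) {
    # Model of AccessCheck: walk the DACL in order, skip ACEs whose SID is not in
    # the token, fail at the first Deny covering a still-ungranted requested
    # right, succeed once Allows have covered every requested right.
    $remaining = $Requested
    foreach ($ace in (ConvertTo-CanonicalDacl $Dacl)) {
        if ($Token -notcontains $ace.Sid) { continue }
        if ($ace.Type -eq 'Deny' -and ($ace.Mask -band $remaining) -ne 0) { return $false }
        if ($ace.Type -eq 'Allow') { $remaining = $remaining -band (-bnot $ace.Mask) }
        if ($remaining -eq 0) { return $true }
    }
    return ($remaining -eq 0)
}

# Larry: a member of Administrators only, plus the SIDs every interactive logon gets.
$Larry = Expand-Token 'S-1-5-32-544', 'S-1-5-11', 'S-1-5-4'
"Larry's token holds BUILTIN\Users (S-1-5-32-545): $($Larry -contains 'S-1-5-32-545')"

# 1. His first attempt: explicit Deny for Users on paydir, the Administrators
#    Full Control and the Users Read inherited from C:\data (as in his cacls output).
$first = @(
    (New-Ace 'S-1-5-32-545' 'Deny'  $R.All)
    (New-Ace 'S-1-5-32-544' 'Allow' $R.All -Inherited $true)
    (New-Ace 'S-1-5-32-545' 'Allow' $R.Read -Inherited $true)
)
"1. explicit Deny Users, inherited Allow Administrators: $(Test-Access $Larry $first $R.Read)"

# 2. His fix: inheritance removed, a single explicit Allow for Administrators.
$fixed = @( (New-Ace 'S-1-5-32-544' 'Allow' $R.All) )
"2. explicit Allow Administrators only:                  $(Test-Access $Larry $fixed $R.All)"

# 3. Roger's case: the Deny for Users is inherited, the Allow for Administrators explicit.
$rogers = @(
    (New-Ace 'S-1-5-32-545' 'Deny'  $R.All -Inherited $true)
    (New-Ace 'S-1-5-32-544' 'Allow' $R.All)
)
"3. explicit Allow Administrators, inherited Deny Users: $(Test-Access $Larry $rogers $R.Read)"

# 4. Al's case: member of A (allowed) and D (denied), both ACEs explicit.
$direct = Expand-Token 'A', 'D'
$same = @( (New-Ace 'A' 'Allow' $R.All), (New-Ace 'D' 'Deny' $R.All) )
"4. same-tier Allow A and Deny D, member of both:        $(Test-Access $direct $same $R.Read)"

# 5. Al's nesting question: member of AA and DD only. The flattened token still
#    holds A and D, so the answer is the same as in 4.
$nested = Expand-Token 'AA', 'DD'
"5. member of AA and DD, token = $(($nested | Sort-Object) -join ','): $(Test-Access $nested $same $R.Read)"
```

The script touches no real ACL and runs under Windows PowerShell or pwsh on any platform. Cases 1, 4 and 5 come out False and cases 2 and 3 True: Larry's first attempt failed because his explicit Deny for Users sat ahead of the inherited Allow for Administrators, and his fix worked because no ACE for Users was left at all. The Deny in case 4 wins only because both ACEs are in the same tier; moving it to the inherited tier, as in case 3, puts the explicit Allow ahead of it, which is the behaviour Roger describes. Case 5 shows that whether the membership in D is direct or through DD makes no difference, since the token already contains D.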


