RE: [ActiveDir] OT: riddle me this
It was share permissions. He had full control on the NTFS level, but only read on the share. My question is: I thought NTFS permissions beat out share permissions when there is a conflict?

-----Original Message-----
From: Joe Pochedley [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 04, 2004 4:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: riddle me this

Sounds like you've got NTFS permissions covered, but have you checked the share permissions?

Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do it himself.

-----Original Message-----
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 04, 2004 3:44 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT: riddle me this

I have a developer who is running Visual SourceSafe and has had issues since day one logging in (to VSS). The app just uses its own internal db of users for auth, not AD. However, the files reside on an NTFS share.

Here's my confusion: I put this developer into the Domain Admins group as a test. He cannot change the attributes of files from read-only to read. He gets an access denied error. He cannot create files in a dir he has been given explicit access (full control). Still gets an access denied. I've tried from different machines from Win2k SP4 to WinXP SP1 and still the same issue.

The files and dirs reside on an AD Win2k DC. We are a Win2k mixed mode domain.

Could an account have gotten corrupted or screwed? And how could I tell? Running Ethereal when he connects only gives me what I know: SMB NT file access denied. What the heck is going on here?

thanks

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: riddle me this
No, permissions are cumulative so when there is a conflict the most restrictive permission will apply. Remember that to even get to the NTFS permission you have to get past the share first.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 05 May 2004 15:35
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: riddle me this

It was share permissions. He had full control on the NTFS level, but only read on the share. My question is: I thought NTFS permissions beat out share permissions when there is a conflict?

-----Original Message-----
From: Joe Pochedley [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 04, 2004 4:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: riddle me this

Sounds like you've got NTFS permissions covered, but have you checked the share permissions?

Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do it himself.

-----Original Message-----
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 04, 2004 3:44 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT: riddle me this

I have a developer who is running Visual SourceSafe and has had issues since day one logging in (to VSS). The app just uses its own internal db of users for auth, not AD. However, the files reside on an NTFS share.

Here's my confusion: I put this developer into the Domain Admins group as a test. He cannot change the attributes of files from read-only to read. He gets an access denied error. He cannot create files in a dir he has been given explicit access (full control). Still gets an access denied. I've tried from different machines from Win2k SP4 to WinXP SP1 and still the same issue.

The files and dirs reside on an AD Win2k DC. We are a Win2k mixed mode domain.

Could an account have gotten corrupted or screwed? And how could I tell? Running Ethereal when he connects only gives me what I know: SMB NT file access denied. What the heck is going on here?

thanks
RE: [ActiveDir] OT: riddle me this
Nope. With combined share and NTFS, most restrictive applies.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 05, 2004 10:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: riddle me this

It was share permissions. He had full control on the NTFS level, but only read on the share. My question is: I thought NTFS permissions beat out share permissions when there is a conflict?

-----Original Message-----
From: Joe Pochedley [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 04, 2004 4:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: riddle me this

Sounds like you've got NTFS permissions covered, but have you checked the share permissions?

Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do it himself.

-----Original Message-----
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 04, 2004 3:44 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT: riddle me this

I have a developer who is running Visual SourceSafe and has had issues since day one logging in (to VSS). The app just uses its own internal db of users for auth, not AD. However, the files reside on an NTFS share.

Here's my confusion: I put this developer into the Domain Admins group as a test. He cannot change the attributes of files from read-only to read. He gets an access denied error. He cannot create files in a dir he has been given explicit access (full control). Still gets an access denied. I've tried from different machines from Win2k SP4 to WinXP SP1 and still the same issue.

The files and dirs reside on an AD Win2k DC. We are a Win2k mixed mode domain.

Could an account have gotten corrupted or screwed? And how could I tell? Running Ethereal when he connects only gives me what I know: SMB NT file access denied. What the heck is going on here?

thanks
RE: [ActiveDir] OT: riddle me this
If you make a network connection to a box, both share and local NTFS permissions are enforced and your effective permissions will be the LESSER of the two.

If you are logged on locally to a server, then the share permissions will be ignored and your effective permissions will be the NTFS permissions.

One side point, if you are logged on locally to the server and use a shared drive that points back to the same box, then share permissions will be applied. That's an easy way to check them without needing a second box.

-----Original Message-----
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 05, 2004 7:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: riddle me this

It was share permissions. He had full control on the NTFS level, but only read on the share. My question is: I thought NTFS permissions beat out share permissions when there is a conflict?

-----Original Message-----
From: Joe Pochedley [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 04, 2004 4:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: riddle me this

Sounds like you've got NTFS permissions covered, but have you checked the share permissions?

Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do it himself.

-----Original Message-----
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 04, 2004 3:44 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT: riddle me this

I have a developer who is running Visual SourceSafe and has had issues since day one logging in (to VSS). The app just uses its own internal db of users for auth, not AD. However, the files reside on an NTFS share.

Here's my confusion: I put this developer into the Domain Admins group as a test. He cannot change the attributes of files from read-only to read. He gets an access denied error. He cannot create files in a dir he has been given explicit access (full control). Still gets an access denied. I've tried from different machines from Win2k SP4 to WinXP SP1 and still the same issue.

The files and dirs reside on an AD Win2k DC. We are a Win2k mixed mode domain.

Could an account have gotten corrupted or screwed? And how could I tell? Running Ethereal when he connects only gives me what I know: SMB NT file access denied. What the heck is going on here?

thanks
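The rule the replies above describe (over the network both the share ACL and the NTFS ACL apply and the lesser wins; a local path skips the share ACL), as an added example that is not part of any list member's post. It is a simplified Python model: account and group names are constructed, the mask values are the standard Windows file access masks, and deny entries are assumed to be in canonical deny-first order.

```python
# Added illustration: simplified model of the two-layer access check.
# Account/group names are constructed; masks are standard Windows file rights.
FILE_WRITE_DATA = 0x000002        # on a directory: create files
FILE_WRITE_ATTRIBUTES = 0x000100  # e.g. clear the read-only flag
READ, CHANGE, FULL = 0x1200A9, 0x1301BF, 0x1F01FF

def granted(acl, sids):
    """Rights one ACL gives a token: allow ACEs are cumulative across the
    user's groups, deny ACEs win (assumes canonical deny-first ordering)."""
    allow = deny = 0
    for kind, sid, mask in acl:
        if sid in sids:
            if kind == "deny":
                deny |= mask
            else:
                allow |= mask
    return allow & ~deny

def effective(share_acl, ntfs_acl, sids, via_share=True):
    """via_share=True: UNC path, including a mapped drive back to the same box.
    via_share=False: local path on the server; share ACL is never consulted."""
    ntfs = granted(ntfs_acl, sids)
    return (granted(share_acl, sids) & ntfs) if via_share else ntfs

def blocking_layers(share_acl, ntfs_acl, sids, wanted, via_share=True):
    """Which layer(s) withhold the requested rights; empty list means allowed."""
    layers = []
    if via_share and (granted(share_acl, sids) & wanted) != wanted:
        layers.append("share")
    if (granted(ntfs_acl, sids) & wanted) != wanted:
        layers.append("ntfs")
    return layers

# Constructed ACLs matching the case in the thread: Full Control on NTFS,
# Read on the share. Domain Admins membership only changes the NTFS side.
SHARE_ACL = [("allow", "Everyone", READ)]
NTFS_ACL = [("allow", "Domain Admins", FULL), ("allow", "dev1", FULL)]
DEV_TOKEN = {"dev1", "Everyone", "Domain Users", "Domain Admins"}

# Constructed ACL for the group layout from the thread: the same groups get
# the same level on both layers, so neither layer caps the other.
VSS_ACL = [("allow", "VSS-FC", FULL), ("allow", "VSS-CH", CHANGE),
           ("allow", "Domain Admins", FULL)]

if __name__ == "__main__":
    for right, name in [(FILE_WRITE_DATA, "create file"),
                        (FILE_WRITE_ATTRIBUTES, "change attributes")]:
        print(name, "over the network blocked by:",
              blocking_layers(SHARE_ACL, NTFS_ACL, DEV_TOKEN, right))
    print("over the network: %#x" % effective(SHARE_ACL, NTFS_ACL, DEV_TOKEN))
    print("logged on locally: %#x" % effective(SHARE_ACL, NTFS_ACL, DEV_TOKEN, False))
    print("VSS-CH member: %#x" % effective(VSS_ACL, VSS_ACL, {"dev2", "VSS-CH"}))
```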
RE: [ActiveDir] OT: riddle me this
Sounds like you've got NTFS permissions covered, but have you checked the share permissions?

Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do it himself.

-----Original Message-----
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 04, 2004 3:44 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT: riddle me this

I have a developer who is running Visual SourceSafe and has had issues since day one logging in (to VSS). The app just uses its own internal db of users for auth, not AD. However, the files reside on an NTFS share.

Here's my confusion: I put this developer into the Domain Admins group as a test. He cannot change the attributes of files from read-only to read. He gets an access denied error. He cannot create files in a dir he has been given explicit access (full control). Still gets an access denied. I've tried from different machines from Win2k SP4 to WinXP SP1 and still the same issue.

The files and dirs reside on an AD Win2k DC. We are a Win2k mixed mode domain.

Could an account have gotten corrupted or screwed? And how could I tell? Running Ethereal when he connects only gives me what I know: SMB NT file access denied. What the heck is going on here?

thanks
RE: [ActiveDir] OT: riddle me this
Tom,

Our Developers run VSS. The data is on an NT4 BDC that is the only NT4 BDC in a single Domain AD W2K Forest. The FSMO is W2K SP3. The domain is mixed mode.

I have two Global Groups for VSS: VSS-FC (Members have Full Control - Share and NTFS permissions) and VSS-CH (Members have Change Control - Share and NTFS permissions). The groups Domain Admins and System also have Full Control to the VSS shareset (Share and NTFS). Then I just populate the groups (VSS-FC and VSS-CH). It all works easier this way.

Make sure Share permissions are not biting you.

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kern, Tom
Sent: Tuesday, May 04, 2004 3:44 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT: riddle me this

I have a developer who is running Visual SourceSafe and has had issues since day one logging in (to VSS). The app just uses its own internal db of users for auth, not AD. However, the files reside on an NTFS share.

Here's my confusion: I put this developer into the Domain Admins group as a test. He cannot change the attributes of files from read-only to read. He gets an access denied error. He cannot create files in a dir he has been given explicit access (full control). Still gets an access denied. I've tried from different machines from Win2k SP4 to WinXP SP1 and still the same issue.

The files and dirs reside on an AD Win2k DC. We are a Win2k mixed mode domain.

Could an account have gotten corrupted or screwed? And how could I tell? Running Ethereal when he connects only gives me what I know: SMB NT file access denied. What the heck is going on here?

thanks