Explicit User versus Group Permission
I have a Windows 2000 domain setup.
I have a folder on one of my member servers that two groups have access to,
"Domain Admins" and "FRX Report Runners" They have full control. A user in
the FRX Report Runners group gets access denied when trying to get to the
folder. If I add the user explicitly to the secuity list, she can access
the folder.
What configuration could I be missing that is not allowing the group
permission to be recognized when that user trys to access the folder?
Thanks,
Jason Catlett
FES
# 1 Re: Explicit User versus Group Permission
best bet is to enable auditing for file/object fail/success and place an audit
ace on the file in question. then have the user access the resource, and
look at the entry in the audit log - it'll tell you which access control
request failed.
"Jason Catlett" <jcatlett@nospam.fesworld.com> wrote:
>I have a Windows 2000 domain setup.
>I have a folder on one of my member servers that two groups have access
to,
>"Domain Admins" and "FRX Report Runners" They have full control. A user
in
>the FRX Report Runners group gets access denied when trying to get to the
>folder. If I add the user explicitly to the secuity list, she can access
>the folder.
>
>What configuration could I be missing that is not allowing the group
>permission to be recognized when that user trys to access the folder?
>
>Thanks,
>
>Jason Catlett
>FES
>
>
# 2 Re: Explicit User versus Group Permission
Filemon can do the same thing as audit (well for finding the error since its
not meant for logging) and is available at:
http://www.sysinternals.com/ntw2k/source/filemon.shtml
--
Eli Allen
255288
eallen@bcpl.net
"Michael Howard" <mikehow@microsoft.com> wrote in message
news:3ac8a89f$1@news.dev-archive.com...
>
> best bet is to enable auditing for file/object fail/success and place an
audit
> ace on the file in question. then have the user access the resource, and
> look at the entry in the audit log - it'll tell you which access control
> request failed.
>
>
> "Jason Catlett" <jcatlett@nospam.fesworld.com> wrote:
> >I have a Windows 2000 domain setup.
> >I have a folder on one of my member servers that two groups have access
> to,
> >"Domain Admins" and "FRX Report Runners" They have full control. A user
> in
> >the FRX Report Runners group gets access denied when trying to get to the
> >folder. If I add the user explicitly to the secuity list, she can access
> >the folder.
> >
> >What configuration could I be missing that is not allowing the group
> >permission to be recognized when that user trys to access the folder?
> >
> >Thanks,
> >
> >Jason Catlett
> >FES
> >
> >
>
# 3 Re: Explicit User versus Group Permission
regmon and filemon are excellent tools for this - esp if you filter the output
(there's LOTS of output)
i spent time educating the WindowsXP appcompat guys to use these two when
troubleshooting apps which won't run unless you're admin.
"Eli Allen" <eallen@bcpl.net> wrote:
>Filemon can do the same thing as audit (well for finding the error since
its
>not meant for logging) and is available at:
>http://www.sysinternals.com/ntw2k/source/filemon.shtml
>
>--
>Eli Allen
>255288
>eallen@bcpl.net
>
>"Michael Howard" <mikehow@microsoft.com> wrote in message
>news:3ac8a89f$1@news.dev-archive.com...
>>
>> best bet is to enable auditing for file/object fail/success and place
an
>audit
>> ace on the file in question. then have the user access the resource, and
>> look at the entry in the audit log - it'll tell you which access control
>> request failed.
>>
>>
>> "Jason Catlett" <jcatlett@nospam.fesworld.com> wrote:
>> >I have a Windows 2000 domain setup.
>> >I have a folder on one of my member servers that two groups have access
>> to,
>> >"Domain Admins" and "FRX Report Runners" They have full control. A
user
>> in
>> >the FRX Report Runners group gets access denied when trying to get to
the
>> >folder. If I add the user explicitly to the secuity list, she can access
>> >the folder.
>> >
>> >What configuration could I be missing that is not allowing the group
>> >permission to be recognized when that user trys to access the folder?
>> >
>> >Thanks,
>> >
>> >Jason Catlett
>> >FES
>> >
>> >
>>
>
>
