Re: Assigning Security Permissions Failing


From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 05/31/04


Date: Mon, 31 May 2004 13:02:47 -0400

TheSingingCat wrote:
> Hi Lanwench,
>
> Thanks for your comments and suggestions. While I do agree with you
> that security should be done from the admin side of things, I do like
> to allow users to set up/maintain this to some degree.

OK; to each his own. I wouldn't like this as you'll have no idea who has
rights to what, off the bat. This sounds like an admin headache to me. Why
not set up a shared folder for all users, or a shared folder for another
group of users? If Joe and Bob constantly need to share files, but nobody
else should have access to them, set up a folder that only Joe and Bob (and
administrators) have rights to. When users have full control they can do all
sorts of bad things.
>
> Having said that, I'll elaborate on this issue somewhat with this
> problem. A user has a home directory on the server (drive w:) the
> user has a file he wants to give Bob write access to. When he clicks
> the file and then goes to ADD Bob from the picker, those error
> messages pop up. I can't peg what's causing the issue, everything
> *seems* to check out fine.
>
> Same thing occurs when I log in as an Admin to a workstation and try
> to set file level access on *any* resource on that server. Yet it
> works fine from that box, AND from NT 4.0 DCs and member servers.

As I said, I've never tried doing things this way - I'm a control freak and
want to manage everything on the server, so I don't think I can provide more
help. Sorry. Perhaps someone else will post? Did you look for event log
messages on the workstation?
>
>
>
>
> "Lanwench [MVP - Exchange]"
> <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in
> message news:OpAiJTyREHA.3220@TK2MSFTNGP10.phx.gbl...
>> TheSingingCat wrote:
>>> I've just recently stumbled into a strange problem on our Windows
>>> 2003 Server. For some reason, when I (or any other user) try to
>>> assign permissions to folders/shares (i.e. home directories) which
>>> are housed on that server, the error message:
>>>
>>> "Unable to display the user selection dialog."
>>> "The parameter is incorrect."
>>
>>
>>> Pops up on the client workstation right after I hit the 'Add'
>>> button.
>>
>> I don't see how you could really do this from the workstation, but
>> I've never tried it, to be honest. Security on network
>> shares/folders should be set/managed from server itself - log in as
>> administrator, make sure you have ownership, and then make sure your
>> security settings are correct for both share & NTFS. For the share
>> permissions give everyone full control (this is not set by default
>> as such in W2003). Set the NTFS permissions as you wish.
>>>
>>> Last week this was working fine. Over the weekend I restored from
>>> tape user directories from a different NT4.0 based server to this
>>> 2003 server. From my workstation, I can set up and assign domain
>>> user permissions on local resources and even on other servers, just
>>> on the 2003 one does this message come up.
>>>
>>> I *can* assign permissions correctly directly from the server, so at
>>> least I'm able to get around like that, however, I'd like users to
>>> be able to grant/deny permissions of their own home directories.
>>
>> I wouldn't do that if I were you....I never give users anything but
>> Modify permissions on *any* folders. Controlling security should be
>> left to the administrators. Leave the home directory permissions so
>> that administrators & system= full control, individual user=modify.
>> If there's a need for more shares, set them up as needed & control
>> access with groups.
>>
>>> Of
>>> course, I'd also love to know what caused this error.
>>>
>>> Our network is a single domain. We've recently upgraded our PDC to
>>> a 2003 via in place upgrade and all ran smooth for the last two
>>> weeks. We still have 3 other NT 4.0 BDCs. Setting security on all
>>> other server resources works, just the 2003 one from a client does
>>> not work.
>>>
>>> No errors in the event log on the 2003 server or the NT4.0 BDCs.
>>> Domain synchronization continues. Users are logging on fine, I can
>>> manage users/groups properly from the 2003 machine still.
>>>
>>> Any help greatly appreciated!
>>>
>>> Thank you in advance.
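
An added example, not part of the original thread: a PowerShell audit of home directories against the scheme recommended above (Administrators and SYSTEM with Full Control, each user with Modify only). The root path, the domain name and the convention that each folder is named after its account are assumptions made for illustration.

```powershell
# Added example: report home-directory ACEs that depart from
# "Administrators & SYSTEM = Full Control, individual user = Modify".
param(
    [string]$HomeRoot = 'D:\Home',   # hypothetical location of the home directories
    [string]$Domain   = 'EXAMPLE'    # hypothetical NetBIOS domain name
)

# Principals that are expected to hold Full Control
$fullControlAllowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

# Rights that let a principal rewrite the ACL or take the folder over.
# 0x10000000 is GENERIC_ALL, which can appear raw on inherit-only ACEs.
$aclControlMask = [int][System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership' -bor 0x10000000

function Test-HomeAcl {
    param([System.IO.DirectoryInfo]$Folder, [string]$Domain)

    # Assumption: the folder name equals the owning user's account name
    $expectedUser = "$Domain\$($Folder.Name)"

    foreach ($ace in (Get-Acl -LiteralPath $Folder.FullName).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($fullControlAllowed -contains $id) { continue }

        $finding = $null
        if (([int]$ace.FileSystemRights -band $aclControlMask) -ne 0) {
            $finding = 'can change permissions or take ownership'
        } elseif ($id -ne $expectedUser) {
            $finding = 'unexpected principal on home directory'
        }
        if ($finding) {
            [pscustomobject]@{
                Folder    = $Folder.FullName
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Finding   = $finding
            }
        }
    }
}

Get-ChildItem -LiteralPath $HomeRoot -Directory |
    ForEach-Object { Test-HomeAcl -Folder $_ -Domain $Domain } |
    Sort-Object Folder, Identity |
    Format-Table -AutoSize
```

The script only reads ACLs. It checks the top-level folder of each home directory, so permissions granted on individual files inside it are not covered.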


