Re: ACL Permissions

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 12/20/04


Date: Mon, 20 Dec 2004 14:09:28 -0600

You can use the free tool Dumpsec from Somarsoft or the Resource Kit tool
showacl to see permissions to a folder or folders. Try adding the user that
is denied access normally to the local administrators group to see what
happens. If that works then I tend to think the user is lacking a user
right. If it does not work then I think the user is a member of a group that
has deny permissions applied somewhere along the line. To check user rights,
open Local Security Policy [secpol.msc] and look for any user right where
both administrators and IUSR user are included but the user or group that
the user is a member of is not. Also keep in mind that any "deny" user right
will override the same allow user right so take a close look at any deny user
rights. Verify the user group membership with the " net user username "
command [using real user name of course]. --- Steve

http://www.somarsoft.com/ --- Dumpsec.

"John Pugh" <john@cyber-media.co.uk> wrote in message
news:OMkOwNo5EHA.2180@TK2MSFTNGP12.phx.gbl...
> It works as an Administrator, but not as a User even though the user in
> question is in the right groups, is there any way to see what permissions
> each of the groups get? so that I can see what is different between the
> working boxes and this one.
>
> Cheers
>
> John
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:euvf7544EHA.3616@TK2MSFTNGP11.phx.gbl...
>> Hmm. I can't think of much else other than also checking the special
>> permissions for that folder in security/advanced to make sure that there
>> is no group with deny permissions and also viewing the "effective
>> permissions" tab for your user. Another thing to try is temporarily add
>> that user to the local administrators group or use the built in
>> administrator account as the access account temporarily to see if that
>> works. If that does work then there is a lack of permission or privilege
>> for the regular user account. If it does not work something else weird is
>> going on. Check the group membership of the user accounts that you are
>> using to make sure that they are at least members of the local users
>> group. --- Steve
>>
>>
>> "John Pugh" <john@cyber-media.co.uk> wrote in message
>> news:u5Tg2t14EHA.2124@TK2MSFTNGP15.phx.gbl...
>>> Hi Steve & Everyone else,
>>>
>>> I have looked through the local policy and everything seems the same
>>> between the boxes, I setup auditing, but again I get no failures and the
>>> box that is not working produces the same results as the others yet it
>>> still won't let me view the web pages, grrr.
>>>
>>> If it was a office computer I would be reinstalling windows at this
>>> point! but as it is in a data centre 100 miles away, that's not an
>>> option. By the way it is a stand alone server and not part of a domain
>>>
>>> Thanks for all your help, any more suggestions?
>>>
>>> John
>>>
>>>
>>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>>> news:egjPCsv4EHA.2604@TK2MSFTNGP10.phx.gbl...
>>>> Enable auditing on logon events for success and failure and privilege
>>>> use and object access for failure [probably only temporarily]. Enable
>>>> auditing on that folder for that user. Then look in the security logs
>>>> and Event Viewer in general for any possible helpful messages. I would
>>>> also look in Local Security Policy on each computer and look for any
>>>> differences under local policies for security options or user rights.
>>>> Any differences found between the two boxes could be suspect. Also
>>>> check any deny permissions to the folder which your user could be
>>>> affected by group membership. If this is a domain computer, run the
>>>> netdiag support tool on it looking for any pertinent errors. -- Steve
>>>>
>>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;301640 --
>>>> needs object access enabled first.
>>>>
>>>> "John Pugh" <john@cyber-media.co.uk> wrote in message
>>>> news:OU6E3$r4EHA.1452@TK2MSFTNGP11.phx.gbl...
>>>>> Thanks for the reply, I have compared the permissions between the two
>>>>> boxes (one that works and this one) and I can see very little
>>>>> differences, none in sections that I think might affect this problem
>>>>> is there anything specific that I should be looking for?
>>>>>
>>>>>
>>>>>
>>>>> "Andra" <andraatlatnetdotlv> wrote in message
>>>>> news:emKIJNr4EHA.1400@TK2MSFTNGP11.phx.gbl...
>>>>>> Policies? Especially concerning the way the password is sent over the
>>>>>> network.
>>>>>>
>>>>>> John Pugh wrote
>>>>>>> Hi,
>>>>>>>
>>>>>>> I am having problem that I thought some of you might be able to help,
>>>>>>>
>>>>>>> The problem is that we have created a directory on a 2k3 standard box
>>>>>>> that can only be accessed using a set username and password (used for
>>>>>>> accessing web stats over the internet) I have done this many times
>>>>>>> before without a hitch but on one of our boxes it does want to work at
>>>>>>> all!
>>>>>>>
>>>>>>> I have given the SYSTEM full control, Administrators full control and
>>>>>>> stats-viewer (the user who needs access) read and read & execute. This
>>>>>>> is the standard setup I have on all our boxes. I have also tried
>>>>>>> recreating all the permissions the wwwroot directory has and putting it
>>>>>>> in the wwwroot directory to no avail.
>>>>>>>
>>>>>>> With the IUSR user in place it works, allowing anonymous access,
>>>>>>> therefore IIS is pointing to the right place and serving up the pages
>>>>>>> so that is working, but when IUSR access is taken away it throws back a
>>>>>>> "HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on
>>>>>>> the requested resource." error when trying to login as stats-viewer. I
>>>>>>> have tried using Integrated and basic authentication, changing the
>>>>>>> user, changing the directory, creating a new web site in IIS, using
>>>>>>> Authdiag (which doesn't seem to shed light on the problem) all without
>>>>>>> success.
>>>>>>>
>>>>>>> Can anyone help, it's doing my head in!!!
>>>>>>>
>>>>>>> Many thanks,
>>>>>>>
>>>>>>> John Pugh
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
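
An added example, not part of the original thread: the user-rights check described in the top reply (find rights that Administrators and the IUSR account both hold but the failing user does not, and any deny right that catches the user), applied to the `[Privilege Rights]` section of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` file. The export text and the account names `IUSR_WEB01`, `IWAM_WEB01` and `StatsGroup` are constructed for illustration.

```python
# Added example: user-rights review of a secedit USER_RIGHTS export.
# SAMPLE_EXPORT is constructed; IUSR_WEB01, IWAM_WEB01 and StatsGroup are
# hypothetical names. A real export is usually UTF-16; decode it before parsing.

SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,IUSR_WEB01
SeInteractiveLogonRight = *S-1-5-32-544,IUSR_WEB01
SeBatchLogonRight = IUSR_WEB01,IWAM_WEB01
SeChangeNotifyPrivilege = *S-1-5-32-544,*S-1-5-32-545,IUSR_WEB01
SeDenyNetworkLogonRight = SUPPORT_388945a0,StatsGroup
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_rights(text):
    """Return {right: set of lower-cased principals} from [Privilege Rights]."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, members = line.partition("=")
            rights[name.strip()] = {m.strip().lstrip("*").lower()
                                    for m in members.split(",") if m.strip()}
    return rights

def review(text, reference, user_principals):
    """reference: accounts that work (Administrators SID, IUSR account).
    user_principals: the failing user plus every group it is a member of."""
    ref = {p.lower() for p in reference}
    usr = {p.lower() for p in user_principals}
    missing, denied = [], []
    for right, members in sorted(parse_rights(text).items()):
        if right.startswith("SeDeny"):
            if members & usr:
                denied.append(right)   # a deny right overrides the same allow right
        elif ref <= members and not (members & usr):
            missing.append(right)      # working accounts hold it, the user does not
    return missing, denied

if __name__ == "__main__":
    admins, users = "S-1-5-32-544", "S-1-5-32-545"  # BUILTIN\Administrators, BUILTIN\Users
    print(review(SAMPLE_EXPORT, [admins, "IUSR_WEB01"],
                 ["stats-viewer", users, "StatsGroup"]))
```

The list of user principals comes from the `net user username` output mentioned in the reply; built-in groups appear in the export as SIDs, so pass those rather than the display names.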


