Windows 2000 Permissions, Rights, Etc.

By mrs_doctor_jones ·
Does anyone have any good, concise resources for Windows 2000 rights, permissions, ownership, etc.?

Right now we're kind of winging it and keep running into problems with people being locked out of files and folders.

I need info on "what to do if x happens."


Try taking a look at these sites

by James Goerke In reply to Windows 2000 Permissions, ...

I am not sure if this is what you are looking for but they may help, enjoy!

James Goerke
TheGeex Technologies
Get TheGeex IT CD V1.1 Today!


Close, but not Quite Right

by mrs_doctor_jones In reply to Try taking a look at thes ...

Thanks, the first two were informative and will help me educate those who need to know about the subject but know even less than I do at this point.

However I am more concerned about what to do when someone loses rights due to a system problem. I've encountered a problem lately where the admin has lost rights to folders created by other users on the network and was able to see the files inside that folder but not open them. That's how I learned about the "take ownership" option.
It's things like that which I need to know more about.


Tim has a point

by LordInfidel In reply to Close, but not Quite Righ ...

There really is not a "what if this happens" type of doc.

It's basically, you learn the proper way to assign rights and don't deviate from it.

The hard and fast rules are:

Admins (domain and local) and System are the only ones who are granted full control over any files (no matter what!)

Users (anyone other than the admin group) are granted nothing higher than change. Never Full.

Domain admins/Local admins are the only group that can take ownership of files.

Never control access thru share permissions, share permissions should always be everyone=full.

Never give NTFS permissions everyone=full.

An example would be a user's home directory:
Admins = Full
System = Full
User = Change

Another tip: only assign groups to folders, never individual users, with the exception of the user's home folder.

Why? 2 reasons. 1, it makes it easier to add more people to the resource by just adding them to the resource's group. And 2, if I, the hacker, enumerated the rights on a resource and found usernames, I then have a valid username to use/try out.

Also, I always prefer to use the Local Administrators group when doing permissions rather than Domain Admins. As long as a machine is joined to the domain, then the domain admin group is automatically in the local admin group.

With these basic concepts you should be able to administer your permissions.
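The rules listed in the reply above can be checked mechanically. This is an added example, not part of the original post: it audits constructed ACL data against those rules, and the resource layout, trustee names and paths are all hypothetical.

```python
# Added example: audit constructed ACL data against the rules in the post above.
# Rights use cacls letters: R = Read, C = Change, F = Full.
# All trustee names, paths and the resource layout are hypothetical.

FULL_ALLOWED = {
    "BUILTIN\\Administrators",
    "DOMAIN\\Domain Admins",
    "NT AUTHORITY\\SYSTEM",
}

def audit(resource):
    """Return the list of rule violations for one resource."""
    findings = []
    share = resource.get("share")
    # Access is controlled on NTFS, so the share itself stays Everyone=Full.
    if share is not None and share != {"Everyone": "F"}:
        findings.append("share permissions are not Everyone=Full")
    for trustee, kind, right in resource["ntfs"]:
        if trustee == "Everyone" and right == "F":
            findings.append("NTFS grants Everyone=Full")
        elif right == "F" and trustee not in FULL_ALLOWED:
            findings.append(f"{trustee} has Full; the limit for non-admins is Change")
        # Individual accounts are only acceptable on that user's home folder.
        if kind == "user" and trustee != resource.get("home_owner"):
            findings.append(f"{trustee} is an individual user; assign a group")
    return findings

# Constructed sample: a home directory laid out as in the post.
HOME = {
    "path": r"D:\Home\jsmith", "home_owner": "DOMAIN\\jsmith",
    "share": {"Everyone": "F"},
    "ntfs": [("BUILTIN\\Administrators", "group", "F"),
             ("NT AUTHORITY\\SYSTEM", "group", "F"),
             ("DOMAIN\\jsmith", "user", "C")],
}
# Constructed sample: a shared folder that breaks four of the rules.
SHARED = {
    "path": r"D:\Shared\Finance",
    "share": {"Everyone": "R"},
    "ntfs": [("Everyone", "group", "F"),
             ("DOMAIN\\Finance", "group", "F"),
             ("DOMAIN\\bjones", "user", "C")],
}

if __name__ == "__main__":
    for res in (HOME, SHARED):
        print(res["path"], audit(res) or "OK")
```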


Two Specific What Ifs...

by mrs_doctor_jones In reply to Tim has a point

1. Win 98 and 95 users connecting to Win2K Pro "server." Can connect one day, can't connect the next. Getting message that device doesn't exist on network. Passwords didn't expire. Permissions still in place. Only thing that works is creating new user name and pw on server and on client.

2. Users and admin have permissions for different folders and can view file contents. Can access some files within the folder but can't access others.


Not really server

by LordInfidel In reply to Two Specific What Ifs...

Ok now we have some clarification.

You are not in a domain setting.

So any user name and password that your users log in with on the 95/98 machine has to match whatever you create on the 2k pro machine. If they mistype their password they will still be allowed in to the 95/98 machine but not the 2K machine.

If they press cancel, same thing. It is the pwd on the 98/95 machine that is getting messed up, not on the 2k pro machines.

You are not in a true domain model where they need to log into the domain.

Also, if the 95/98 machines cannot find the 2k pro machine, then make sure that you can ping the 2k pro machine by IP, then ping it by host name, then try to browse to it thru netwk neighbourhood (msp?)

2. This has to do with cascading permissions.

If, when the top level folder permission was set, you did not cascade the permissions down, then whatever the original permissions were on the file level will not be changed.

When you change the top level folder permissions, click on advanced and apply the changes to all subfolders, and files. (will be 2 check boxes on the bottom)


The joys of winging it...

by mrs_doctor_jones In reply to Not really server

I understand what you are saying about the 95/98 machines. That was kind of a given.

However, I'm pretty sure that it wasn't an issue of mistyping the password. I tried it myself to make sure that wasn't the issue.

During one of the incidents I actually had someone in the office who claims to know a bit more about this stuff than I do. He said it was a problem with the 98 machine changing its IP address.

Is there any way to tell if this was actually the problem? And if so, would it be better to assign an IP address to each machine rather than letting the system automatically do it?


Sorry I've been busy....

by LordInfidel In reply to The joys of winging it...

I've been re-architecting our network.

When you say the system chooses the IP, are you saying that you are using DHCP, or is the OS automatically assigning a 169.x.x.x address to itself?

That is not a routable address, that is an 'APIPA' address that the OS/NIC assigns to itself when it cannot get a DHCP address and does not have an address assigned to it.

That would be a very big problem in terms of communication.


Automatic Assignment

by mrs_doctor_jones In reply to The joys of winging it...

The system automatically assigns a 160 #.


And Another

by mrs_doctor_jones In reply to Two Specific What Ifs...

Trying to copy a directory but keep getting an error that the file is in use and can't be copied. I know for certain that it is no longer in use.


Do a threadFAQ for whatif scenarios

by grannybear In reply to Tim has a point


Since TechRepublic keeps these threads alive for a time, we could post as-we-learn-it scenarios for security problem/solution sets.

Just a thought from a mid-life career-changling IT network security newbie...

"Take the Shoes Off Your Mind!"
