XP Pro. Group Member permission question.

  • Thread starter Thread starter Charlie Chong
  • Start date Start date
C

Charlie Chong

I created a group. Installed 2 members in the group.

Assigned full permissions on directory tree for an
application, and assigned the owner of the directory tree
to this new group.

But only one of the groups members can execute and read
the application that resides in this directory tree.


Why?
 
somewhere there are obviously more restrictive permissions. did you assign permissions to a shared folder perhaps? even if you give full access on a share, the actual directory will still restrict access.

----- Charlie Chong wrote: -----

I created a group. Installed 2 members in the group.

Assigned full permissions on directory tree for an
application, and assigned the owner of the directory tree
to this new group.

But only one of the groups members can execute and read
the application that resides in this directory tree.


Why?
 
Maybe I did not explain the scenareo clear.

Here is what I tried to do:

I wanted to create a group for every application on the
system. For example:

take notepad.exe for example:

So I create a group called notepad, and add all of the
users to this group, who are allowed to access the
program called notepad.exe.

Then, I change the ownership of this program to the group
called notepad. (assuming that all users in this group
will be able to execute/read etc....)

However, I find that when I do this, only one user in the
group can execute the program, and it is the user I
logged in as when I created the group.

It is very strange, as the whole priniple behind groups,
is to group users and associate permissions to the group.

Anyway, I must be missing something.



-----Original Message-----
somewhere there are obviously more restrictive
Click to expand...
permissions. did you assign permissions to a shared
folder perhaps? even if you give full access on a share,
the actual directory will still restrict access.
 
You seem to understand the idea behind custom groups,
but you are not catching the distinction between ownership
and permissions in NTFS. The Owner does not automatically
get any permissions except for the permission to change the
permission grants. The custom group must still be granted
NTFS permissions, such as read/execute in your notepad
group example. Also, a member in the custom group must
not be denied (as compared to a grant permission) read/execute
(or any grant that includes read/execute, such as full control)
whether the denial is directly for that account or for any group
in which the account is a member.
 
Well I believe I have granted NTFS persmissions (FULL) to
the custom group. I performed this using the security
tab dialog, when one looks at the properties of an object
in explorer.

Am I missing something here?
 
Let us assume that there are no Deny ACEs in the
NTFS security, or if so, they do not affect the account.

By chance is the account where access is not being
effective the same as the one you are using to define
the custom group and grant the access ?

For new group memberships to be seen and used,
the account must be cycled through logoff/login.

Otherwise, all that should be involved for local (not
network share) access is:
account in custom group
custom group grants NTFS access
account, and no group of which it is member, is
not denied in the NTFS grants
 
Your right!!!

I found using cacls that there was a problem with the
NTFS grants.

Thanks a million!!!!!!!!!!!

Now I can really secure this system!!!!
 
glad it sorted

Your right!!!

I found using cacls that there was a problem with the
NTFS grants.

Thanks a million!!!!!!!!!!!

Now I can really secure this system!!!!
Click to expand...
 
Back
Top