New folder has insufficient permissions (Mac OS X Server) - macos

I have configured the workgroup manager on Mac OS X Server (10.5.8) with 5 network users in 2 groups. Now I notice that when a network user makes a new folder, the folder is created with read & write permissions for that user, but the group to which the user belongs (as well as "everyone") has only read permissions and other network users are not able to add files or change things in the folder.
I found something about changing the umask by adding a launchd-users.conf file configuring the umask default setting. I did that on the server but that doesn't change anything.
It's a very annoying issue and I hope it's easy to fix. I'm not an expert, so I'm not sure if you know enough with the details above. If necessary I can provide further details.
Thanks a lot!

The basic problem is that the standard unix (/posix) permissions have no good way to control inheritance. Fortunately, there is a solution: grant access to the group via access control list (ACL) extended permissions, which do allow inheritance.
I don't have a 10.5 server handy, but I think the interface is pretty similar to 10.6: in Server Admin -> server name in the sidebar -> File Sharing icon in the top bar -> navigate to the folder/share point you want to grant group access to. If necessary, select the Permissions tab under the file navigator. Click the "+" button under the permissions list to open the users & groups floating window, select Groups in the window, then drag the group you want to grant access to into the ACL (not POSIX) part of the permissions list. Change the Permission for the new ACL entry to "Read & Write", then click Save.
Note that the new ACL entry should have "Applies To" set to "This folder, Child folders, Child files, All descendants", which is what you want; but that only actually applies to new files/folders as they're created. To apply to the current contents, pull down the "action" (gear icon) popup menu under the permissions list, select "Propagate permissions", and propagate the ACL permissions to the current contents of the folder.

I made a new test folder and ran the ls -le command on the higher-level folder and got this as a result:
drwxr-xr-x+ 2 stein ACCOUNTING 68 Nov 14 09:18 Testfolder
0: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
1: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
2: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
3: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
4: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
5: group:ACCOUNTING inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
6: group:ADMINISTRATION inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
I think these are the ACL permissions, right? I'm not sure how to get the POSIX permissions via the command line. If this is not what you need to know, can you let me know how to get the information you need, as I'm obviously not an expert?
When I told you before what the group and user permissions were, I just right-clicked the folder and checked "Get Info". I don't know if these are the POSIX permissions or not. If I check the info, I see "spotlight" about 4 times, the group "ACCOUNTING" once with custom rights and once with "Read" rights, the user "John" that created the folder with "Read & Write" rights, and "everyone" with "Read" rights...
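To make sense of a listing like the one above, here is an added example (my own code, not from the thread or from Apple): a small Python parser for "ls -le" output that separates the POSIX mode bits from the ACL entries and reports, for a given group, whether write access comes from the POSIX group bit or from an ACE, and whether that ACE carries the inheritance flags. The sample listing is constructed in the same format; the evaluation rule it applies (the first ACE naming the group that mentions a write right decides, POSIX bits apply otherwise) is a simplification of the real order.

```python
# Constructed sample in the format Mac OS X `ls -le` prints: a POSIX mode line,
# then the ACL entries (ACEs) of that item in evaluation order. The entries for
# "Testfolder" follow the listing in the thread; the ADMINISTRATION line carries
# stray spaces after commas, as a hand-copied listing may, to show that the
# parser tolerates them. "NoAclFolder" has POSIX bits only.
SAMPLE_LS_LE = """\
drwxr-xr-x+ 2 stein ACCOUNTING 68 Nov 14 09:18 Testfolder
 0: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
 1: group:ACCOUNTING inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
 2: group:ADMINISTRATION inherited allow list ,add_file ,search ,delete,add_subdirectory ,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
drwxr-xr-x  2 stein ACCOUNTING 68 Nov 14 09:20 NoAclFolder
"""

import re

# One ACE line: " 5: group:ACCOUNTING inherited allow list,add_file,..."
ACE_RE = re.compile(r"^\s*(\d+):\s+(user|group):(\S+)\s+(?:(inherited)\s+)?(allow|deny)\s+(.*)$")

# Rights that together let a principal create things inside a directory.
WRITE_RIGHTS = {"add_file", "add_subdirectory"}
# Flags that make an ACE propagate to files/folders created later.
INHERIT_FLAGS = {"file_inherit", "directory_inherit"}


def parse_ls_le(text):
    """Return one dict per listed item: POSIX fields plus its parsed ACEs."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = ACE_RE.match(raw)
        if m and entries:
            idx, kind, who, inherited, effect, rights = m.groups()
            entries[-1]["aces"].append({
                "index": int(idx),
                "kind": kind,
                "who": who,
                "inherited": inherited is not None,
                "effect": effect,
                # split on commas and drop whitespace so "list ,add_file" parses cleanly
                "rights": {r.strip() for r in rights.split(",") if r.strip()},
            })
            continue
        # Mode line: mode links owner group size month day time name (name may contain spaces)
        fields = raw.split(None, 8)
        if len(fields) < 9:
            raise ValueError("unrecognised ls -le line: %r" % raw)
        mode, _links, owner, group, _size, _mon, _day, _time, name = fields
        entries.append({
            "name": name,
            "mode": mode,
            "owner": owner,
            "group": group,
            "has_acl": "+" in mode,   # ls marks items that carry an ACL with "+"
            "aces": [],
        })
    return entries


def audit_group_write(entry, group):
    """Work out whether members of `group` may create content in `entry`, and why.

    Simplified rule: ACEs are checked in order and the first one naming the group
    that mentions a write right decides; if none applies, the POSIX group bits
    are used. Position 5 of the mode string is the group "w" bit.
    """
    posix_write = entry["group"] == group and entry["mode"][5] == "w"
    acl_allow = acl_deny = acl_inherits = False
    for ace in entry["aces"]:
        if ace["kind"] != "group" or ace["who"] != group:
            continue
        if not (ace["rights"] & WRITE_RIGHTS):
            continue  # this ACE says nothing about adding files; keep looking
        if ace["effect"] == "deny":
            acl_deny = True
        else:
            acl_allow = WRITE_RIGHTS <= ace["rights"]
            acl_inherits = INHERIT_FLAGS <= ace["rights"]
        break
    return {
        "posix_group_write": posix_write,
        "acl_allows_write": acl_allow,
        "acl_denies_write": acl_deny,
        "acl_inherits": acl_inherits,
        "effective_write": acl_allow or (not acl_deny and posix_write),
    }


def report(entries, group):
    """Names of listed items that members of `group` still cannot write to."""
    return [e["name"] for e in entries if not audit_group_write(e, group)["effective_write"]]


if __name__ == "__main__":
    for e in parse_ls_le(SAMPLE_LS_LE):
        print(e["name"], audit_group_write(e, "ACCOUNTING"))
```

Read against the listing above: "drwxr-xr-x" is the POSIX part (owner rwx, group r-x, everyone r-x) and the trailing "+" says an ACL is attached; the "group:ACCOUNTING ... add_file ... file_inherit,directory_inherit" line is the ACE that actually grants the group write access and propagates it to new items. The same ACE can be added from a Terminal with chmod +a "group:ACCOUNTING allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" /path/to/sharepoint, and chmod -R +a ... applies it to the existing contents, which is what "Propagate permissions" does in Server Admin.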

Related

Windows permission on a folder to let a specific user create, modify and read files but nobody can delete any file (file shared via an AD)

I would like to set the permissions on the folder C:\Share\Project\Project1 (and the previous one if needed) to let a specific user "Bob" create, modify and read files, but I don't want anybody to be able to delete files. Those folders are shared via an AD and Bob accesses them via this path: \\WIN-SRV1\Share\Project\Project 1. I have all the permissions on those devices; both Bob and the hosting server are on Windows.
I think I tried every advanced security permission setting for David and Everyone etc., and the advanced sharing settings.
Thank you in advance :)

Windows Share Permissions for Domain Admins not working

I'm setting up a new share that I've enabled enumerated access on. I'm looking to limit people's access to files in a certain folder. I've set up other folders that restrict access unless you're in a security group. This folder that's giving me trouble was copied over from another network share. When I create a folder from scratch everything works fine, so I'm curious if that's what's giving me issues.
The folder I'm trying to access is
x:/Limerock/Projects/"Project Name"
If I go into the security tab and check my effective access it says that I have full control:
The user I'm signed in as is joe.jankowiak, which is part of the Domain Admins security group. Domain Admins owns all the folders above this and has full control.
When trying to enter the folder it tells me I need to request permission. I'm an admin so it goes through and adds "joe.jankowiak" to the full control list in the security permissions.
Why is it not taking my domain admin credentials to enter this folder? I'm seeing other weird behavior such as it saying "Unable to display current owner." and "You must have read permissions to view the properties of this object". Clicking continue lets me see it.
Everything looks right; I've set up 6 other new folders in the exact same manner and they work fine. I've signed in and out many times but it hasn't fixed it. Weirdly enough, another computer I signed into lets me access the folder just fine. Is there a way to reload file permissions, since logging in/out doesn't seem to do it? Is there a command like gpupdate that I should run?
I have seen this before and you might need to do the following operations in order:
- Replace ownership on the folder and replace all child object ownership too => Apply or OK
- Close the security properties and re-open them again
- Add Domain Admins with Full Control and replace all child object permissions... => Apply/OK
That should do it.

How to deny read access to a file for all users except a group in Team Foundation Server?

I want to protect a file in TFS (not even read access).
Do we have an option in Team Foundation Server to hide a file from all except for a particular group?
If you edit the permissions for that single file you can change the reader and contributor groups from "inherit" to "not inherit". You can then change all of the permissions for all of the groups to "not configured" to remove permission without denying. Then add your special group and set "allow".
Yes, you can deny all permissions of a particular group for a specific file with TFS 2013.
Use the Source Control Explorer to find the file of interest. Right-click on that file and select "Advanced - Security...". A "Properties for " window will be displayed with the "Security" tab selected. Select the group of interest from those listed [or create it if it does not yet exist]. Then in the "Permissions" section, select the "Deny" checkbox for all permissions starting with the "Read" permission.
The "Deny" permission has precedence over the "Allow" permission, so this should enable you to obtain the desired end result.

Remove owner rights

I have a write-restricted folder which may only be written in if the user is in a specific group or has been explicitly given the rights to do so. I have successfully implemented that with C++ using SetNamedSecurityInfo on the folder with the specified groups and users. However, the following scenario gives me trouble:
Admin gives write-rights to user
User creates a file
Admin removes write-rights from user
User keeps writing in the file
The last point is the problem. Since the user is the owner of the file he can write in it, even though the admin removed the right (by removing group membership for example).
I want to accomplish that the ownership of a file does not grant any rights to the owner in that restricted folder.
You need to remove the CREATOR OWNER SID from the folder, and push that down to the files.

Windows / Active Directory - User / Groups

I'm looking for a way to find the Windows login associated with a specific group. I'm trying to add permissions to a tool that only allows names formatted like:
DOMAIN\USER
DOMAIN\GROUP
I have a list of users in active directory format that I need to add:
ou=group1;ou=group2;ou=group3
I have tried adding DOMAIN\Group1, but I get a 'user not found' error.
P.S. It should also be noted that I'm not a LAN admin.
Programmatically or manually?
Manually, I prefer AdExplorer, which is a nice Active Directory browser. You just connect to your domain controller and then you can look for the user and see all the details. Of course, you need permissions on the Domain Controller, not sure which though.
Programmatically, it depends on your language of course. On .NET, the System.DirectoryServices namespace is your friend. (I don't have any code examples here unfortunately.)
For Active Directory, I'm not really an expert apart from how to query it, but here are two links I found useful:
http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm
http://en.wikipedia.org/wiki/Active_Directory (General stuff about the Structure of AD)
You need to go to the Active Directory Users Snap In after logging in as a domain admin on the machine:
Go to Start --> Run and type in mmc.
In the MMC console go to File --> Add/Remove Snap-In. Click Add, select Active Directory Users and Computers and select Add.
Hit Close and then hit OK.
From here you can expand the domain tree and search (by right-clicking on the domain name).
You may not need special privileges to view the contents of the Active Directory domain, especially if you are logged in on that domain. It is worth a shot to see how far you can get.
When you search for someone, you can select the columns from View --> Choose Columns. This should help you search for the person or group you are looking for.
You do not need domain admin rights to look at the active directory. By default, any (authenticated?) user can read the information that you need from the directory.
If that wasn't the case, for example, a computer (which has an associated account as well) could not verify the account and password of its user.
You only need admin rights to change the contents of the directory.
I think it is possible to set more restricted permissions, but that's not likely the case.
OU is an Organizational Unit (sort of like a subfolder in Explorer), not a group. Hence group1, 2 and 3 are not actually groups.
You are looking for the DN Attribute, also called "distinguishedName". You can simply use DOMAIN\DN once you have that.
Edit: For groups, the CN (Common Name) could also work.
The full string from Active Directory normally looks like this:
cn=Username,cn=Users,dc=DomainName,dc=com
(Can be longer or shorter, but the important bit is that the "ou" part is worthless for what you're trying to achieve.)
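As an added example (my own code, not from the thread), here is a Python parser for distinguished names of the kind quoted above. It splits the DN into its components while honouring backslash escapes, so a group whose name contains a comma does not break the split, and it tells apart the object's own name from the OU containers it sits in and the DC components that spell the DNS domain. The sample DNs are constructed. One point worth keeping in mind when feeding a tool that wants DOMAIN\NAME: the NetBIOS domain name and the account's logon name (the sAMAccountName attribute) are separate attributes that the DN does not encode, so the parser can show you which names are merely OUs, but the logon name still has to be looked up in AdExplorer or the Users and Computers snap-in.

```python
# Constructed DNs in the shape the thread describes. The leaf RDN is the object's
# own name; everything after it is the container path (OUs, or the built-in
# Users container) and the DC components that spell the DNS domain. The last
# one has an escaped comma inside a value, which a naive split on "," would break.
SAMPLE_DNS = [
    "cn=Username,cn=Users,dc=DomainName,dc=com",
    "CN=Bob Smith,OU=group1,OU=group2,OU=group3,DC=example,DC=com",
    "CN=Finance\\, Team,OU=Groups,DC=example,DC=com",
]


def split_dn(dn):
    """Split a distinguished name into [(attribute, value), ...], leaf first.

    Honours backslash escapes (\\, and \\\\) as in RFC 4514; attribute names are
    lower-cased so CN and cn compare equal. Assumes no value starts or ends with
    an escaped space, which AD does not produce for ordinary objects.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if ch == ",":                  # unescaped comma ends the current RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN in %r: %r" % (dn, part))
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def describe_dn(dn):
    """Separate the object's name from its OU path, containers and DNS domain."""
    rdns = split_dn(dn)
    leaf_attr, leaf_value = rdns[0]
    return {
        "name": leaf_value,
        "leaf_attr": leaf_attr,
        "ou_path": [v for a, v in rdns[1:] if a == "ou"],
        "containers": [v for a, v in rdns[1:] if a in ("ou", "cn")],
        "dns_domain": ".".join(v for a, v in rdns if a == "dc"),
    }


def is_ou_not_group(dn, candidate):
    """True when `candidate` only appears as an OU component of `dn`, i.e. it is
    a container and not the object itself (the mix-up behind DOMAIN\\Group1)."""
    rdns = split_dn(dn)
    wanted = candidate.lower()
    if rdns[0][1].lower() == wanted:
        return False
    return any(a == "ou" and v.lower() == wanted for a, v in rdns[1:])


if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(dn, "->", describe_dn(dn))
```

Running it on the second sample shows that group1, group2 and group3 are all in "ou_path" and the object is "Bob Smith", which is why "DOMAIN\Group1" produced a 'user not found' error in the question.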
Well, AdExplorer runs on your Local Workstation (which is why I prefer it) and I believe that most users have read access to AD anyway because that's actually required for stuff to work, but I'm not sure about that.
Install the "Windows Support Tools" that is on the Windows Server CD (CD 1 if it's Windows 2003 R2). If your CD/DVD drive is D: then it will be in D:\Support\Tools\SuppTools.msi
This gives you a couple of additional tools to "get at" AD:
LDP.EXE - good for reading information in AD, but the UI kinda stinks.
ADSI Edit - another snap-in for MMC.EXE that you can both browse AD with and get to all those pesky AD attributes you're looking for.
You can install these tools on your local workstation and access AD from there without domain admin privileges. If you can log on to the domain, you can at least query/read AD for this information.
Thanks adeel825 & Michael Stum.
My problem is, though, I'm in a big corporation and do not have access to log in as the domain admin nor to view the Active Directory, so I guess my solution is to try and get that level of access.
