OMG ntfs permissions suck!

[xyyz]

i have a DFS share that's mirrored on two servers. now, the permissions/security settings are identical on both shares, as well as the DFS share. unfortunately, for some reason, call it MSFT whim, i cannot execute software that resides on the share from my domain admin account.

oddly, i can access the software when i go through the local drive/directory, but when i try accessing either the DFS share or the network name thing (i forget the exact name, but it's something like \\server1\directory) i can't execute the file.

the permissions for the domain admin accounts are set to "full access" so i'm clueless as to why i can't run these files. even more odd is the fact i can execute the file when running it from the share with a non-domain admin account.

 

[stash]

Check the share permissions as well as NTFS permissions. The resultant permission is the least restrictive of the two. As a best practice, you should set share permissions wide open (Everyone: Full) and then control all access through NTFS.

 

[xyyz]

that's exactly how established the permissions. share permissions are set for "full control" for everyone, and then given granularity with the NTFS permissions. still no go.

 

[RebateMonger]

I've seen this exact problem and the cause in that case was improperly set Share permissions. When you access the data from the lcoal drive, the Share permissions don't apply. When you access them from a DFS Share or a Network Share (UNC), the Share permissions chime in.

Have you looked at the "Effective Permissions" for the files or folders? That's usually the easiest way to see what's wrong.

 

[xyyz]

effective permissions? got it. i'll give it a look.

just checked. the administrators have full access under effective permissions, so i don't know why it's refusing execution of the files.

 

[xyyz]

if anyone cares, the brilliant folks and daniel petri's site resolved this problem.

as it happens, the IE enhanced security configuration was causing the problem. apparently that also restricts the ability to run executables on non-included intranets.

 

[RebateMonger]

Originally posted by: xyyz
if anyone cares, the brilliant folks and daniel petri's site resolved this problem.

as it happens, the IE enhanced security configuration was causing the problem. apparently that also restricts the ability to run executables on non-included intranets.

Thanks for the followup.

Here's a link to the thread on Petri's forum.
From the related Help file:
"The enhanced security configuration also restricts access to scripts, executable files, and other potentially unsafe files on a UNC path unless it is added to the Local Intranet zone explicitly. For example, if you want to access \\server\share\setup.exe, you must add \\server to the Local intranet zone."

I'd probably never notice, since I tend to turn off the IE Enhanced Security. So spank me.

 

[xyyz]

msft outta' throw this in the NTFS permissions help file or something. it's pretty worthy to note that the ie enhanced config supersedes any type of ntfs permissions.

 

[Nothinman]

"The enhanced security configuration also restricts access to scripts, executable files, and other potentially unsafe files on a UNC path unless it is added to the Local Intranet zone explicitly. For example, if you want to access \\server\share\setup.exe, you must add \\server to the Local intranet zone."

That is absolutely retarded.

it's pretty worthy to note that the ie enhanced config supersedes any type of ntfs permissions.

It's not that it supersedes it but it's more layered on top of it. You still have the correct permissions and can read the file, so you can copy it locally and execute it, but explorer just won't let you run it directly from there.

 

[silverpig]

chmod 755

 

[RebateMonger]

Originally posted by: xyyz
Topic Title: OMG ntfs permissions suck!
Topic Summary: this thing is overly complex and rarely works.

Glad that you found a solution, and thanks for passing on your findings.

I do think you're a bit overboard on your criticism of NTFS permissions, though. "Rarely works" is a bit extreme. But I can certainly understand your frustration. That "IE Enhanced Security" catch is new to me and an unexpected complication.

Once you eliminate the "Sharing Permissions" variable with an "Everyone/Full control" checkbox, you are left with a rich set of NTFS Security settings. You don't HAVE to use them all, but they are there if you need them.

 

[HannibalX]

<---- Winderz Sys Admin

I don't have any problems with NTFS permissions. If you set them up correctly they work correctly.

 

[stash]

I think installing IE7 would eliminate this problem, since you can't enter file system paths in IE's address window anymore.

 

[nweaver]

who uses IE for browsing network shares anyway? I only use explorer, and have never had this issue.

 

[stash]

With IE6 I used to do this all the time, at least from a workstation. I would logon to the workstation with a standard account, then do a runas with my privileged account to open IE. Then I can browse to local or remote files using my elevated account. This is great since you can't open Explorer under another user context.

With IE7, you can't do this anymore.

 

[Agamar]

Hmm. I have never used IE to browse files on the domain. If I didn't have the share already mapped to a local drive letter, then I just go to the UNC path from Windows Explorer or do the "Start/Run" route.

 

[Nothinman]

I don't have any problems with NTFS permissions. If you set them up correctly they work correctly.

Of course if you know what you're doing and set them up right they're going to work fine, but that doesn't mean they're not overly complicated.

 

[nweaver]

Originally posted by: Nothinman

I don't have any problems with NTFS permissions. If you set them up correctly they work correctly.

Of course if you know what you're doing and set them up right they're going to work fine, but that doesn't mean they're not overly complicated.

permissions are complex...that is why we get the big bucks. Especially when you are managing FS permissions AND SMB permissions. NTFS (imho) is a bit more complex then linux FS permissions, but that's because I use the linux stuff more.

 

[Nothinman]

NTFS (imho) is a bit more complex then linux FS permissions, but that's because I use the linux stuff more.

There's a few corner cases on the Linux side to take care of special situations (like the sticky bit on a directory) but NTFS permissions are much more complicated, the very fact that an "effective permissions" button is needed should tell you something.

 

[Smilin]

Robust.

 

[Nothinman]

When used to describe software robust usually means something along the lines of handles and recovers from errors well and that's obviously not the case here.

 

[pcgeek11]

Robust.

It isn't complicated; It's ROBUST!

That is good! I love it! :laugh:

pcgeek11

 

[pcgeek11]

OOOPs...

 

[Smilin]

Originally posted by: pcgeek11
Robust.

It isn't complicated; It's ROBUST!

That is good! I love it! :laugh:

pcgeek11

In the world of IT knowledge NTFS permissions can hardly be called complicated IMHO. They take like what 5 minutes or less to explain?

 

[Nothinman]

In the world of IT knowledge NTFS permissions can hardly be called complicated IMHO.

Only because you work with them everyday. As someone who uses simple unix permissions everyday they're a lot more complicated and that added complexity comes with very little, if any, benefit.