File Permissions

I'm trying to setup file permissions on a single file shared on the server,
whereby the Admisitrator has full control, but certain users have 'Read' only
permsision.
I want users to be able to access the file and read the contents, but no be
able to modify or change the contents.
Simple enough, but within the file's Security tab I have the Administrator,
and Users group added (nothing else), and permissions are set to Full control
for Administrator, and Read & Execute, and Read for the Users.
However, the users are unable to open the file (Access Denied), unless I
enable either Full Control or Write to their group permissions.
Why woudl the Write permission enable access, and allowing them to change
data obviously, but when unchecking the Write permission all access is
denied, even though Read and Read & Execute is checked.
There are no Deny boxes checked within the directory structure.
There seems to be too many variables.
Even if I just add each user to the Security list and enable Read only
permissions, they can't access the file, unless Write permission is also
checked.
Confused!!

Any help would be appreciated , Thanks

Thanks Brian for your help.
The file is actually a from a Calendar software (.ecf) program

I'm not sure about the 'write access'

I shall investigate

Thanks again

"Brian Cryer" wrote:

> "Nick" <> wrote in message
> news:0CE3239F-9C47-49E0-9872-...
> > I'm trying to setup file permissions on a single file shared on the
> > server,
> > whereby the Admisitrator has full control, but certain users have 'Read'
> > only
> > permsision.
> > I want users to be able to access the file and read the contents, but no
> > be
> > able to modify or change the contents.
> > Simple enough, but within the file's Security tab I have the
> > Administrator,
> > and Users group added (nothing else), and permissions are set to Full
> > control
> > for Administrator, and Read & Execute, and Read for the Users.
> > However, the users are unable to open the file (Access Denied), unless I
> > enable either Full Control or Write to their group permissions.
> > Why woudl the Write permission enable access, and allowing them to change
> > data obviously, but when unchecking the Write permission all access is
> > denied, even though Read and Read & Execute is checked.
> > There are no Deny boxes checked within the directory structure.
> > There seems to be too many variables.
> > Even if I just add each user to the Security list and enable Read only
> > permissions, they can't access the file, unless Write permission is also
> > checked.
> > Confused!!
> >
> > Any help would be appreciated , Thanks
>
> What type of file is it? Some files do require write access - for example an
> Access database will want to save a file to indicate that it has been opened
> by someone. This may apply to some other types of file too.
>
> In general though your approach is sound, to grant users read-only and the
> administrator full control.
> --
> Brian Cryer
> http://www.cryer.co.uk/brian
>
>
> .
>

Adding to Brian's comments, try giving users write-access to the
folder but read access to the file - just in case it is the Access
scenario and the calendar program is trying to create a .tmp file etc.


Jim

On Fri, 20 Aug 2010 04:26:03 -0700, Nick
<> wrote:

>Thanks Brian for your help.
>The file is actually a from a Calendar software (.ecf) program
>
>I'm not sure about the 'write access'
>
>I shall investigate
>
>Thanks again
>
>"Brian Cryer" wrote:
>
>> "Nick" <> wrote in message
>> news:0CE3239F-9C47-49E0-9872-...
>> > I'm trying to setup file permissions on a single file shared on the
>> > server,
>> > whereby the Admisitrator has full control, but certain users have 'Read'
>> > only
>> > permsision.
>> > I want users to be able to access the file and read the contents, but no
>> > be
>> > able to modify or change the contents.
>> > Simple enough, but within the file's Security tab I have the
>> > Administrator,
>> > and Users group added (nothing else), and permissions are set to Full
>> > control
>> > for Administrator, and Read & Execute, and Read for the Users.
>> > However, the users are unable to open the file (Access Denied), unless I
>> > enable either Full Control or Write to their group permissions.
>> > Why woudl the Write permission enable access, and allowing them to change
>> > data obviously, but when unchecking the Write permission all access is
>> > denied, even though Read and Read & Execute is checked.
>> > There are no Deny boxes checked within the directory structure.
>> > There seems to be too many variables.
>> > Even if I just add each user to the Security list and enable Read only
>> > permissions, they can't access the file, unless Write permission is also
>> > checked.
>> > Confused!!
>> >
>> > Any help would be appreciated , Thanks
>>
>> What type of file is it? Some files do require write access - for example an
>> Access database will want to save a file to indicate that it has been opened
>> by someone. This may apply to some other types of file too.
>>
>> In general though your approach is sound, to grant users read-only and the
>> administrator full control.
>> --
>> Brian Cryer
>> http://www.cryer.co.uk/brian
>>
>>
>> .
>>

No, I'm not using the Outlook Calendar, I'm using a program called "Efficient
Calendar" , which happens to look a lot like Outlook's calendar.

With regards Jim's comment, the folder's permissions are set to Write. (In
fact they are set to Full Control for all Entries)

Thanks

"Brian Cryer" wrote:

> Just to be sure, this isn't a plug-in for Outlook that you are talking
> about? If it is then its probably better to find a way to push it down to
> the individual pcs/laptops as otherwise your users will get an error if they
> try to start outlook but can't connect to the server - which will probably
> only be an issue for people with laptops who might be out and about.
>
> If its not for Outlook then I'd be interested in know what program this is
> for - but this is more for personal interest.
> --
> Brian Cryer
> http://www.cryer.co.uk/brian
>
> "Nick" <> wrote in message
> news:A0127E28-580F-4AC7-BC8D-...
> > Thanks Brian for your help.
> > The file is actually a from a Calendar software (.ecf) program
> >
> > I'm not sure about the 'write access'
> >
> > I shall investigate
> >
> > Thanks again
> >
> > "Brian Cryer" wrote:
> >
> >> "Nick" <> wrote in message
> >> news:0CE3239F-9C47-49E0-9872-...
> >> > I'm trying to setup file permissions on a single file shared on the
> >> > server,
> >> > whereby the Admisitrator has full control, but certain users have
> >> > 'Read'
> >> > only
> >> > permsision.
> >> > I want users to be able to access the file and read the contents, but
> >> > no
> >> > be
> >> > able to modify or change the contents.
> >> > Simple enough, but within the file's Security tab I have the
> >> > Administrator,
> >> > and Users group added (nothing else), and permissions are set to Full
> >> > control
> >> > for Administrator, and Read & Execute, and Read for the Users.
> >> > However, the users are unable to open the file (Access Denied), unless
> >> > I
> >> > enable either Full Control or Write to their group permissions.
> >> > Why woudl the Write permission enable access, and allowing them to
> >> > change
> >> > data obviously, but when unchecking the Write permission all access is
> >> > denied, even though Read and Read & Execute is checked.
> >> > There are no Deny boxes checked within the directory structure.
> >> > There seems to be too many variables.
> >> > Even if I just add each user to the Security list and enable Read only
> >> > permissions, they can't access the file, unless Write permission is
> >> > also
> >> > checked.
> >> > Confused!!
> >> >
> >> > Any help would be appreciated , Thanks
> >>
> >> What type of file is it? Some files do require write access - for example
> >> an
> >> Access database will want to save a file to indicate that it has been
> >> opened
> >> by someone. This may apply to some other types of file too.
> >>
> >> In general though your approach is sound, to grant users read-only and
> >> the
> >> administrator full control.
> >> --
> >> Brian Cryer
> >> http://www.cryer.co.uk/brian
> >>
> >>
> >> .
> >>
>
> .
>

In article <0CE3239F-9C47-49E0-9872->,
says...
>
> I'm trying to setup file permissions on a single file shared on the server,
> whereby the Admisitrator has full control, but certain users have 'Read' only
> permsision.
> I want users to be able to access the file and read the contents, but no be
> able to modify or change the contents.
> Simple enough, but within the file's Security tab I have the Administrator,
> and Users group added (nothing else), and permissions are set to Full control
> for Administrator, and Read & Execute, and Read for the Users.
> However, the users are unable to open the file (Access Denied), unless I
> enable either Full Control or Write to their group permissions.
> Why woudl the Write permission enable access, and allowing them to change
> data obviously, but when unchecking the Write permission all access is
> denied, even though Read and Read & Execute is checked.
> There are no Deny boxes checked within the directory structure.
> There seems to be too many variables.
> Even if I just add each user to the Security list and enable Read only
> permissions, they can't access the file, unless Write permission is also
> checked.
> Confused!!
>
> Any help would be appreciated , Thanks

On the SHARE - set all users to FULL CONTROL
On the FOLDER, Administrators, Sec Permissions, FULL CONTROL
Don't change SYSTEM account permissions on Security

Create a security group, lets call it SG_FOLDERNAME_RO (RO is read only,
to make it easy to identify).

On the FOLDER, remove EVERYONE, remove AUTHENTICATED USERS, ADD
SG_FOLDERNAME_RO

In the Security Group, add the user accounts needed (not "DOMAIN USERS"
and not "AUTHENTICATED USERS" to the group.

On the FOLDER, SECURITY, SG_FOLDERNAME_RO selected, remove all
permissions, don't set ANY deny, now add the permissions "read &
execute", "List folder contents" "READ" - actually, when you select
"read & execute" it will apply the other two.

Now, this will make the FOLDER FULL ACCESS for Administrators

The change will only apply after they've logged out and back into the
system 1 time, if they are already logged in and have already accessed
the share.


--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
(remove 999 for proper email address)

Thanks very much for your detailed help!
I follwed your instructions, and created a SG with only the users I want
listed.
Unfortunately this still isn't working for me.
Just so I haven't got the wrong ene of the stick:

Before I followed your instructions, I had a shared folder called "Calendar"
The "Calendar" share Permissions has the EVERYONE group only in there, and
set to Full Control
The "Calendar" Security Permissions, has Administrators, Creater Owner,
System, and Users (domain\users)
Adminstrators is set to FC
Users is set to Read & Ex, List Folder Contents
System is set to FC
Creator Owner has only Special Permissions selected

The saved calendar data file within "Calendar" folder. In the Security
Permissions, there is Administrators (set to FC)
System (set to FC)
Users (domain\users) (set to Read & Execute, and Read)

With these settings, the Administrator can have full access, but users have
"Access Denied" presented to them when opening the data file.
Only way they can see the data file, is to enable WRITE in the file's
security Users permissions.

I have tried various methods, like not inheriting permissions, and adding
the unique users to the security permissions with explicit permissions, but
all to no avail.



"Leythos" wrote:

> In article <0CE3239F-9C47-49E0-9872->,
> says...
> >
> > I'm trying to setup file permissions on a single file shared on the server,
> > whereby the Admisitrator has full control, but certain users have 'Read' only
> > permsision.
> > I want users to be able to access the file and read the contents, but no be
> > able to modify or change the contents.
> > Simple enough, but within the file's Security tab I have the Administrator,
> > and Users group added (nothing else), and permissions are set to Full control
> > for Administrator, and Read & Execute, and Read for the Users.
> > However, the users are unable to open the file (Access Denied), unless I
> > enable either Full Control or Write to their group permissions.
> > Why woudl the Write permission enable access, and allowing them to change
> > data obviously, but when unchecking the Write permission all access is
> > denied, even though Read and Read & Execute is checked.
> > There are no Deny boxes checked within the directory structure.
> > There seems to be too many variables.
> > Even if I just add each user to the Security list and enable Read only
> > permissions, they can't access the file, unless Write permission is also
> > checked.
> > Confused!!
> >
> > Any help would be appreciated , Thanks
>
> On the SHARE - set all users to FULL CONTROL
> On the FOLDER, Administrators, Sec Permissions, FULL CONTROL
> Don't change SYSTEM account permissions on Security
>
> Create a security group, lets call it SG_FOLDERNAME_RO (RO is read only,
> to make it easy to identify).
>
> On the FOLDER, remove EVERYONE, remove AUTHENTICATED USERS, ADD
> SG_FOLDERNAME_RO
>
> In the Security Group, add the user accounts needed (not "DOMAIN USERS"
> and not "AUTHENTICATED USERS" to the group.
>
> On the FOLDER, SECURITY, SG_FOLDERNAME_RO selected, remove all
> permissions, don't set ANY deny, now add the permissions "read &
> execute", "List folder contents" "READ" - actually, when you select
> "read & execute" it will apply the other two.
>
> Now, this will make the FOLDER FULL ACCESS for Administrators
>
> The change will only apply after they've logged out and back into the
> system 1 time, if they are already logged in and have already accessed
> the share.
>
>
> --
> You can't trust your best friends, your five senses, only the little
> voice inside you that most civilians don't even hear -- Listen to that.
> Trust yourself.
> (remove 999 for proper email address)
> .
>

In article <D0E6980C-1BBC-465A-B54C->,
says...
> With these settings, the Administrator can have full access, but users have
> "Access Denied" presented to them when opening the data file.
> Only way they can see the data file, is to enable WRITE in the file's
> security Users permissions.
>

Remove Creator/owner.

Click on the folder, security, advanced, apply permissions down the
folder to the file.

You may not have applied the permissions to the FILE itself, or the
OWNER of the file may be incorrect.

Open the share from one of the workstations, as the user in question,
browse to the file, right click, properties, select security, look at
the permissions as the user.

If you're getting DENIED when you open the folder then you've got
something else overriding the permissions. If the folder opens, do the
same on the file, if denied on the file then you've got to find the
incorrectly set permission.

You should also remove "Inherents from parent" setting.

Always apply permissions using GROUPS, never individual users, for
shares - it's a LOT easier to manage.

So, make sure that the permissions replicated to the FILE, go to a
workstation, test and let us know.

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
(remove 999 for proper email address)

Thanks again for your help.

I will have to think of another approach to this.

Still no joy with access to the file.

My Shared Folder, and also the file have only Administrator, and SG Group in
the Security permissions. Administrator set to FC on both, and SG set to,
Read & Execute, List Folder Contents, and Read, again on both folder and file.
No Inheritance on either.

At the Workstation, when checking the file's permissions, they are the same
as the Server's permissions.

Not sure if this in fact a program\software issue, as I notice if I make a
change to the file, and then delete\undo the change, it doesn't prompt me to
save the file when exiting the program..

Back to the drawing board.....

Thanks

"Leythos" wrote:

> In article <D0E6980C-1BBC-465A-B54C->,
> says...
> > With these settings, the Administrator can have full access, but users have
> > "Access Denied" presented to them when opening the data file.
> > Only way they can see the data file, is to enable WRITE in the file's
> > security Users permissions.
> >
>
> Remove Creator/owner.
>
> Click on the folder, security, advanced, apply permissions down the
> folder to the file.
>
> You may not have applied the permissions to the FILE itself, or the
> OWNER of the file may be incorrect.
>
> Open the share from one of the workstations, as the user in question,
> browse to the file, right click, properties, select security, look at
> the permissions as the user.
>
> If you're getting DENIED when you open the folder then you've got
> something else overriding the permissions. If the folder opens, do the
> same on the file, if denied on the file then you've got to find the
> incorrectly set permission.
>
> You should also remove "Inherents from parent" setting.
>
> Always apply permissions using GROUPS, never individual users, for
> shares - it's a LOT easier to manage.
>
> So, make sure that the permissions replicated to the FILE, go to a
> workstation, test and let us know.
>
> --
> You can't trust your best friends, your five senses, only the little
> voice inside you that most civilians don't even hear -- Listen to that.
> Trust yourself.
> (remove 999 for proper email address)
> .
>

In article <898B1B40-AB00-4A8F-BAA2->,
says...
> Not sure if this in fact a program\software issue, as I notice if I make a
> change to the file, and then delete\undo the change, it doesn't prompt me to
> save the file when exiting the program..
>
> Back to the drawing board.....
>

If the program allows updates to the file then it's opening it in R/W
mode.

Why not setup a special permissions security that denies DELETE, Change
Ownership, and give them RW permission?

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
(remove 999 for proper email address)

I will try the changes you suggest, and let you know the outcome

Thanks


"Leythos" wrote:

> In article <898B1B40-AB00-4A8F-BAA2->,
> says...
> > Not sure if this in fact a program\software issue, as I notice if I make a
> > change to the file, and then delete\undo the change, it doesn't prompt me to
> > save the file when exiting the program..
> >
> > Back to the drawing board.....
> >
>
> If the program allows updates to the file then it's opening it in R/W
> mode.
>
> Why not setup a special permissions security that denies DELETE, Change
> Ownership, and give them RW permission?
>
> --
> You can't trust your best friends, your five senses, only the little
> voice inside you that most civilians don't even hear -- Listen to that.
> Trust yourself.
> (remove 999 for proper email address)
> .
>