ACL Permissions

Discussion in 'Windows Server' started by John Pugh, Dec 15, 2004.

  1. John Pugh

    John Pugh Guest


    I am having a problem that I thought some of you might be able to help with.

    The problem is that we have created a directory on a 2k3 standard box that
    can only be accessed using a set username and password (used for accessing
    web stats over the internet). I have done this many times before without a
    hitch but on one of our boxes it does not want to work at all!

    I have given the SYSTEM full control, Administrators full control and
    stats-viewer (the user who needs access) read and read & execute. This is
    the standard setup I have on all our boxes. I have also tried recreating all
    the permissions the wwwroot directory has and putting it in the wwwroot
    directory to no avail.

    With the IUSR user in place it works, allowing anonymous access, therefore
    IIS is pointing to the right place and serving up the pages so that is
    working, but when IUSR access is taken away it throws back a "HTTP Error
    401.3 - Unauthorized: Access is denied due to an ACL set on the requested
    resource." error when trying to login as stats-viewer. I have tried using
    Integrated and basic authentication, changing the user, changing the
    directory, creating a new web site in IIS, using Authdiag (which doesn't
    seem to shed light on the problem) all without success.

    Can anyone help, it's doing my head in!!!

    Many thanks,

    John Pugh
    John Pugh, Dec 15, 2004
  2. Andra

    Andra Guest

    Policies? Especially concerning the way the password is sent over the

    Andra, Dec 15, 2004
  3. John Pugh

    John Pugh Guest

    Thanks for the reply. I have compared the permissions between the two boxes
    (one that works and this one) and I can see very few differences, none in
    sections that I think might affect this problem. Is there anything specific
    that I should be looking for?
    John Pugh, Dec 15, 2004
  4. Enable auditing on logon events for success and failure and privilege use
    and object access for failure [probably only temporarily]. Enable auditing on
    that folder for that user. Then look in the security logs and Event Viewer
    in general for any possible helpful messages. I would also look in Local
    Security Policy on each computer and look for any differences under local
    policies for security options or user rights. Any differences found between
    the two boxes could be suspect. Also check any deny permissions to the
    folder which your user could be affected by through group membership. If
    this is a domain computer, run the netdiag support tool on it looking for any
    pertinent errors. -- Steve;en-us;301640 -- needs
    object access enabled first.
    Steven L Umbach, Dec 15, 2004
  5. John Pugh

    John Pugh Guest

    Hi Steve & Everyone else,

    I have looked through the local policy and everything seems the same between
    the boxes. I set up auditing, but again I get no failures and the box that is
    not working produces the same results as the others, yet it still won't let
    me view the web pages, grrr.

    If it was an office computer I would be reinstalling Windows at this point!
    But as it is in a data centre 100 miles away, that's not an option. By the
    way, it is a standalone server and not part of a domain.

    Thanks for all your help, any more suggestions?


    John Pugh, Dec 16, 2004
  6. Hmm. I can't think of much else other than also checking the special
    permissions for that folder in security/advanced to make sure that there is
    no group with deny permissions and also viewing the "effective permissions"
    tab for your user. Another thing to try is to temporarily add that user to
    the local administrators group or use the built in administrator account as
    the access account temporarily to see if that works. If that does work then
    there is a lack of permission or privilege for the regular user account. If
    it does not work something else weird is going on. Check the group membership
    of the user accounts that you are using to make sure that they are at least
    members of the local users group. --- Steve

    Steven L Umbach, Dec 16, 2004
  7. John Pugh

    John Pugh Guest

    It works as an Administrator, but not as a User even though the user in
    question is in the right groups. Is there any way to see what permissions
    each of the groups get, so that I can see what is different between the
    working boxes and this one?



    John Pugh, Dec 20, 2004
  8. You can use the free tool Dumpsec from Somarsoft or the Resource Kit tool
    showacl to see permissions to a folder or folders. Try adding the user that
    is denied access normally to the local administrators group to see what
    happens. If that works then I tend to think the user is lacking a user
    right. If it does not work then I think the user is a member of a group that
    has deny permissions applied somewhere along the line. To check user rights,
    open Local Security Policy [secpol.msc] and look for any user right where
    both administrators and IUSR user are included but the user or group that
    the user is a member of is not. Also keep in mind that any "deny" user right
    will override the same allow user right so take a close look at any deny user
    rights. Verify the user group membership with the " net user username "
    command [using real user name of course]. --- Steve --- Dumpsec.

    Steven L Umbach, Dec 20, 2004
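
The user-rights comparison suggested in the last reply can be scripted. This is an added example, not code from anyone in the thread. It assumes each server's rights were exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS`; the sample exports, the IUSR_WEB01/IUSR_WEB02 account names and the rights assignments shown are constructed for illustration.

```python
import re

# Constructed sample exports (working box, then the box that fails).
# *S-1-5-32-544 is the local Administrators group, *S-1-5-32-545 is Users.
WORKING_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,IUSR_WEB01
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,IUSR_WEB01
SeDenyNetworkLogonRight = SUPPORT_388945a0
[Version]
signature="$CHICAGO$"
"""
BROKEN_INF = """[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,IUSR_WEB02
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,IUSR_WEB02
SeDenyNetworkLogonRight = SUPPORT_388945a0,stats-viewer
"""

def parse_rights(inf_text):
    """Return {right: set of lowercased principals} from [Privilege Rights]."""
    rights, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip().lstrip("*").lower()
                                    for p in value.split(",") if p.strip()}
    return rights

def audit(rights, user_principals, admins="s-1-5-32-544", iusr_prefix="iusr_"):
    """Return (rights admins and IUSR hold but the user lacks, deny rights hitting the user)."""
    who = {p.lower() for p in user_principals}
    missing, denied = [], []
    for name, holders in sorted(rights.items()):
        if name.startswith("SeDeny"):
            if holders & who:          # a deny right overrides the matching allow
                denied.append(name)
        elif (admins in holders and not holders & who
              and any(h.startswith(iusr_prefix) for h in holders)):
            missing.append(name)
    return missing, denied

if __name__ == "__main__":
    user = {"stats-viewer", "S-1-5-32-545"}   # the account plus its groups
    for label, inf in (("working", WORKING_INF), ("broken", BROKEN_INF)):
        print(label, audit(parse_rights(inf), user))
```

Pass the account name together with every group it belongs to (as reported by `net user username`), since a right granted or denied to any of them applies to the user.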
