Odd inheritance problem on a directory

Discussion in 'Server Security' started by frankm, Apr 27, 2009.

  1. frankm

    frankm Guest

    Windows2003 server sp2.......

    It seems that there were at least 3 migrations of a directory from server to
    server.
    This appears to have left the directory structure permissions inconsistent.

    I have some logins on various directory level, with no permissions higher in
    the tree, telling me that I can't remove the login due to inheritance.

    This is a production system, I don't really want to remove all permissions
    and start over, I don't know what will break.
    Is there a way to override the inheritance (there isn't any anyway for the
    logins I need to remove.) for an individual login?

    Any ideas? There are oh so many other issues I need to fix, but can't until
    I fix this one.
     
    frankm, Apr 27, 2009
    #1

  2. I am not sure what you are saying. If the permissions are incorrect, someone
    with the Change Permissions permission can, well, change them.

    Paul
     
    Paul Baker [MVP, Windows Desktop Experience], Apr 27, 2009
    #2

  3. Al Dunbar

    Al Dunbar Guest

    I don't understand what it is you are referring to as an "individual logon".
    To me, a logon is an action, like when one logs on to a machine. Or are you
    referring to user accounts as logons?

    In either case, I don't know what it means to have "some logons on various
    directory levels", unless perhaps you are talking about permissions to users
    on various folders.

    Anyway, given a permissions structure that is no longer organized in a
    manageable way, I'd suggest that almost any permissions change you make
    has the potential of breaking *something*. That said, have you tried using
    the Advanced button from the Security tab and then clearing the "inherit from
    parent" checkbox?

    /Al
     
    Al Dunbar, Apr 28, 2009
    #3
  4. frankm

    frankm Guest

    There are domain logins that have permissions at certain levels of the
    directory tree; they do not have any apparent parent entry. I cannot remove
    them due to inheritance.




     
    frankm, Apr 28, 2009
    #4
  6. frankm

    frankm Guest

    There are domain logins (translated: user accounts) that have permissions at
    certain levels of the directory tree; they do not have any apparent parent
    entry. I cannot remove them due to inheritance.
     
    frankm, Apr 28, 2009
    #6
  7. I still don't follow, but does it help to know that you do not HAVE to
    inherit inheritable permissions?

    Choose Advanced
    Uncheck "Inherit from the parent..."
    Click Copy.

    Paul
     
    Paul Baker [MVP, Windows Desktop Experience], Apr 28, 2009
    #7
  8. frankm

    frankm Guest

    When I do that it removes ALL entries from the permissions and copies the
    higher level.
    I know this is normal.

    My problem is that I want to "dis-inherit", so to speak, for just one of the
    domain objects.
    In this case it is an individual user account.


     
    frankm, Apr 28, 2009
    #8
  9. Frank,

    We will have to try to use proper terminology to avoid confusion.

    "When I do that it removes ALL entries from the permissions and copied the
    higher level" - I take this to mean that when you do this, it no longer
    inherits (or copies) ALL Access Control Entries (ACEs) from the
    Discretionary Access Control List (DACL) of a parent.

    "My problem is that I want to "dis-inherit", so to speak, for just one of
    the domain objects. In this case it is an individual user account" - I
    take this to mean that there is just one inheritable ACE that you do not
    wish to inherit, and that the Security Identifier (SID) associated with it
    is that of a user.

    This is certainly not possible in the user interface. I am not certain, but
    my research of the documentation would suggest that this "disinheriting"
    behaviour is specified using the PROTECTED_DACL_SECURITY_INFORMATION flag
    which is specific to the object and therefore cannot be done at the ACE
    level.

    SECURITY_INFORMATION Data Type:
    http://msdn.microsoft.com/en-us/library/aa379573(VS.85).aspx

    Paul

     
    Paul Baker [MVP, Windows Desktop Experience], Apr 28, 2009
    #9
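The steps Paul gives in #7 (Advanced, uncheck "Inherit from the parent...", Copy) and the per-object protected-DACL flag he points at in #9 are the same operation seen from the GUI and from the API. The following PowerShell is an added example, not code from the thread or from any poster: it builds a scratch folder tree, performs the equivalent of "uncheck + Copy" on one subfolder, and then removes the entries of a single principal while the other copied entries stay in place. It assumes an elevated prompt, a scratch tree under `$env:TEMP`, and BUILTIN\Guests (S-1-5-32-546) standing in for the domain user account that is to be removed; the function and variable names are the example's own.

```powershell
# Added example, not code from the thread. PowerShell equivalent of
# "Advanced > uncheck Inherit from parent > Copy", followed by removing the
# entries of one principal while the other copied entries stay in place.
# Assumptions: an elevated prompt, a scratch tree under $env:TEMP, and
# BUILTIN\Guests (S-1-5-32-546) standing in for the domain user account.
$ErrorActionPreference = 'Stop'
$SidType = [System.Security.Principal.SecurityIdentifier]

# --- scenario: Data carries an inheritable ACE, Reports inherits it ---
$root   = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid().ToString('N'))
$parent = Join-Path $root 'Data'
$child  = Join-Path $parent 'Reports'
$null   = New-Item -ItemType Directory -Path $child -Force

$user = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-546'   # stand-in account
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $user, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl  = Get-Acl -Path $parent
$acl.AddAccessRule($rule)
Set-Acl -Path $parent -AclObject $acl      # Windows propagates the new ACE down to Reports

function Show-Dacl([string]$Path) {
    $acl = Get-Acl -Path $Path
    '{0}  [DACL protected: {1}]' -f $Path, $acl.AreAccessRulesProtected
    foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
        $origin = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        '  {0,-14} {1,-5} {2,-9} {3}' -f $ace.IdentityReference.Value, $ace.AccessControlType,
                                          $origin, $ace.FileSystemRights
    }
}

function Remove-IdentityFromFolder([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid) {
    $acl = Get-Acl -Path $Path
    $inherited = @($acl.GetAccessRules($true, $true, $SidType) |
                   Where-Object { $_.IsInherited -and $_.IdentityReference.Value -eq $Sid.Value })
    if ($inherited.Count -gt 0) {
        # These entries carry the INHERITED_ACE flag, which is why the UI refuses to delete
        # them one by one. "Uncheck Inherit from parent" + "Copy" = set the per-object
        # SE_DACL_PROTECTED flag and turn every inherited ACE into an explicit copy.
        $acl.SetAccessRuleProtection($true, $true)
    }
    # Nothing on this folder is inherited any more, so one SID can be taken out cleanly.
    $acl.PurgeAccessRules($Sid)
    Set-Acl -Path $Path -AclObject $acl
}

'--- before ---'; Show-Dacl -Path $child
Remove-IdentityFromFolder -Path $child -Sid $user
'--- after ---';  Show-Dacl -Path $child
Remove-Item -Path $root -Recurse -Force   # discard the scratch tree
```

In the "after" listing the folder should report `DACL protected: True`, the Guests entry should be gone, and every remaining entry should show as `explicit`, which is exactly the "removes ALL entries and copies the higher level" behaviour described in #8. The cost is the one Al warns about: from this point on the folder no longer receives permission changes made higher in the tree, so run this on a copy of the production tree first and keep a `Get-Acl | Export-Clixml` of each folder before touching it.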
  10. frankm

    frankm Guest

    I apologize for not using proper terminology.
    As I am not an AD admin, I don't have that direct and experienced frame of
    reference.
    In trying to research the issue on my own, it was difficult to find exactly
    what I needed, in part due to the terminology issue (text searches are only
    as good as the text you enter).
    So, I went to the experts to help me translate.

    Thank you for your answer. It looks like I will just have to go through a
    couple of hundred folders, see what their perms are, break inheritance and
    copy from the higher levels. Then go back and apply the necessary
    permissions.




     
    frankm, Apr 29, 2009
    #10
  11. FlyDye

    FlyDye Guest

    I’ve seen this happen in data migrations when using applications like
    SecureCopy. What happens is the ACL, including the inheritance flag, is
    copied to a different server under a different parent folder. So, when you
    look at the permissions you’ll see ACLs that appear to be inherited from the
    parent (because of the inheritance flag), but are not actually inherited.

    You could try to use XCACLS
    (http://support.microsoft.com/default.aspx/kb/825751) to change the
    permission, or simply uncheck inheritance, remove everybody and recheck
    inheritance. A better approach would be to replace the permissions on child
    objects from the parent directory (be careful though!).


     
    FlyDye, May 7, 2009
    #11
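FlyDye's explanation is the one that fits frankm's symptoms: an ACE that carries the INHERITED_ACE flag but has no counterpart on the folder's real parent. Such an entry cannot be selected for removal in the UI, yet nothing above it will ever "un-inherit" it either. The PowerShell below is an added example, not code from the thread or from any poster. It reproduces the artefact with a same-volume `Move-Item` (NTFS keeps the moved folder's security descriptor as it is, inherited flags included, which is the same end state a copy tool that carries ACLs across produces), reports every ACE on a tree that claims to be inherited but has no source in the actual parent, and then repairs one folder the way FlyDye suggests: drop the inherited entries, re-enable inheritance, and let Windows fill them in again from the current parent. It assumes an elevated prompt, a scratch tree under `$env:TEMP`, and BUILTIN\Guests (S-1-5-32-546) standing in for the stray domain account; the function and variable names are the example's own.

```powershell
# Added example, not code from the thread. Reproduces an ACE that is flagged
# inherited but has no source in the folder's real parent, finds such entries
# across a tree, and repairs one folder by dropping its inherited entries and
# re-enabling inheritance from the current parent.
# Assumptions: an elevated prompt, a scratch tree under $env:TEMP, and
# BUILTIN\Guests (S-1-5-32-546) standing in for the stray domain account.
$ErrorActionPreference = 'Stop'
$SidType = [System.Security.Principal.SecurityIdentifier]

# --- scenario: Finance inherits an ACE under OldServer, then is moved under NewServer ---
$root     = Join-Path $env:TEMP ('acl-orphan-' + [guid]::NewGuid().ToString('N'))
$oldShare = Join-Path $root 'OldServer'
$newShare = Join-Path $root 'NewServer'
$null = New-Item -ItemType Directory -Path (Join-Path $oldShare 'Finance'), $newShare -Force

$stray = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-546'   # stand-in account
$rule  = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
             -ArgumentList $stray, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl = Get-Acl -Path $oldShare
$acl.AddAccessRule($rule)
Set-Acl -Path $oldShare -AclObject $acl                  # propagates to OldServer\Finance
# A move inside one volume is a rename: the security descriptor travels unchanged.
Move-Item -Path (Join-Path $oldShare 'Finance') -Destination $newShare
$finance = Join-Path $newShare 'Finance'

function Get-OrphanedInheritedAce([string]$Path) {
    # Inherited-flagged ACEs on $Path that no ACE on the actual parent can have produced.
    $parentRules = (Get-Acl -Path (Split-Path -Path $Path -Parent)).GetAccessRules($true, $true, $SidType)
    foreach ($ace in (Get-Acl -Path $Path).GetAccessRules($true, $true, $SidType)) {
        if (-not $ace.IsInherited) { continue }
        # An inherited ACE on a folder needs a parent ACE for the same SID, same Allow/Deny,
        # same rights, that is marked to propagate (ContainerInherit or ObjectInherit).
        # Rights are compared exactly, so tools that wrote generic rights can produce false
        # positives: treat the report as a list to verify, not one to act on blindly.
        $source = $parentRules | Where-Object {
            $_.IdentityReference.Value -eq $ace.IdentityReference.Value -and
            $_.AccessControlType -eq $ace.AccessControlType -and
            $_.FileSystemRights  -eq $ace.FileSystemRights -and
            $_.InheritanceFlags  -ne [System.Security.AccessControl.InheritanceFlags]::None
        }
        if (-not $source) {
            New-Object PSObject -Property @{
                Path = $Path; Identity = $ace.IdentityReference.Value
                Type = $ace.AccessControlType; Rights = $ace.FileSystemRights }
        }
    }
}

function Repair-InheritanceFromParent([string]$Path) {
    $acl = Get-Acl -Path $Path
    # "Uncheck inheritance, remove everybody": protecting without copying strips every
    # INHERITED_ACE entry from the in-memory DACL; explicit entries on the folder survive.
    $acl.SetAccessRuleProtection($true, $false)
    # "Recheck inheritance": clear the protected flag again, so that on Set-Acl Windows
    # fills the inherited entries in from the folder's *current* parent.
    $acl.SetAccessRuleProtection($false, $false)
    Set-Acl -Path $Path -AclObject $acl
}

'--- ACEs flagged inherited with no source in the parent, under {0} ---' -f $root
Get-ChildItem -Path $root -Recurse | Where-Object { $_.PSIsContainer } |
    ForEach-Object { Get-OrphanedInheritedAce -Path $_.FullName } |
    Format-Table Path, Identity, Type, Rights -AutoSize

Repair-InheritanceFromParent -Path $finance
$left = @(Get-OrphanedInheritedAce -Path $finance)
'entries left on {0} after repair: {1}' -f $finance, $left.Count
Remove-Item -Path $root -Recurse -Force                  # discard the scratch tree
```

The report should list exactly one row, the Guests entry on NewServer\Finance, and the count after the repair should be 0, with the entries inherited from the scratch root still present because the new parent really does supply them. The repair keeps the folder's own explicit entries and only rebuilds the inherited ones, which is the difference from the break-and-copy route in #7: nothing is left behind as a stale explicit copy, and the folder keeps following its parent afterwards. On a tree with a couple of hundred folders, run the report first, review it, and only then call the repair function on the folders it names, since the "replace permissions on child objects" action FlyDye mentions does the same rebuild for every descendant in one go and will also wipe any explicit entries that were set on purpose below.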
