IIS 6.0 and Integrated Security - restricting logins
03-29-05 11:20 PM
I want to restrict user access to certain parts of my web site by creating
local groups and adding those groups to the data folders that have the web
content. Right now, when I create a new local user and do not add them to any
group, he can access the web site, which is configured to use Integrated
Security only. How can this happen if the new user is not part of any groups
with access to the folders?
--
Sandy Wood
Orange County District Attorney
Re: IIS 6.0 and Integrated Security - restricting logins
03-30-05 01:48 AM
a) Use the IIS logs to verify which user account is being used (you
should see the user account in the log file)
b) Verify that this user account does not have NTFS permissions to the
file/folder in question. I suspect that they must via some kind of group.
Cheers
Ken
--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com
Re: IIS 6.0 and Integrated Security - restricting logins
03-30-05 01:48 AM
I checked the IIS logs and the test user I created, without any group
membership, was shown as logging in. The only users/groups I have on the data
directory are Administrators, CREATOR OWNER, SYSTEM and local USERS.
Could there be some other place that permissions are set? I'm only using
Integrated Security, nothing Anonymous.
Re: IIS 6.0 and Integrated Security - restricting logins
03-30-05 01:48 AM
Check the membership of the "Users" group. I suspect that your test user is
in that group.
Cheers
Ken
--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com
Re: IIS 6.0 and Integrated Security - restricting logins
03-30-05 10:58 PM
I dug out an old Win2k Res. Kit tool, w3who.dll, which after running gave me
the following Access Token info:
SERVER01\testuser
SERVER01\None
\Everyone
SERVER01\PROBATION
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
NT AUTHORITY\NTLM Authentication
If I check the user Member properties, he's not a member of any group at
all; however, this shows something a bit different.
We do have a local group called PROBATION, but inspecting its membership
shows testuser is not a member of it.
Perhaps the BUILTIN\Users could give permissions?
Re: IIS 6.0 and Integrated Security - restricting logins
03-30-05 10:58 PM
Your user is part of the Users group (as I mentioned). Remove the Users
group from the NTFS ACL (Access Control List) for the file or folder you are
attempting to restrict access to.
Cheers
Ken
--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com
Re: IIS 6.0 and Integrated Security - restricting logins
03-30-05 10:58 PM
Ken,
I took another closer look at my configuration and I had taken all the users
out of the Users folder, except I noticed that I left 'Authenticated Users'
still in there. Boy am I stupid. You're right, thanks for the tip. I also
noticed that someone had put \Everyone into the Probation group which
explains the other issue. The System was just doing what it was told.
Duh.
Thanks again for your help.
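The outcome of this thread, modeled as an added example (not part of any post, and not a Windows API): it expands a logon token the way the w3who output shows it and reports which ACL entry matches and through which membership chain. The group contents are constructed from what the thread reports; the function names and the `SERVER01\probuser` account are hypothetical.

```python
# Added illustration: a model of how a logon token picks up groups.
# Not a Windows API. Membership data is constructed from the thread.
LOCAL_GROUPS = {
    r"BUILTIN\Users": {r"NT AUTHORITY\Authenticated Users"},
    r"SERVER01\PROBATION": {"Everyone"},
}
# Identities Windows adds to every authenticated network logon; they never
# appear on the account's "Member Of" tab. (Subset of the w3who output.)
IMPLICIT = ["Everyone", r"NT AUTHORITY\Authenticated Users", r"NT AUTHORITY\NETWORK"]
# Data directory ACL as listed in the thread; entries are treated as allow ACEs.
DATA_ACL = [r"BUILTIN\Administrators", "CREATOR OWNER",
            r"NT AUTHORITY\SYSTEM", r"BUILTIN\Users"]


def token_groups(user, local_groups):
    """Map every principal in the user's token to the chain that put it there."""
    paths = {user: [user]}
    for principal in IMPLICIT:
        paths[principal] = [user, principal]
    changed = True
    while changed:  # repeat until no further group is pulled in
        changed = False
        for group, members in local_groups.items():
            if group in paths:
                continue
            via = next((m for m in sorted(members) if m in paths), None)
            if via is not None:
                paths[group] = paths[via] + [group]
                changed = True
    return paths


def granting_paths(user, acl, local_groups):
    """Return {ACE principal: membership chain} for ACEs matching the token."""
    token = token_groups(user, local_groups)
    return {ace: token[ace] for ace in acl if ace in token}


if __name__ == "__main__":
    user = r"SERVER01\testuser"
    print("as found:", granting_paths(user, DATA_ACL, LOCAL_GROUPS))
    # Ken's fix: drop Users from the folder ACL.
    print("Users ACE removed:", granting_paths(user, DATA_ACL[:3], LOCAL_GROUPS))
    # A local group on the ACL still admits everyone while Everyone is a member.
    with_group = DATA_ACL[:3] + [r"SERVER01\PROBATION"]
    print("PROBATION on ACL:", granting_paths(user, with_group, LOCAL_GROUPS))
    cleaned = {r"SERVER01\PROBATION": {r"SERVER01\probuser"}}  # hypothetical member
    print("PROBATION cleaned:", granting_paths(user, with_group, cleaned))
```

An empty result means no entry on the ACL matches the token, which is the state the folder needs to be in for accounts that were never placed in a group.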