Windows 2000 GPO

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Windows 2000 GPO

    Hello,

    Sorry if this is old, I have looked for answers for some time now, and still haven't found anything.

    While on a Windows 2000 network at my school, I was working in Excel and noticed the hyperlink to the next page went through the server, and back to me instead of just to the file in my folder. I edited the hyperlink (which looked something like this: \\servername\home\grpstudnets\myname\myfolder) and changed my name to that of another student. Their folder popped up on my screen. I talked this over with the Administrator and apparently making a hyperlink to the folder allowed you to bypass the GPO. For example, you could not browse to \\servername and click on "home" (access denied) but making a hyperlink past home and into the next folder \\servername\home\nextfolder allowed you access. The problem was solved by putting individual access rights on every single folder. I could not find an answer anywhere (maybe I wasn't looking hard enough) and would really like to know why this was possible. I would very much appreciate it if someone could point me in the direction of perhaps a book or a paper that would help me find an answer to this.

    Regards,

    Murriandious.

  • #2
    Originally posted by murriandious
    The problem was solved by putting individual access rights on every single folder. I could not find an answer anywhere (maybe I wasn't looking hard enough) and would really like to know why this was possible.
    I can think of two possibilities:

    - The way the policy was written, it didn't/couldn't apply to those objects

    - There was a second policy applying to them that overrode the first

    It sounds like someone most likely missed or misconfigured something during the administrative process - but as for what that may be, without being able to fire up GPO on that box and start checking policies it's hard to say. Sorry if this is a bit vague, but it's kinda difficult to give an absolute answer in this case. Besides, it's entirely possible that there's some other explanation for all of this - but those two seem to be the most likely culprits to me.

    • #3
      GPOs are fun that way. The domain controller can say "no access to this file" then your user group can have access to all of it, then your user account can have access to some of it. Sort of like turning switches off and on and wondering where you land. I do it all the time. Sort of like saying "No one has Internet access, except folks in Maryland offices, but not the secretaries, unless the secretaries work on the bottom floor, except for the two by the water cooler." Yup, that's how weird it is. Hard to keep track of!

      • #4
        Thank you for taking the time to reply.
        I don't suppose it could have anything to do with the routers, could it? A friend told me that they thought the reason for this being possible was because they were using Windows routers.

        Regards,

        Murriandious.

        • #5
          Windows routers? At best he means Windows servers acting as routers because they have two network cards. At worst he is blowing smoke you know where.

          The routers are most likely Cisco. The routers technically can block routes. If you have to take exit #4 to get to the Internet and the router only makes mention of exit #1, 2, and 3, you are hosed. Most routers keep trying until they route out.

          My guess is that permissions let you into that file only but nowhere else. Just a guess without being there, you understand. Can you view permissions on the file?

          • #6
            Come to think of it, I am pretty sure they are using Cisco. I knew something funny was up when she claimed it was "the routers' fault" (along with there being such a thing as a Windows router). You can view the permissions on the folders, and I should not be able to access it, but if you use a hyperlink to go to a folder within the folder you are banned from, it works. For example:
            \\server click on home - access denied
            \\server\home\next folder - allowed.
            I do not have permissions to get into the next folder either but it still lets you in.

            Thank you for your replies.


            - Murriandious.

            • #7
              Some privileges are inherited from the parent folder. And I can let you have access to one file that is ten folders deep and deny access to everything else. Technically you do not have to go through the other layers to get to your file, like going to a room in a house.

              You can also set routers to limit access from certain IPs or MAC addresses.

              There is a program out there that reads permissions on all the files and folders and spits them out for you. Easy to see what went wrong where.

              • #8
                I'm going to have to disagree with any networking concept being the culprit in this situation. Strictly software side.

                • #9
                  Originally posted by astcell
                  Some privileges are inherited from the parent folder.
                  I would also lean towards inherited rights.
                  Man is least himself when he talks in his own person. Give him a mask, and he will tell you the truth

                  • #10
                    Apparently the folders I was going into were never meant to be seen by me. The GPO was set so that I could not get in, but I still could until the permissions on each folder (every one, it took them a long time :p ) were manually set. So I guess I will assume that this was a problem with the configuration of the GPO and nothing to do with so-called 'Windows routers'.

                    Thank you for all your help and posts.

                    Regards,

                    Murriandious.

                    • #11
                      Windows 2000 in native AD mode allows for groups to have "traverse" rights across folders so that you can drill down to your proper folder but not have view/read access to the above one.
                      Aut disce aut discede
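
The kind of permission dump mentioned in post #7, as an added example that is not part of the original thread: a PowerShell audit that walks the folders under a home share and reports every allow entry granted to a broad group, whether it was inherited, and whether inheritance is blocked on that folder. The share path, the depth and the list of "broad" group names are assumptions; run it from an account that can read ACLs on the share.

```powershell
# Added example: audit per-folder ACLs under a home share for overly broad access.
param(
    [string]$Root  = '\\servername\home',   # assumption: share path from the first post
    [int]   $Depth = 2                      # assumption: group folder + student folder
)

# Assumption: principals that should not hold rights on a per-student folder.
$Broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', '*\Domain Users'

function Test-BroadIdentity([string]$Identity) {
    foreach ($pattern in $Broad) {
        if ($Identity -like $pattern) { return $true }
    }
    return $false
}

function Get-BroadAce {
    param([string]$Path)
    # The ACL on the folder itself decides access when the path is opened directly,
    # so each folder is checked on its own rather than trusting the parent's deny.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and (Test-BroadIdentity $who)) {
            [pscustomobject]@{
                Folder             = $Path
                Identity           = $who
                Rights             = $ace.FileSystemRights
                Inherited          = $ace.IsInherited
                InheritanceBlocked = $acl.AreAccessRulesProtected
            }
        }
    }
}

Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
    ForEach-Object {
        try   { Get-BroadAce -Path $_.FullName }
        catch { Write-Warning "Could not read ACL on $($_.FullName): $_" }
    } |
    Sort-Object Folder, Identity |
    Format-Table -AutoSize -Wrap
```

Rows with `Inherited = True` point at a parent folder whose permissions flow down to the student folders; rows with `Inherited = False` are explicit grants set on that folder.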
