ACL Permissions

Hi,

I am having problem that I thought some of you might be able to help,

The problem is that we have created a directory on a 2k3 standard box that
can only be accessed using a set username and password (used for accessing
web stats over the internet) I have done this many times before without a
hitch but on one of our boxes it does want to work at all!

I have given the SYSTEM full control, Administrators full control and
stats-viewer (the user who needs access) read and read & execute. This is
the standard setup I have on all our boxes. I have also tried recreating all
the permissions the wwwroot directory has and putting it in the wwwroot
directory to no avail.

With the IUSR user in place it works, allowing anonymous access, therefore
IIS is pointing to the right place and serving up the pages so that is
working, but when IUSR access is taken away it throws back a "HTTP Error
401.3 - Unauthorized: Access is denied due to an ACL set on the requested
resource." error when trying to login as stats-viewer. I have tried using
Integrated and basic authentication, changing the user, changing the
directory, creating a new web site in IIS, using Authdiag (which doesn't
seem to shed light on the problem) all without success.

Can anyone help, its doing my head in!!!

Many thanks,

John Pugh

Policies? Especially concerning the way the password is sent over the
network.

John Pugh wrote
> Hi,
>
> I am having problem that I thought some of you might be able to help,
>
> The problem is that we have created a directory on a 2k3 standard box that
> can only be accessed using a set username and password (used for accessing
> web stats over the internet) I have done this many times before without a
> hitch but on one of our boxes it does want to work at all!
>
> I have given the SYSTEM full control, Administrators full control and
> stats-viewer (the user who needs access) read and read & execute. This is
> the standard setup I have on all our boxes. I have also tried recreating
all
> the permissions the wwwroot directory has and putting it in the wwwroot
> directory to no avail.
>
> With the IUSR user in place it works, allowing anonymous access, therefore
> IIS is pointing to the right place and serving up the pages so that is
> working, but when IUSR access is taken away it throws back a "HTTP Error
> 401.3 - Unauthorized: Access is denied due to an ACL set on the requested
> resource." error when trying to login as stats-viewer. I have tried using
> Integrated and basic authentication, changing the user, changing the
> directory, creating a new web site in IIS, using Authdiag (which doesn't
> seem to shed light on the problem) all without success.
>
> Can anyone help, its doing my head in!!!
>
> Many thanks,
>
> John Pugh

Thanks for the reply, I have compared the permissions between the two boxes
(one that works and this one) and I can see very little differences, none in
sections that I think might affect this problem is there anything specific
that I should be looking for?



"Andra" <andraatlatnetdotlv> wrote in message
news:(E-Mail Removed)...
> Policies? Especially concerning the way the password is sent over the
> network.
>
> John Pugh wrote
>> Hi,
>>
>> I am having problem that I thought some of you might be able to help,
>>
>> The problem is that we have created a directory on a 2k3 standard box
>> that
>> can only be accessed using a set username and password (used for
>> accessing
>> web stats over the internet) I have done this many times before without a
>> hitch but on one of our boxes it does want to work at all!
>>
>> I have given the SYSTEM full control, Administrators full control and
>> stats-viewer (the user who needs access) read and read & execute. This is
>> the standard setup I have on all our boxes. I have also tried recreating
> all
>> the permissions the wwwroot directory has and putting it in the wwwroot
>> directory to no avail.
>>
>> With the IUSR user in place it works, allowing anonymous access,
>> therefore
>> IIS is pointing to the right place and serving up the pages so that is
>> working, but when IUSR access is taken away it throws back a "HTTP Error
>> 401.3 - Unauthorized: Access is denied due to an ACL set on the requested
>> resource." error when trying to login as stats-viewer. I have tried using
>> Integrated and basic authentication, changing the user, changing the
>> directory, creating a new web site in IIS, using Authdiag (which doesn't
>> seem to shed light on the problem) all without success.
>>
>> Can anyone help, its doing my head in!!!
>>
>> Many thanks,
>>
>> John Pugh
>
>

Enable auditing on logon events for success and failure and privilege use
and object access for failure [probably only temporally]. Enable auditing on
that folder for that user. Then look in the security logs and Event Viewer
in general for any possible helpful messages. I would also look in Local
Security Policy on each computer and look for any differences under local
policies for security options or user rights. Any differences found between
the two boxes could be suspect. Also check any deny permissions to the
folder which you user could be affected by group membership. If this is a
domain computer, run the netdiag support tool on it looking for any
pertinent errors. -- Steve

http://support.microsoft.com/default...b;en-us;301640 -- needs
object access enable first.

"John Pugh" <(E-Mail Removed)> wrote in message
news:OU6E3$(E-Mail Removed)...
> Thanks for the reply, I have compared the permissions between the two
> boxes (one that works and this one) and I can see very little differences,
> none in sections that I think might affect this problem is there anything
> specific that I should be looking for?
>
>
>
> "Andra" <andraatlatnetdotlv> wrote in message
> news:(E-Mail Removed)...
>> Policies? Especially concerning the way the password is sent over the
>> network.
>>
>> John Pugh wrote
>>> Hi,
>>>
>>> I am having problem that I thought some of you might be able to help,
>>>
>>> The problem is that we have created a directory on a 2k3 standard box
>>> that
>>> can only be accessed using a set username and password (used for
>>> accessing
>>> web stats over the internet) I have done this many times before without
>>> a
>>> hitch but on one of our boxes it does want to work at all!
>>>
>>> I have given the SYSTEM full control, Administrators full control and
>>> stats-viewer (the user who needs access) read and read & execute. This
>>> is
>>> the standard setup I have on all our boxes. I have also tried recreating
>> all
>>> the permissions the wwwroot directory has and putting it in the wwwroot
>>> directory to no avail.
>>>
>>> With the IUSR user in place it works, allowing anonymous access,
>>> therefore
>>> IIS is pointing to the right place and serving up the pages so that is
>>> working, but when IUSR access is taken away it throws back a "HTTP Error
>>> 401.3 - Unauthorized: Access is denied due to an ACL set on the
>>> requested
>>> resource." error when trying to login as stats-viewer. I have tried
>>> using
>>> Integrated and basic authentication, changing the user, changing the
>>> directory, creating a new web site in IIS, using Authdiag (which doesn't
>>> seem to shed light on the problem) all without success.
>>>
>>> Can anyone help, its doing my head in!!!
>>>
>>> Many thanks,
>>>
>>> John Pugh
>>
>>
>
>

Hi Steve & Everyone else,

I have looked through the local policy and everything seems the same between
the boxes, I setup auditing, but again I get no failures and the box that is
not working produces the same results as the others yet it still won't let
me view the web pages, grrr.

If it was a office computer I would be reinstalling windows at this point!
but as it is in a data centre 100 miles away, thats not an option. By the
way it is a stand alone server and not part of a domain

Thanks for all your help, anymore suggestions ?

John


"Steven L Umbach" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Enable auditing on logon events for success and failure and privilege use
> and object access for failure [probably only temporally]. Enable auditing
> on that folder for that user. Then look in the security logs and Event
> Viewer in general for any possible helpful messages. I would also look in
> Local Security Policy on each computer and look for any differences under
> local policies for security options or user rights. Any differences found
> between the two boxes could be suspect. Also check any deny permissions to
> the folder which you user could be affected by group membership. If this
> is a domain computer, run the netdiag support tool on it looking for any
> pertinent errors. -- Steve
>
> http://support.microsoft.com/default...b;en-us;301640 -- needs
> object access enable first.
>
> "John Pugh" <(E-Mail Removed)> wrote in message
> news:OU6E3$(E-Mail Removed)...
>> Thanks for the reply, I have compared the permissions between the two
>> boxes (one that works and this one) and I can see very little
>> differences, none in sections that I think might affect this problem is
>> there anything specific that I should be looking for?
>>
>>
>>
>> "Andra" <andraatlatnetdotlv> wrote in message
>> news:(E-Mail Removed)...
>>> Policies? Especially concerning the way the password is sent over the
>>> network.
>>>
>>> John Pugh wrote
>>>> Hi,
>>>>
>>>> I am having problem that I thought some of you might be able to help,
>>>>
>>>> The problem is that we have created a directory on a 2k3 standard box
>>>> that
>>>> can only be accessed using a set username and password (used for
>>>> accessing
>>>> web stats over the internet) I have done this many times before without
>>>> a
>>>> hitch but on one of our boxes it does want to work at all!
>>>>
>>>> I have given the SYSTEM full control, Administrators full control and
>>>> stats-viewer (the user who needs access) read and read & execute. This
>>>> is
>>>> the standard setup I have on all our boxes. I have also tried
>>>> recreating
>>> all
>>>> the permissions the wwwroot directory has and putting it in the wwwroot
>>>> directory to no avail.
>>>>
>>>> With the IUSR user in place it works, allowing anonymous access,
>>>> therefore
>>>> IIS is pointing to the right place and serving up the pages so that is
>>>> working, but when IUSR access is taken away it throws back a "HTTP
>>>> Error
>>>> 401.3 - Unauthorized: Access is denied due to an ACL set on the
>>>> requested
>>>> resource." error when trying to login as stats-viewer. I have tried
>>>> using
>>>> Integrated and basic authentication, changing the user, changing the
>>>> directory, creating a new web site in IIS, using Authdiag (which
>>>> doesn't
>>>> seem to shed light on the problem) all without success.
>>>>
>>>> Can anyone help, its doing my head in!!!
>>>>
>>>> Many thanks,
>>>>
>>>> John Pugh
>>>
>>>
>>
>>
>
>

Hmm. I can't think of much else other than also checking the special
permissions for that folder in security/advanced to make sure that there is
no group with deny permissions and also viewing the "effective permissions"
tab for your user. Another thing to try is temporally add that user to the
local administrators group or use the built in administrator account as the
access account temporally to see if that works. If that does work then there
is a lack of permission or privilege for the regular user account. If it
does not work something else weird is going on. Check the group membership
of the user accounts that you are using to make sure that they are at least
members of the local users group. --- Steve


"John Pugh" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi Steve & Everyone else,
>
> I have looked through the local policy and everything seems the same
> between the boxes, I setup auditing, but again I get no failures and the
> box that is not working produces the same results as the others yet it
> still won't let me view the web pages, grrr.
>
> If it was a office computer I would be reinstalling windows at this point!
> but as it is in a data centre 100 miles away, thats not an option. By the
> way it is a stand alone server and not part of a domain
>
> Thanks for all your help, anymore suggestions ?
>
> John
>
>
> "Steven L Umbach" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Enable auditing on logon events for success and failure and privilege
>> use and object access for failure [probably only temporally]. Enable
>> auditing on that folder for that user. Then look in the security logs and
>> Event Viewer in general for any possible helpful messages. I would also
>> look in Local Security Policy on each computer and look for any
>> differences under local policies for security options or user rights. Any
>> differences found between the two boxes could be suspect. Also check any
>> deny permissions to the folder which you user could be affected by group
>> membership. If this is a domain computer, run the netdiag support tool on
>> it looking for any pertinent errors. -- Steve
>>
>> http://support.microsoft.com/default...b;en-us;301640 -- needs
>> object access enable first.
>>
>> "John Pugh" <(E-Mail Removed)> wrote in message
>> news:OU6E3$(E-Mail Removed)...
>>> Thanks for the reply, I have compared the permissions between the two
>>> boxes (one that works and this one) and I can see very little
>>> differences, none in sections that I think might affect this problem is
>>> there anything specific that I should be looking for?
>>>
>>>
>>>
>>> "Andra" <andraatlatnetdotlv> wrote in message
>>> news:(E-Mail Removed)...
>>>> Policies? Especially concerning the way the password is sent over the
>>>> network.
>>>>
>>>> John Pugh wrote
>>>>> Hi,
>>>>>
>>>>> I am having problem that I thought some of you might be able to help,
>>>>>
>>>>> The problem is that we have created a directory on a 2k3 standard box
>>>>> that
>>>>> can only be accessed using a set username and password (used for
>>>>> accessing
>>>>> web stats over the internet) I have done this many times before
>>>>> without a
>>>>> hitch but on one of our boxes it does want to work at all!
>>>>>
>>>>> I have given the SYSTEM full control, Administrators full control and
>>>>> stats-viewer (the user who needs access) read and read & execute. This
>>>>> is
>>>>> the standard setup I have on all our boxes. I have also tried
>>>>> recreating
>>>> all
>>>>> the permissions the wwwroot directory has and putting it in the
>>>>> wwwroot
>>>>> directory to no avail.
>>>>>
>>>>> With the IUSR user in place it works, allowing anonymous access,
>>>>> therefore
>>>>> IIS is pointing to the right place and serving up the pages so that is
>>>>> working, but when IUSR access is taken away it throws back a "HTTP
>>>>> Error
>>>>> 401.3 - Unauthorized: Access is denied due to an ACL set on the
>>>>> requested
>>>>> resource." error when trying to login as stats-viewer. I have tried
>>>>> using
>>>>> Integrated and basic authentication, changing the user, changing the
>>>>> directory, creating a new web site in IIS, using Authdiag (which
>>>>> doesn't
>>>>> seem to shed light on the problem) all without success.
>>>>>
>>>>> Can anyone help, its doing my head in!!!
>>>>>
>>>>> Many thanks,
>>>>>
>>>>> John Pugh
>>>>
>>>>
>>>
>>>
>>
>>
>
>

It works as an Administrator, but not as a User even though the user in
question is in the right groups, is there anyway to see what permissions
each of the groups get? so that I can see what is difference between the
working boxes and this one.

Cheers

John

"Steven L Umbach" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hmm. I can't think of much else other than also checking the special
> permissions for that folder in security/advanced to make sure that there
> is no group with deny permissions and also viewing the "effective
> permissions" tab for your user. Another thing to try is temporally add
> that user to the local administrators group or use the built in
> administrator account as the access account temporally to see if that
> works. If that does work then there is a lack of permission or privilege
> for the regular user account. If it does not work something else weird is
> going on. Check the group membership of the user accounts that you are
> using to make sure that they are at least members of the local users
> group. --- Steve
>
>
> "John Pugh" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Hi Steve & Everyone else,
>>
>> I have looked through the local policy and everything seems the same
>> between the boxes, I setup auditing, but again I get no failures and the
>> box that is not working produces the same results as the others yet it
>> still won't let me view the web pages, grrr.
>>
>> If it was a office computer I would be reinstalling windows at this
>> point! but as it is in a data centre 100 miles away, thats not an option.
>> By the way it is a stand alone server and not part of a domain
>>
>> Thanks for all your help, anymore suggestions ?
>>
>> John
>>
>>
>> "Steven L Umbach" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>> Enable auditing on logon events for success and failure and privilege
>>> use and object access for failure [probably only temporally]. Enable
>>> auditing on that folder for that user. Then look in the security logs
>>> and Event Viewer in general for any possible helpful messages. I would
>>> also look in Local Security Policy on each computer and look for any
>>> differences under local policies for security options or user rights.
>>> Any differences found between the two boxes could be suspect. Also check
>>> any deny permissions to the folder which you user could be affected by
>>> group membership. If this is a domain computer, run the netdiag support
>>> tool on it looking for any pertinent errors. -- Steve
>>>
>>> http://support.microsoft.com/default...b;en-us;301640 -- needs
>>> object access enable first.
>>>
>>> "John Pugh" <(E-Mail Removed)> wrote in message
>>> news:OU6E3$(E-Mail Removed)...
>>>> Thanks for the reply, I have compared the permissions between the two
>>>> boxes (one that works and this one) and I can see very little
>>>> differences, none in sections that I think might affect this problem is
>>>> there anything specific that I should be looking for?
>>>>
>>>>
>>>>
>>>> "Andra" <andraatlatnetdotlv> wrote in message
>>>> news:(E-Mail Removed)...
>>>>> Policies? Especially concerning the way the password is sent over the
>>>>> network.
>>>>>
>>>>> John Pugh wrote
>>>>>> Hi,
>>>>>>
>>>>>> I am having problem that I thought some of you might be able to help,
>>>>>>
>>>>>> The problem is that we have created a directory on a 2k3 standard box
>>>>>> that
>>>>>> can only be accessed using a set username and password (used for
>>>>>> accessing
>>>>>> web stats over the internet) I have done this many times before
>>>>>> without a
>>>>>> hitch but on one of our boxes it does want to work at all!
>>>>>>
>>>>>> I have given the SYSTEM full control, Administrators full control
>>>>>> and
>>>>>> stats-viewer (the user who needs access) read and read & execute.
>>>>>> This is
>>>>>> the standard setup I have on all our boxes. I have also tried
>>>>>> recreating
>>>>> all
>>>>>> the permissions the wwwroot directory has and putting it in the
>>>>>> wwwroot
>>>>>> directory to no avail.
>>>>>>
>>>>>> With the IUSR user in place it works, allowing anonymous access,
>>>>>> therefore
>>>>>> IIS is pointing to the right place and serving up the pages so that
>>>>>> is
>>>>>> working, but when IUSR access is taken away it throws back a "HTTP
>>>>>> Error
>>>>>> 401.3 - Unauthorized: Access is denied due to an ACL set on the
>>>>>> requested
>>>>>> resource." error when trying to login as stats-viewer. I have tried
>>>>>> using
>>>>>> Integrated and basic authentication, changing the user, changing the
>>>>>> directory, creating a new web site in IIS, using Authdiag (which
>>>>>> doesn't
>>>>>> seem to shed light on the problem) all without success.
>>>>>>
>>>>>> Can anyone help, its doing my head in!!!
>>>>>>
>>>>>> Many thanks,
>>>>>>
>>>>>> John Pugh
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

You can use the free tool Dumpsec from Somarsoft or the Resource Kit tool
showacl to see permissions to a folder or folders. Try adding the user that
is denied access normally to the local administrators group to see what
happens. If that works then I tend to think the user is lacking a user
right. If it does not work then I think the user is a member of a group that
has deny permissions applied somewhere along the line. To check user rights,
open Local Security Policy [secpol.msc] and look for any user right where
both administrators and IUSR user are included but the user or group that
the user is a member of is not. Also keep in mind that any "deny" user right
will override he same allow user right so take a close look at any deny user
rights. Verify the user group membership with the " net user username "
command [using real user name of course]. --- Steve

http://www.somarsoft.com/ --- Dumpsec.

"John Pugh" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> It works as an Administrator, but not as a User even though the user in
> question is in the right groups, is there anyway to see what permissions
> each of the groups get? so that I can see what is difference between the
> working boxes and this one.
>
> Cheers
>
> John
>
> "Steven L Umbach" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Hmm. I can't think of much else other than also checking the special
>> permissions for that folder in security/advanced to make sure that there
>> is no group with deny permissions and also viewing the "effective
>> permissions" tab for your user. Another thing to try is temporally add
>> that user to the local administrators group or use the built in
>> administrator account as the access account temporally to see if that
>> works. If that does work then there is a lack of permission or privilege
>> for the regular user account. If it does not work something else weird is
>> going on. Check the group membership of the user accounts that you are
>> using to make sure that they are at least members of the local users
>> group. --- Steve
>>
>>
>> "John Pugh" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>> Hi Steve & Everyone else,
>>>
>>> I have looked through the local policy and everything seems the same
>>> between the boxes, I setup auditing, but again I get no failures and the
>>> box that is not working produces the same results as the others yet it
>>> still won't let me view the web pages, grrr.
>>>
>>> If it was a office computer I would be reinstalling windows at this
>>> point! but as it is in a data centre 100 miles away, thats not an
>>> option. By the way it is a stand alone server and not part of a domain
>>>
>>> Thanks for all your help, anymore suggestions ?
>>>
>>> John
>>>
>>>
>>> "Steven L Umbach" <(E-Mail Removed)> wrote in message
>>> news:(E-Mail Removed)...
>>>> Enable auditing on logon events for success and failure and privilege
>>>> use and object access for failure [probably only temporally]. Enable
>>>> auditing on that folder for that user. Then look in the security logs
>>>> and Event Viewer in general for any possible helpful messages. I would
>>>> also look in Local Security Policy on each computer and look for any
>>>> differences under local policies for security options or user rights.
>>>> Any differences found between the two boxes could be suspect. Also
>>>> check any deny permissions to the folder which you user could be
>>>> affected by group membership. If this is a domain computer, run the
>>>> netdiag support tool on it looking for any pertinent errors. -- Steve
>>>>
>>>> http://support.microsoft.com/default...b;en-us;301640 --
>>>> needs object access enable first.
>>>>
>>>> "John Pugh" <(E-Mail Removed)> wrote in message
>>>> news:OU6E3$(E-Mail Removed)...
>>>>> Thanks for the reply, I have compared the permissions between the two
>>>>> boxes (one that works and this one) and I can see very little
>>>>> differences, none in sections that I think might affect this problem
>>>>> is there anything specific that I should be looking for?
>>>>>
>>>>>
>>>>>
>>>>> "Andra" <andraatlatnetdotlv> wrote in message
>>>>> news:(E-Mail Removed)...
>>>>>> Policies? Especially concerning the way the password is sent over the
>>>>>> network.
>>>>>>
>>>>>> John Pugh wrote
>>>>>>> Hi,
>>>>>>>
>>>>>>> I am having problem that I thought some of you might be able to
>>>>>>> help,
>>>>>>>
>>>>>>> The problem is that we have created a directory on a 2k3 standard
>>>>>>> box that
>>>>>>> can only be accessed using a set username and password (used for
>>>>>>> accessing
>>>>>>> web stats over the internet) I have done this many times before
>>>>>>> without a
>>>>>>> hitch but on one of our boxes it does want to work at all!
>>>>>>>
>>>>>>> I have given the SYSTEM full control, Administrators full control
>>>>>>> and
>>>>>>> stats-viewer (the user who needs access) read and read & execute.
>>>>>>> This is
>>>>>>> the standard setup I have on all our boxes. I have also tried
>>>>>>> recreating
>>>>>> all
>>>>>>> the permissions the wwwroot directory has and putting it in the
>>>>>>> wwwroot
>>>>>>> directory to no avail.
>>>>>>>
>>>>>>> With the IUSR user in place it works, allowing anonymous access,
>>>>>>> therefore
>>>>>>> IIS is pointing to the right place and serving up the pages so that
>>>>>>> is
>>>>>>> working, but when IUSR access is taken away it throws back a "HTTP
>>>>>>> Error
>>>>>>> 401.3 - Unauthorized: Access is denied due to an ACL set on the
>>>>>>> requested
>>>>>>> resource." error when trying to login as stats-viewer. I have tried
>>>>>>> using
>>>>>>> Integrated and basic authentication, changing the user, changing the
>>>>>>> directory, creating a new web site in IIS, using Authdiag (which
>>>>>>> doesn't
>>>>>>> seem to shed light on the problem) all without success.
>>>>>>>
>>>>>>> Can anyone help, its doing my head in!!!
>>>>>>>
>>>>>>> Many thanks,
>>>>>>>
>>>>>>> John Pugh
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>