NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Windows 7 + ADS permissions problems
ReadyNAS Pro 4, joined to domain first thing out of the box. Create a share "projects" following the Active Directory video in this forum. In order to copy our files/folders into the share while prese...
Apologies for taking so long to get back to you. I've been out with the flu for a few days. I just got around to testing this today. I'm using a Windows Vista computer to do the testing. I logged into a domain controller, connected to the NAS Pro Frontview, created a new share using default settings except unchecking the Public Access box when first creating the share. The CIFS settings are default: Defaul Access == Read/Write, Allow Guest Access == unchecked, everything else default ... Automatically Set Permissions ... == unchecked, Opslocks == enabled. On the Vista computer I logged in with a standard user account "Guest" (no domain admin privs, etc.). I created a new folder in the new share then created a new Excel spreadsheet in the share. I opened the spreadsheet, made a modification, saved it. I then logged out of the Vista computer, logged back into the Vista computer as a separate standard user "Guest2", opened the spreadsheet, made a modification and tried to save it. No dice. "test-spreadsheet.xls is read-only. To save a copy, click OK, then give the workbook a new name in the Save As dialog box". Considering default access on the share is Read/Write I would expect everyone to have permission to edit the file, so I tried from a Windows XP computer. No dice, same error message. Checking security on the file, it shows Guest as the owner of the file. Security on the file shows:
Domain Users: Read & Execute, Read
Everyone: Read & Execute, Read
Guest: Full Control
I created another test share, "Test-Share-2", this time keeping the Public Access box checked. I repeated the steps above from the Vista computer. Same exact outcome, file is read-only to everyone except the user who created the file. I re-ran the steps from an XP computer. Same outcome, only the file creator has write access.
This is not how I would expect a share with Public Access enabled and default access as Read/Write to behave. With those settings, files should be able to be edited by any user from any computer.
Back on the first test share I created, I used FrontView from the DC to browse to the CIFS settings. I checkmarked the "Allow guest access" box and clicked Apply. I logged into the Vista computer as the second test user account "Guest2". I browsed to the test spreadsheet that the user Guest created and tried a modification. Same error, read-only. Through FrontView from the DC, I browsed back to the CIFS settings, checkmarked the "Automatically set permissions..." option, clicked Apply. Repeated the test steps from the Vista computer. Still no dice, read-only. I checked the Advanced Options on the share, they show "Share folder owner: administrator", "Share folder group: domain users" and then Read/Write for all of the "...rights" settings. The "Set ownership and permission..." option was unchecked, "Grant rename and delete..." was checked. I checked the "Set ownership..." option and clicked Apply. Repeated the test steps and ... success, was able to modify the file created by the Guest account using the Guest2 account on Vista.
At this point I have applied no Active Directory permissions to the first test share that successfully allowed Guest2 to modify the file created by Guest1. So now I am going to browse to the root share directory from the DC (logged in as the domain Administrator account used to join the NAS Pro to the domain) and setup the AD permission structure. I am going to follow the instructions for setting up AD permissions shown on the Netgear website (remove Everyone access through Advanced Security Settings then apply the permissions I desire for the AD users group). Made those changes, clicked Apply, click OK, closed the share Properties dialog box. Right-clicked the share directory, chose Properties, browsed to Security and the Everyone group no longer shows up. Looking good so far. Clicked Advanced, it shows the NAS Pro Administrator and "domain\Domain Users" group have Full Control of "This folder only". I would expect that to read "This folder, subfolders and files". I changed that setting to "This folder, subfolder and files", added the "Domain Users" group from a trusted domain, domainB, with the same settings, clicked Apply, then OK, then OK again to close the share Properties dialog box. I then repeated the steps above to test from Vista with standard domain user accounts and was able to create a folder and spreadsheet with the Guest user and then access and modify the spreadsheet with the Guest2 user.
At this point, I am believing that Active Directory permissions are working fine on the test share. One odd thing is that when I check the Security settings on the test share, the only accounts that show up are "Administrator" which is the NAS Pro admin account, and the "Domain Users" groups from both domains, domainA (local) and domainB (2-way trusted remote domain). When I check the Security settings back on the share that we're having problems with, it shows those same accounts plus "CREATOR GROUP" (Full Control), "CREATOR OWNER" (Full Control) and "Everyone" (Full Control).
I am still perplexed as to what is going on with the share with which we are having problems. I want the CREATOR and Everyone permissons to be removed completely and I want its Security settings to match the test share 100%. How do I get there from here?
TIA
Domain Users: Read & Execute, Read
Everyone: Read & Execute, Read
Guest: Full Control
I created another test share, "Test-Share-2", this time keeping the Public Access box checked. I repeated the steps above from the Vista computer. Same exact outcome, file is read-only to everyone except the user who created the file. I re-ran the steps from an XP computer. Same outcome, only the file creator has write access.
This is not how I would expect a share with Public Access enabled and default access as Read/Write to behave. With those settings, files should be able to be edited by any user from any computer.
Back on the first test share I created, I used FrontView from the DC to browse to the CIFS settings. I checkmarked the "Allow guest access" box and clicked Apply. I logged into the Vista computer as the second test user account "Guest2". I browsed to the test spreadsheet that the user Guest created and tried a modification. Same error, read-only. Through FrontView from the DC, I browsed back to the CIFS settings, checkmarked the "Automatically set permissions..." option, clicked Apply. Repeated the test steps from the Vista computer. Still no dice, read-only. I checked the Advanced Options on the share, they show "Share folder owner: administrator", "Share folder group: domain users" and then Read/Write for all of the "...rights" settings. The "Set ownership and permission..." option was unchecked, "Grant rename and delete..." was checked. I checked the "Set ownership..." option and clicked Apply. Repeated the test steps and ... success, was able to modify the file created by the Guest account using the Guest2 account on Vista.
At this point I have applied no Active Directory permissions to the first test share that successfully allowed Guest2 to modify the file created by Guest1. So now I am going to browse to the root share directory from the DC (logged in as the domain Administrator account used to join the NAS Pro to the domain) and setup the AD permission structure. I am going to follow the instructions for setting up AD permissions shown on the Netgear website (remove Everyone access through Advanced Security Settings then apply the permissions I desire for the AD users group). Made those changes, clicked Apply, click OK, closed the share Properties dialog box. Right-clicked the share directory, chose Properties, browsed to Security and the Everyone group no longer shows up. Looking good so far. Clicked Advanced, it shows the NAS Pro Administrator and "domain\Domain Users" group have Full Control of "This folder only". I would expect that to read "This folder, subfolders and files". I changed that setting to "This folder, subfolder and files", added the "Domain Users" group from a trusted domain, domainB, with the same settings, clicked Apply, then OK, then OK again to close the share Properties dialog box. I then repeated the steps above to test from Vista with standard domain user accounts and was able to create a folder and spreadsheet with the Guest user and then access and modify the spreadsheet with the Guest2 user.
At this point, I am believing that Active Directory permissions are working fine on the test share. One odd thing is that when I check the Security settings on the test share, the only accounts that show up are "Administrator" which is the NAS Pro admin account, and the "Domain Users" groups from both domains, domainA (local) and domainB (2-way trusted remote domain). When I check the Security settings back on the share that we're having problems with, it shows those same accounts plus "CREATOR GROUP" (Full Control), "CREATOR OWNER" (Full Control) and "Everyone" (Full Control).
I am still perplexed as to what is going on with the share with which we are having problems. I want the CREATOR and Everyone permissons to be removed completely and I want its Security settings to match the test share 100%. How do I get there from here?
TIA
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
