W2K permissions and auditing
#1
Scooby Regular
Thread Starter
Join Date: Jun 2002
Location: Perth, Western Australia
Posts: 1,866
Likes: 0
Received 0 Likes
on
0 Posts
Our users currently have full control permissions to a drive on my server. This has, up to now, been fine; they're pretty well behaved. It has been convenient to let them move and delete files.
However this morning a couple of dozen subfolders and files in the root, Jobs, suddenly vanished. Huge flap from admin. Turns out these folders and files had been moved into a recently created subfolder called Jobs elsewhere on the drive.
So I was wondering...
Is this some kind of bizarre NTFS f*ck up? Seems a bit unlikely
Has someone been arsing around? More likely
Anyway, does anyone have any thoughts on this? I think it's time to revoke a few rights. Would it be too draconian to remove delete rights from all but the office administrator? Is there a better way? Is there a way of auditing file movements, i.e. if it's been moved from folder to folder or an attempted deletion? Auditing is not something I'm too familiar with but I reckon I want to keep an eye on the bu66ers for a bit.
Ta muchly
Mark
#2
Yes, you can set up auditing of successful attempts and unsuccessful attempts at deleting or moving files.
(presuming you haven't got Group Policy snap in enabled)
Run mmc from the Run box
Click Add snap in
Add group policy snap in
You now need to enable auditing.
From the group policy snap in click
Computer config/Windows settings/Security settings/Local policies/
You have some options in there.
For folder auditing....
Right click on the folder you want
choose properties
select security tab
select auditing tab
From here you can click the add button and choose what groups you want to audit
Then select what events you want to audit.
To view the events being audited, use the event viewer in the mmc or in the Admin tools in Control Panel.
Scoty
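The two steps in the post above (enable the audit policy, then add an auditing entry on the folder) can also be scripted. The following is an added example, not part of the original thread; it uses PowerShell, auditpol and event ID 4663 as found on current Windows versions rather than the Windows 2000 tools the thread describes, and the folder `D:\Jobs` and group `BUILTIN\Users` are assumed names.

```powershell
# Added example: audit deletes and moves under one folder (run elevated).
# $Folder and $Group are assumptions; substitute your own share path and group.
$Folder = 'D:\Jobs'
$Group  = 'BUILTIN\Users'

# 1. Enable object-access auditing for the file system (the Local Policies step).
#    The subcategory name is the English one; it differs on localized systems.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an auditing (SACL) entry: record successful and failed deletes by $Group,
#    inherited by every subfolder and file. Moving a file within a volume requests
#    Delete access on the source, so moves are recorded by the same entry.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
               $Group, $rights, $inherit, $prop, $flags)

$acl = Get-Acl -Path $Folder -Audit      # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Report who requested Delete access on objects under $Folder.
#    Event 4663 = "An attempt was made to access an object".
$DELETE = 0x10000                        # DELETE bit in the access mask
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
    ForEach-Object {
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$n.Name] = $n.'#text'
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $data['SubjectUserName']
            Object  = $data['ObjectName']
            Process = $data['ProcessName']
            Mask    = [Convert]::ToInt32($data['AccessMask'], 16)
        }
    } |
    Where-Object { $_.Object -like "$Folder*" -and ($_.Mask -band $DELETE) } |
    Sort-Object Time |
    Format-Table Time, User, Object, Process -AutoSize
```

Auditing only the Delete rights keeps the Security log small enough to read; auditing every access type on a busy share fills the log quickly.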
#4
Scooby Regular
Thread Starter
Cheers guys
Am I right in saying that when there's share permissions and NTFS permissions the most restrictive permission wins? So change on the share would over-rule full access in the NTFS?
I appear to have left my 'how to administer win2k' module unplugged today
#7
Scooby Regular
Thread Starter
Houston, we have a problem
Trying to load the local security policy via MMC snap-in and get the following error...
Windows cannot open the local policy database.
An unknown error occurred when attempting to open the database
Any clues as to what this means? How do I fix it?
Once more, ta muchly
Mark
#8
Scooby Regular
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239
Likes: 0
Received 1 Like
on
1 Post
When you navigate in Local Computer Policy and try to open Account Policies or Local Policies
(Local Computer Policy / Computer Configuration / Windows Settings / Security Settings), you receive
Windows cannot open the local policy database. An unknown error occurred when attempting to open the database.
Your Local Group Policy log files may be corrupt.
To fix the problem, delete or rename the following:
%SystemRoot%\Security\Edb.*
%SystemRoot%\Security\Res*.*
#9
Scooby Regular
dunno.. just did a google on the error msg.
check permissions on the system32 folder and ensure everyone has full control.
#11
Scooby Regular
Thread Starter
%systemroot%edb.log
%systemroot%tmp.edb
are in use and can't be renamed or deleted.
Is there a service that can be shut down to allow these files to be zapped?
Incidentally, just managed to crash the server (no one noticed) and edb.* and res*.* seem to have been recreated.
Local Security Policy still won't load though
[Edited by markr1963 - 3/5/2003 5:00:04 PM]