
W2K permissions and auditing

Old 05 March 2003, 12:37 PM
  #1  
markr1963

Our users currently have full control permissions to a drive on my server. This has, up to now, been fine, they're pretty well behaved. It has been convenient to let them move and delete files.

However this morning a couple of dozen subfolders and files in the root, Jobs, suddenly vanished. Huge flap from admin. Turns out these folders and files had been moved into a recently created subfolder called Jobs elsewhere on the drive.

So I was wondering...

Is this some kind of bizarre NTFS f*ck up? Seems a bit unlikely

Has someone been arsing around? More likely

Anyway, does anyone have any thoughts on this? I think it's time to revoke a few rights. Would it be too draconian to remove delete rights from all but the office administrator? Is there a better way? Is there a way of auditing file movements, i.e. if it's been moved from folder to folder or an attempted deletion? Auditing is not something I'm too familiar with but I reckon I want to keep an eye on the bu66ers for a bit.

Ta muchly

Mark
Old 05 March 2003, 01:02 PM
  #2  
Scoty

Yes, you can set up auditing of successful attempts and unsuccessful attempts at deleting or moving files.

(presuming you haven't got the Group Policy snap-in enabled)

Run mmc from the Run box
Click Add snap in
Add group policy snap in


You now need to enable auditing.
From the group policy snap-in click
Computer config/Windows settings/Security settings/Local policies/
You have some options in there.

For folder auditing....
Right click on the folder you want
choose properties
select security tab
select auditing tab

From here you can click the add button and choose what groups you want to audit
Then select what events you want to audit.

To view the events being audited, use the event viewer in the mmc or in the Admin tools in control panel.

Scoty
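
Once auditing is switched on as described in the post above, the Security log has to be read back to answer "who deleted or moved what". The following is an added example, not part of the original thread: it assumes the Windows 2000 Security-log event IDs 560 (object open) and 564 (object deleted), and reduces each record to a constructed dictionary whose field names are this example's own.

```python
# Constructed sample records in chronological order; not a real log export.
SAMPLE_EVENTS = [
    {"id": 560, "result": "success", "pid": 8, "handle": 1204,
     "user": "OFFICE\\alice", "object": r"D:\Jobs\1041\quote.doc",
     "accesses": {"READ_CONTROL", "ReadData"}},
    {"id": 560, "result": "success", "pid": 8, "handle": 1310,
     "user": "OFFICE\\bob", "object": r"D:\Jobs\1042",
     "accesses": {"DELETE", "ReadAttributes"}},
    {"id": 564, "result": "success", "pid": 8, "handle": 1310},
    {"id": 560, "result": "failure", "pid": 8, "handle": None,
     "user": "OFFICE\\carol", "object": r"D:\Jobs\1043",
     "accesses": {"DELETE"}},
    {"id": 560, "result": "success", "pid": 8, "handle": 1422,
     "user": "OFFICE\\bob", "object": r"D:\Jobs\1044",
     "accesses": {"DELETE", "SYNCHRONIZE"}},
]

def delete_activity(events):
    """Return (user, object, outcome) for every open that asked for DELETE.

    A 564 record carries only a handle, so it is paired with the earlier
    560 that issued the same (process, handle) to recover user and path.
    """
    pending = {}   # (pid, handle) -> position in report
    report = []
    for ev in events:
        if ev["id"] == 560 and "DELETE" in ev["accesses"]:
            if ev["result"] == "failure":
                # Failure audit: the user tried and the ACL refused.
                report.append([ev["user"], ev["object"], "denied"])
            else:
                pending[(ev["pid"], ev["handle"])] = len(report)
                report.append([ev["user"], ev["object"], "delete access granted"])
        elif ev["id"] == 564:
            idx = pending.pop((ev["pid"], ev["handle"]), None)
            if idx is not None:
                report[idx][2] = "deleted"
    return [tuple(row) for row in report]

if __name__ == "__main__":
    for row in delete_activity(SAMPLE_EVENTS):
        print(row)
```

Entries left at "delete access granted" were opened with DELETE but have no matching 564 in the sample, so they are the ones to look at by hand.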
Old 05 March 2003, 01:13 PM
  #3  
David_Wallis

also don't give them full control.. just give them change rights..
Old 05 March 2003, 02:43 PM
  #4  
markr1963

Cheers guys

Am I right in saying that when there's share permissions and NTFS permissions the most restrictive permission wins? So change on the share would over-rule full access in the NTFS?

I appear to have left my 'how to administer win2k' module unplugged today
Old 05 March 2003, 04:07 PM
  #5  
TopBanana

Only let them delete files if they're the owner, or a bigwig
Old 05 March 2003, 04:13 PM
  #6  
David_Wallis

no share leave at full control.. then tie down with ntfs..

David
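
The share-versus-NTFS question discussed above, worked through as an added example that is not part of the original thread: over the network a right is effective only if both the share and the NTFS ACL grant it, and a delete (or the source side of a move) needs DELETE on the item or FILE_DELETE_CHILD on its parent folder. The masks are the standard Windows access-mask values; the function names are this example's own, and deny entries and group resolution are left out, so each mask stands for what the user is already granted at that layer.

```python
# Standard Windows access-mask bits (values from winnt.h).
FILE_DELETE_CHILD = 0x00000040   # "Delete Subfolders and Files"
DELETE            = 0x00010000
WRITE_DAC         = 0x00040000   # "Change Permissions"
WRITE_OWNER       = 0x00080000   # "Take Ownership"
FULL_CONTROL      = 0x001F01FF
# NTFS "Modify" and share "Change" carry the same bits: Full Control minus
# the three rights below. Both still include DELETE.
MODIFY = FULL_CONTROL & ~(FILE_DELETE_CHILD | WRITE_DAC | WRITE_OWNER)
READ   = 0x001200A9              # NTFS "Read & Execute" / share "Read"

def network_access(share_mask, ntfs_mask):
    """Rights usable through the share: granted by both layers."""
    return share_mask & ntfs_mask

def can_delete(item_mask, parent_mask):
    """Delete check: DELETE on the item or FILE_DELETE_CHILD on its parent."""
    return bool(item_mask & DELETE or parent_mask & FILE_DELETE_CHILD)

def summarize(share_mask, ntfs_item, ntfs_parent):
    """Effective rights on one item reached through the share."""
    item = network_access(share_mask, ntfs_item)
    parent = network_access(share_mask, ntfs_parent)
    return {
        "delete_or_move": can_delete(item, parent),
        "change_permissions": bool(item & WRITE_DAC),
        "take_ownership": bool(item & WRITE_OWNER),
    }

NO_DELETE = MODIFY & ~DELETE     # a custom ACE: Modify with Delete unticked

if __name__ == "__main__":
    print("share Change + NTFS Full  :", summarize(MODIFY, FULL_CONTROL, FULL_CONTROL))
    print("share Full   + NTFS Modify:", summarize(FULL_CONTROL, MODIFY, MODIFY))
    print("share Full   + no Delete  :", summarize(FULL_CONTROL, NO_DELETE, NO_DELETE))
    print("no Delete, parent Full    :", summarize(FULL_CONTROL, NO_DELETE, FULL_CONTROL))
```

The first two cases give the same result: dropping from Full Control to Change or Modify removes permission and ownership changes but leaves delete and move in place, and the last case shows Full Control on a parent folder overriding a missing Delete right on the item.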
Old 05 March 2003, 04:15 PM
  #7  
markr1963

Houston, we have a problem

Trying to load the local security policy via MMC snap-in and get the following error...

Windows cannot open the local policy database.
An unknown error occurred when attempting to open the database

Any clues as to what this means? How do I fix it?

Once more, ta muchly

Mark
Old 05 March 2003, 04:19 PM
  #8  
David_Wallis

When you navigate in Local Computer Policy and try to open Account Policies or Local Policies
(Local Computer Policy / Computer Configuration / Windows Settings / Security Settings), you receive
Windows cannot open the local policy database. An unknown error occurred when attempting to open the database..

Your Local Group Policy log files may be corrupt.

To fix the problem, delete or rename the following:

%SystemRoot%\Security\Edb.*
%SystemRoot%\Security\Res*.*

Old 05 March 2003, 05:14 PM
  #9  
David_Wallis

dunno.. just did a google on the error msg.

check permissions on the system32 folder and ensure everyone has full control.
Old 05 March 2003, 05:45 PM
  #10  
markr1963

Cracked it

Renamed secedit.sdb in %systemroot%security\database

System recreates it after a minute or so
Old 03 May 2003, 04:59 PM
  #11  
markr1963

%systemroot%edb.log
%systemroot%tmp.edb

are in use and can't be renamed or deleted.

Is there a service that can be shut down to allow these files to be zapped?

Incidentally, just managed to crash the server (no one noticed) and edb.* and res*.* seem to have been recreated.
Local Security Policy still won't load though

[Edited by markr1963 - 3/5/2003 5:00:04 PM]