We have a Windows SBS 2008 domain controller (the only one in our domain) and I'm trying to create a new Group Policy Object to handle printers. Every time I attempt to create a new GPO, either in the Group Policy folder directly or the linked in one of the organizational folders I receive the following message - "This security ID may not be assigned as the owner of this object." I've been looking around but I haven't found anything that works. Most results for this search indicate that people are having trouble with Folder Redirection policies. We have Folder Redirection enabled, but every workstation in the domain is running Windows 7 Professional, and no one is having trouble with the redirection policy. I've double-checked the sysvol directory and both SYSTEM and Administrators have the appropriate rights. I've added the sysadmin account to the Group Policy Creator Owners group (which again, has rights to sysvol) but still nothing. I've been at this all day and I'm coming up completely empty. There's nothing in the Event View logs, and I even created another administrative level user or simply copy/pasting an existing GPO. Same message everytime. This only started happening this week. Does anyone have any idea? I'm starting to get desperate.
Looks like I managed to solve it. Probably not ideal, but I'll share in case anyone else has a similar issue. Looks like the permissions were not correct as I had assumed. I went through again and granted Full Control to the Group Policy Creator Owners group on the following three folders: C:\Windows\sysvol\sysvol, C:\Windows\sysvol\sysvol\ourDomain.local, and C:\Windows\sysvol\sysvol\ourDomain.local\Policies. The last one, I set the rights to extend to subfiles and folders. After a quick logout to reset the permissions, I was able to create a new policy object.
I just encountered this issue. Google finds solutions (such as here) suggesting you verify you or your security group (domain admins, builtin\administrators) have Group Policy permissions in the Default Domain Controllers Policy at Computer Config > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Restore files and directories.
In my case, I also had to confirm the same permissions in my Default Domain Policy. I'm not sure how they changed, but after adding the group and forcing a Group Policy refresh (gpupdate /force), the problem was resolved.
Related
Question regards Gerrit 2.14
Goal
I want to have projects visible only to Registered Users, and also I would wish that 'owner' of project can set it's visibility, share, hide etc without admin rights, or involving admin to set those rights for him/her per project. For example I want to have projects A, B, C, D, E with B, C owned by p1, and C shared between p1, p2. So user p1 would see B, C, and user p2 would see C.
What I've checked
I believe that there are 3 ways of achieving something described above:
user has admin rights - can set parent of project other than All-projects: I don't want that
admin can set per project ACL for user/group: I don't want that
user becomes Project Owner of projects s/he created
By default "Create Project" is not granted for Registered users and "READ for refs/*"
I have tried
Setting permissions in All-Projects.git that all project inherit
Create Group
Registered Users
Create Project
Registered Users
Reference: refs/*
Allow Administrators
Allow Project Owners
Deny Anonymous Users
/* IF I add ALLOW Registered Users here -> see bottom of question */
and all remaining permissions unchanged, I expected to be able, as registered user:
Be sure that anonymous (not registered/logged on) users cannot view projects
Create project using both GUI and SSH
Be assigned as Project Owner to that project - have full control over this single project
Result
Unfortunately, registered user can create project (if user does not select previously prepared parent All-public-projects - which grants multiple other permissions - default All-projects is assigned as parent) BUT user, who is supposed to be Project Owner cannot access this project.
Ideas what is wrong
I'm aware that Registered Users are members of Anonymous Users group as well, but documentation states
Inherited access rights can be overwritten unless they are defined as BLOCK rule. BLOCK rules are used to limit the possibilities of the project owners on the inheriting projects.
Changing the parent of a project is only allowed for Gerrit administrators. This means you need to contact the administrator of your Gerrit server if you want to reparent your project.
and also
[READ] This category has a special behavior, where the per-project ACL is evaluated before the global all projects ACL. If the per-project ACL has granted Read with 'DENY', and does not otherwise grant Read with 'ALLOW', then a Read in the all projects ACL is ignored. This behavior is useful to hide a handful of projects on an otherwise public server.
For an open source, public Gerrit installation it is common to grant Read to Anonymous Users in the All-Projects ACL, enabling casual browsing of any project’s changes, as well as fetching any project’s repository over SSH or HTTP. New projects can be temporarily hidden from public view by granting Read with 'DENY' to Anonymous Users and granting Read to the project owner’s group within the per-project ACL.
Now since I do not want to set permissions per project basis, am I correct to think that reason for this to fail is
For the All-Projects root project any Owner access right on 'refs/*' is ignored since this permission would allow users to edit the global capabilities, which is the same as being able to administrate the Gerrit server (e.g. the user could assign the Administrate Server capability to the own account).
Questions
If my reasoning is correct, how do I achieve my goal?
Also, granting READ refs/* to Registered User makes project to be accessible, but also all others too. How would I then be able to hide some projects from other Registered users? Or if that is not possible - how do I configure permissions in order to prevent other registered users to commit, and possibly even clone other projects?
Additional question.
How do I quickly see who is set as project's Project Owner?
I'm glad to see not beeing the only one with such a requirement. For me everything would work just fine if the user who creates a project via Gerrit's Web UI would be automatically the project owner (only if the user is not and Admin User). However, as you know the current Web UI does neither pass this information to the Gerrit backend nor does it allow to assign project owners when creating a new project. I see the following options:
Open a feature request for the Gerrit dev team hoping they will consider the idea
Use the create-project REST API and pass the project owner(s) for creating projects, i.e. using an own app
Use the create project CLI and pass the project owner(s) for creating projects
Implement an own Gerrit Plugin - see 2. Plugin Development which would make the current user creating a new project a project owner
For me only option 1 or 4 is viable because the other mean way too much overhead. I'm thinking about writing such a plugin, and I would make it opensource... About 2 months ago I was hoping there's aready something available I could use, but I couldn't find anything.
To your second question: I typically us the Web UI for this by going to the project's Access tab and then checking the who has the permission "Owner" for the branch refs/*.
I have installed Umbraco on my local machine but I have some questions regarding IIS and permissions if someone can help verify that I understand it all correctly. My environment is as follows
• Windows 7 Pro OS
• IIS 7.5 - I have set up a new site in IIS which has the identity Application Pool Identity for the app pool
• Umbraco v7.3.0 – The application files are located in C:\Users[myUsername]\Documents\Visual Studio 2013\Projects\InstallingUmbracoDemo\InstallingUmbracoDemo
Is the following process/understanding correct?
Add a new website in IIS and the application pool name is automatically updated to reflect my sites name.
By default this will use the identity ApplicationPoolIdentity which means that my new sites worker process (w3wp.exe) will run in an application pool that has the same name as my website in IIS
By default when I created my new site it will be added to a user group called IIS_IUSR
If I try to access my application files (that are in a folder that doesn’t not grant permission to the IIS_IUSR user group) it will mean IIS can’t access the resources until I grant the IIS_IUSR user group access
The IUSR user group is used for anonymous access and for anything anonymously requesting my website it will be added to this group
As Umbraco needs to access the internet to install the application I need to a grant permission to IUSR to allow it to do so
Partly because I don’t quite fully understand everything I’m quite concerned about the security of granting permission to IUSR on the root folder where the application files reside. Once Umbraco has installed can this user groups full permission be revoked? Does it require full permission?
I have found the following resource https://our.umbraco.org/wiki/reference/files-and-folders/permissions but if anyone else can provide an overview regarding permissions and the ISUR & IIS_ISUR work and more importantly whether I am understanding this process correctly.
Apologies if I am way of the mark – I’m just trying to learn and ensure i fully understand everything.
Many thanks
Paul
Umbraco will need permission to write files to certain folders on the server as the content/media cache, examine indexes, logs, media, etc are all disk file based.
Have you tried adding the specific AppPool user to the folders and granting permission to it?
Its usually:
IIS AppPool\MyAppPoolNameInIIS
I have had cases where that isn't allowed and I have to use IUSR, but generally this works and seems more specific and contained.
What has me confused is why a directory or part of my Drupal site to suddenly return the message of "Forbidden" - that I, as first use, cannot access various parts of the site in the admin area. I changed the permission on the default/sites/files directory to 777. That probably is giving to too much access to everyone. However, it was only after doing that, that I got a message of Forbidden - that I don't have access to various parts of the admin area. I am the first user.
I changed the permissions on this directory because when I tried to update some modules, I got an error that file could not be created.
I have cpanel/whm on a dedicated vps server. So, one issue is how to find out what the user and group ownership should be on a server that hosts various domains through cpanel. It appears that for other accounts have user:owner permissions that match the account name. I am not sure if the default group:owner should remain as www-data:www-data for example, on Ubuntu or if cpanel/whm says, "make the apache group and user equal to the account name."
Thanks in advance for any help,
Bruce
First of all, I'm going to assume you're talking about Drupal 7, but really, there's little difference in this case.
Try reading about permissions here
Its very simple that the folder should have user:user ownership and correct permissions with folders having 755 permissions respectively. The server might be running on suphp hence you cannot have wrong user with wrong permissions.
I am new to Joomla and have been given the task of supporting a site that was created in Joomla 1.5.25. They keep getting errors that files are not writable. They also can't add or delete anything to and from the media manager even in a Super Administrator account. I was able to override these errors with changing folder permissions from 755 (Joomla's recommended permission set) to 777, but was wondering if there is a better way of going about this (I don't want to leave a security hole on their site with the 777 permission set). From what I have read through my research is Joomla permissions requirements can vary based on your hosting company, so I want to get other peoples input before I give my hosting company a call.
On a side note, is there a way of getting the error messages to display longer then 2 seconds?
Why don't you try changing the permissions only to the folders that are written to temporarily? Another solution is to find out under which user apache is running and make sure that user is the owner or at least in a group that owns your Joomla! directory.
When an ASP.NET application is running under IIS6.0 in Windows 2003 Server with impersonation, what user account is relevant for deciding file read/write/execute access privileges? I have two scenarios where I am trying to understand what access to grant/revoke. I thought the most relevant user is probably the identity specified in the Application Pool, but that doesn't seem to be the whole story.
The first issue concerns executing a local batch file via System.Diagnostics.Process.Start()--I can't do so when the AppPool is set to IWAM_WIN2K3WEB user, but it works fine if it is set to the Network Service identity. I of course made sure that the IWAM user has execute rights on the file.
The second involves writing to a file on the local hard drive--I'd like to be able to prevent doing so via the access control list via folder properties, but even when I set up all users in the folder as "read" (no users/groups with "write" at all), our ASP.NET still writes out the file no problem. How can it if it doesn't have write access?
Google search turns up bits and pieces but never the whole story.
what user account is relevant for [..] file read/write/execute access
As a rule: Always the user account the application/page runs under.
The IWAM account is pretty limited. I don't think it has permissions to start an external process. File access rights are irrelevant at this point.
If a user account (Network Service in your case) owns a file (i.e. has created it), it can do anything to this file, even if not explicitly allowed. Check who owns your file.
Process Monitor from Microsoft is a great tool to track down subtleties like this one.
A bit more searching reveals that the IWAM user isn't that well documented and we should stick with NETWORK SERVICE or a manually-supplied identity if we want to specify permissions for that user.