Hi,
I recently made a minor change to the "Standard user" through the "Users and
Groups" part of the SBS Console in SBS 2008 Standard.

Since I did that users have started complaining about being denied access to
shared folders??

I can put them back in the relevant security groups and all is well then it
changes again a few days later?

Have I got someone tinkering with the settings who has somehow got Admin
rihts who shouldn't or is it something to do with me having changed the
"Standard User" that Group Policy keeps messing with or something.

I can't see what the issue is and there appears to be nothing untoward in
the event logs, but how I would see that I don't know?

Is there a way I can monitor when and who is changing it, if it is not
something SBS is doing itself?

Any help appreciated, I am getting sick of users ringing me claiming they
are being denied access.

Siv
--
Martley, Near Worcester, UK

Siv wrote:

> Hi,
> I recently made a minor change to the "Standard user" through the
> "Users and Groups" part of the SBS Console in SBS 2008 Standard.
>
> Since I did that users have started complaining about being denied
> access to shared folders??
>
> I can put them back in the relevant security groups and all is well
> then it changes again a few days later?
>
> Have I got someone tinkering with the settings who has somehow got
> Admin rihts who shouldn't or is it something to do with me having
> changed the "Standard User" that Group Policy keeps messing with or
> something.
>
> I can't see what the issue is and there appears to be nothing
> untoward in the event logs, but how I would see that I don't know?
>
> Is there a way I can monitor when and who is changing it, if it is not
> something SBS is doing itself?
>
> Any help appreciated, I am getting sick of users ringing me claiming
> they are being denied access.
>
> Siv

What "relevant security groups" are you changing that makes them work OK and
that they later loose membership in?


--
/kj

and just what 'minor change' did you make tothe standard user template?

Seems that change may not be _as minor_ as expected.

"kj [SBS MVP]" <KevinJ.SBS@newsgroup> wrote in message
news:ueEvoasyKHA.2552@newsgroup

> Siv wrote:

>> Hi,
>> I recently made a minor change to the "Standard user" through the
>> "Users and Groups" part of the SBS Console in SBS 2008 Standard.
>>
>> Since I did that users have started complaining about being denied
>> access to shared folders??
>>
>> I can put them back in the relevant security groups and all is well
>> then it changes again a few days later?
>>
>> Have I got someone tinkering with the settings who has somehow got
>> Admin rihts who shouldn't or is it something to do with me having
>> changed the "Standard User" that Group Policy keeps messing with or
>> something.
>>
>> I can't see what the issue is and there appears to be nothing
>> untoward in the event logs, but how I would see that I don't know?
>>
>> Is there a way I can monitor when and who is changing it, if it is not
>> something SBS is doing itself?
>>
>> Any help appreciated, I am getting sick of users ringing me claiming
>> they are being denied access.
>>
>> Siv

>
> What "relevant security groups" are you changing that makes them work OK
> and that they later loose membership in?
>
>
> --
> /kj
>

kj,
I have created folders for storage on the server used by each of a number of
office teams such as "sales", "accounts", "warehouse" and the like. I have
also created corresponding security groups that match those folders.

I set permissions on the folder so that only members of the specified
security group can gain access to each folder. Giving access to the folder is
just a case of making the user a member of that group. Likewise removing
access is just a case of removing their membership of the group. Standard
stuff I imagine for most admins.

So the "Relevant Security Groups" are "Sales" if you want access to the
"Sales" share, "Warehouse" if you want access to the Warehouse share and so
on.

Siv
--
Martley, Near Worcester, UK


"kj [SBS MVP]" wrote:

> Siv wrote:

> > Hi,
> > I recently made a minor change to the "Standard user" through the
> > "Users and Groups" part of the SBS Console in SBS 2008 Standard.
> >
> > Since I did that users have started complaining about being denied
> > access to shared folders??
> >
> > I can put them back in the relevant security groups and all is well
> > then it changes again a few days later?
> >
> > Have I got someone tinkering with the settings who has somehow got
> > Admin rihts who shouldn't or is it something to do with me having
> > changed the "Standard User" that Group Policy keeps messing with or
> > something.
> >
> > I can't see what the issue is and there appears to be nothing
> > untoward in the event logs, but how I would see that I don't know?
> >
> > Is there a way I can monitor when and who is changing it, if it is not
> > something SBS is doing itself?
> >
> > Any help appreciated, I am getting sick of users ringing me claiming
> > they are being denied access.
> >
> > Siv

>
> What "relevant security groups" are you changing that makes them work OK and
> that they later loose membership in?
>
>
> --
> /kj
>
>
> .
>

SuperGumby,
I just turned off the "Enforce shared folder quota" setting so that quotas
are not turned on for users shared folders.

Siv
--
Martley, Near Worcester, UK


"SuperGumby [SBS MVP]" wrote:

> and just what 'minor change' did you make tothe standard user template?
>
> Seems that change may not be _as minor_ as expected.
>
> "kj [SBS MVP]" <KevinJ.SBS@newsgroup> wrote in message
> news:ueEvoasyKHA.2552@newsgroup

> > Siv wrote:

> >> Hi,
> >> I recently made a minor change to the "Standard user" through the
> >> "Users and Groups" part of the SBS Console in SBS 2008 Standard.
> >>
> >> Since I did that users have started complaining about being denied
> >> access to shared folders??
> >>
> >> I can put them back in the relevant security groups and all is well
> >> then it changes again a few days later?
> >>
> >> Have I got someone tinkering with the settings who has somehow got
> >> Admin rihts who shouldn't or is it something to do with me having
> >> changed the "Standard User" that Group Policy keeps messing with or
> >> something.
> >>
> >> I can't see what the issue is and there appears to be nothing
> >> untoward in the event logs, but how I would see that I don't know?
> >>
> >> Is there a way I can monitor when and who is changing it, if it is not
> >> something SBS is doing itself?
> >>
> >> Any help appreciated, I am getting sick of users ringing me claiming
> >> they are being denied access.
> >>
> >> Siv

> >
> > What "relevant security groups" are you changing that makes them work OK
> > and that they later loose membership in?
> >
> >
> > --
> > /kj
> >

>
>
> .
>

Share permissions or using the security tab? Folders off the root of
drive E:, or whatever you call your data drive, or nested underneath a
pre-existing share? Unchecked the inherit permissions box?

On Wed, 24 Mar 2010 02:21:01 -0700, Siv
<Siv@newsgroup> wrote:

>kj,
>I have created folders for storage on the server used by each of a number of
>office teams such as "sales", "accounts", "warehouse" and the like. I have
>also created corresponding security groups that match those folders.
>
>I set permissions on the folder so that only members of the specified
>security group can gain access to each folder. Giving access to the folder is
>just a case of making the user a member of that group. Likewise removing
>access is just a case of removing their membership of the group. Standard
>stuff I imagine for most admins.
>
>So the "Relevant Security Groups" are "Sales" if you want access to the
>"Sales" share, "Warehouse" if you want access to the Warehouse share and so
>on.
>
>Siv
>--
>Martley, Near Worcester, UK
>
>
>"kj [SBS MVP]" wrote:
>

>> Siv wrote:

>> > Hi,
>> > I recently made a minor change to the "Standard user" through the
>> > "Users and Groups" part of the SBS Console in SBS 2008 Standard.
>> >
>> > Since I did that users have started complaining about being denied
>> > access to shared folders??
>> >
>> > I can put them back in the relevant security groups and all is well
>> > then it changes again a few days later?
>> >
>> > Have I got someone tinkering with the settings who has somehow got
>> > Admin rihts who shouldn't or is it something to do with me having
>> > changed the "Standard User" that Group Policy keeps messing with or
>> > something.
>> >
>> > I can't see what the issue is and there appears to be nothing
>> > untoward in the event logs, but how I would see that I don't know?
>> >
>> > Is there a way I can monitor when and who is changing it, if it is not
>> > something SBS is doing itself?
>> >
>> > Any help appreciated, I am getting sick of users ringing me claiming
>> > they are being denied access.
>> >
>> > Siv

>>
>> What "relevant security groups" are you changing that makes them work OK and
>> that they later loose membership in?
>>
>>
>> --
>> /kj
>>
>>
>> .
>>

See what SBS support is working on
http://blogs.technet.com/sbs/default.aspx
Check your SBS with the SBS Best Practices Analyzer
http://blogs.technet.com/sbs/archive...A/default.aspx

Jim,
They are all subfolders of a single top level folder C:\Data (I inherited
the machine from the supplier with the drive formatted as a single C: drive
RAID Array (wouldn't have been my preferred layout always want to separate
O/S from Data but it was already done and no time to re-install).

We have:

C:\Data\Sales
C:\Data\Accounts
....
C:\Data\Warehouse

Each folder has inherit permissions turned off and only the Administrators,
and the individual Security groups with permissions. In the folder
permissions just the individual Security groups are set.

Hope this helps you fugure out what is going on?

Siv
--
Martley, Near Worcester, UK


"Jim Behning SBS MVP" wrote:

> Share permissions or using the security tab? Folders off the root of
> drive E:, or whatever you call your data drive, or nested underneath a
> pre-existing share? Unchecked the inherit permissions box?
>
> On Wed, 24 Mar 2010 02:21:01 -0700, Siv
> <Siv@newsgroup> wrote:
>

> >kj,
> >I have created folders for storage on the server used by each of a number of
> >office teams such as "sales", "accounts", "warehouse" and the like. I have
> >also created corresponding security groups that match those folders.
> >
> >I set permissions on the folder so that only members of the specified
> >security group can gain access to each folder. Giving access to the folder is
> >just a case of making the user a member of that group. Likewise removing
> >access is just a case of removing their membership of the group. Standard
> >stuff I imagine for most admins.
> >
> >So the "Relevant Security Groups" are "Sales" if you want access to the
> >"Sales" share, "Warehouse" if you want access to the Warehouse share and so
> >on.
> >
> >Siv
> >--
> >Martley, Near Worcester, UK
> >
> >
> >"kj [SBS MVP]" wrote:
> >

> >> Siv wrote:
> >> > Hi,
> >> > I recently made a minor change to the "Standard user" through the
> >> > "Users and Groups" part of the SBS Console in SBS 2008 Standard.
> >> >
> >> > Since I did that users have started complaining about being denied
> >> > access to shared folders??
> >> >
> >> > I can put them back in the relevant security groups and all is well
> >> > then it changes again a few days later?
> >> >
> >> > Have I got someone tinkering with the settings who has somehow got
> >> > Admin rihts who shouldn't or is it something to do with me having
> >> > changed the "Standard User" that Group Policy keeps messing with or
> >> > something.
> >> >
> >> > I can't see what the issue is and there appears to be nothing
> >> > untoward in the event logs, but how I would see that I don't know?
> >> >
> >> > Is there a way I can monitor when and who is changing it, if it is not
> >> > something SBS is doing itself?
> >> >
> >> > Any help appreciated, I am getting sick of users ringing me claiming
> >> > they are being denied access.
> >> >
> >> > Siv
> >>
> >> What "relevant security groups" are you changing that makes them work OK and
> >> that they later loose membership in?
> >>
> >>
> >> --
> >> /kj
> >>
> >>
> >> .
> >>

> See what SBS support is working on
> http://blogs.technet.com/sbs/default.aspx
> Check your SBS with the SBS Best Practices Analyzer
> http://blogs.technet.com/sbs/archive...A/default.aspx
> .
>

In article <F2E51534-DEF2-4E70-9D57-6511E17DBF62@newsgroup>,
Siv@newsgroup says...

>
> Jim,
> They are all subfolders of a single top level folder C:\Data (I inherited
> the machine from the supplier with the drive formatted as a single C: drive
> RAID Array (wouldn't have been my preferred layout always want to separate
> O/S from Data but it was already done and no time to re-install).
>
> We have:
>
> C:\Data\Sales
> C:\Data\Accounts
> ...
> C:\Data\Warehouse
>
> Each folder has inherit permissions turned off and only the Administrators,
> and the individual Security groups with permissions. In the folder
> permissions just the individual Security groups are set.
>
> Hope this helps you fugure out what is going on?
>
> Siv

If your permissions are not set to CUSTOM and you don't remove change
ownership and the last one in the list, any user can grant other users
access to the folders if they know a little.

You have to remove the last two options, set them to DENY, in advanced
settings, so that users can't change permissions/ownership.

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
spam999free@newsgroup (remove 999 for proper email address)

Siv wrote:

> kj,
> I have created folders for storage on the server used by each of a
> number of office teams such as "sales", "accounts", "warehouse" and
> the like. I have also created corresponding security groups that
> match those folders.
>
> I set permissions on the folder so that only members of the specified
> security group can gain access to each folder. Giving access to the
> folder is just a case of making the user a member of that group.
> Likewise removing access is just a case of removing their membership
> of the group. Standard stuff I imagine for most admins.
>
> So the "Relevant Security Groups" are "Sales" if you want access to
> the "Sales" share, "Warehouse" if you want access to the Warehouse
> share and so on.
>
> Siv

Right, so are the permissions applied to the secruity groups changing or are
secruity group memberships changing.

Ie, Sales people 'disappearing' from membership in the Sales security
group? - Then you manually put them back and life is good until something
comes along and removes them again? - if so, Server 2008 (AD) has attribute
level auditing and it can be enabled and you can look for changes in
"memberof" (groups). Event log entries would tell you when and by 'what'
these changes were made.

If your permissions are changing, then that's another matter.

>

>> Siv wrote:

>>> Hi,
>>> I recently made a minor change to the "Standard user" through the
>>> "Users and Groups" part of the SBS Console in SBS 2008 Standard.
>>>
>>> Since I did that users have started complaining about being denied
>>> access to shared folders??
>>>
>>> I can put them back in the relevant security groups and all is well
>>> then it changes again a few days later?
>>>
>>> Have I got someone tinkering with the settings who has somehow got
>>> Admin rihts who shouldn't or is it something to do with me having
>>> changed the "Standard User" that Group Policy keeps messing with or
>>> something.
>>>
>>> I can't see what the issue is and there appears to be nothing
>>> untoward in the event logs, but how I would see that I don't know?
>>>
>>> Is there a way I can monitor when and who is changing it, if it is
>>> not something SBS is doing itself?
>>>
>>> Any help appreciated, I am getting sick of users ringing me claiming
>>> they are being denied access.
>>>
>>> Siv

>>
>> What "relevant security groups" are you changing that makes them
>> work OK and that they later loose membership in?
>>
>>
>> --
>> /kj
>>
>>
>> .

--
/kj

kj,
It is membership of groups that seems to be changing. I will get someone
complaining that they are not having access to the particularl folder and
when I check they are not a member of that folder's group. SO i put them back
in the group and everything is fine for a few days maybe a week then all of a
sudden they have dropped out again!?

It's driving me nuts. It all started happening after I mad that small change
to the "Standard" user.

Cheers,

Siv
--
Martley, Near Worcester, UK


"kj [SBS MVP]" wrote:

> Siv wrote:

> > kj,
> > I have created folders for storage on the server used by each of a
> > number of office teams such as "sales", "accounts", "warehouse" and
> > the like. I have also created corresponding security groups that
> > match those folders.
> >
> > I set permissions on the folder so that only members of the specified
> > security group can gain access to each folder. Giving access to the
> > folder is just a case of making the user a member of that group.
> > Likewise removing access is just a case of removing their membership
> > of the group. Standard stuff I imagine for most admins.
> >
> > So the "Relevant Security Groups" are "Sales" if you want access to
> > the "Sales" share, "Warehouse" if you want access to the Warehouse
> > share and so on.
> >
> > Siv

>
> Right, so are the permissions applied to the secruity groups changing or are
> secruity group memberships changing.
>
> Ie, Sales people 'disappearing' from membership in the Sales security
> group? - Then you manually put them back and life is good until something
> comes along and removes them again? - if so, Server 2008 (AD) has attribute
> level auditing and it can be enabled and you can look for changes in
> "memberof" (groups). Event log entries would tell you when and by 'what'
> these changes were made.
>
> If your permissions are changing, then that's another matter.
>
>
>
>
>

> >

> >> Siv wrote:
> >>> Hi,
> >>> I recently made a minor change to the "Standard user" through the
> >>> "Users and Groups" part of the SBS Console in SBS 2008 Standard.
> >>>
> >>> Since I did that users have started complaining about being denied
> >>> access to shared folders??
> >>>
> >>> I can put them back in the relevant security groups and all is well
> >>> then it changes again a few days later?
> >>>
> >>> Have I got someone tinkering with the settings who has somehow got
> >>> Admin rihts who shouldn't or is it something to do with me having
> >>> changed the "Standard User" that Group Policy keeps messing with or
> >>> something.
> >>>
> >>> I can't see what the issue is and there appears to be nothing
> >>> untoward in the event logs, but how I would see that I don't know?
> >>>
> >>> Is there a way I can monitor when and who is changing it, if it is
> >>> not something SBS is doing itself?
> >>>
> >>> Any help appreciated, I am getting sick of users ringing me claiming
> >>> they are being denied access.
> >>>
> >>> Siv
> >>
> >> What "relevant security groups" are you changing that makes them
> >> work OK and that they later loose membership in?
> >>
> >>
> >> --
> >> /kj
> >>
> >>
> >> .

>
> --
> /kj
>
>
> .
>