Microsoft KB Archive/320215

From BetaArchive Wiki

Article ID: 320215

Article Last Modified on 10/27/2006



APPLIES TO

  • Microsoft Windows 2000 Service Pack 1
  • Microsoft Windows 2000 Service Pack 2
  • Microsoft Windows 2000 Advanced Server



This article was previously published under Q320215

SYMPTOMS

Permission Translation

The set of permissions available to Windows 2000 users differs from the set available to Macintosh users. Services for Macintosh automatically translates between the two so that permissions are enforced for both Windows 2000 and Macintosh users.

The Windows 2000 Server Administrator account always has Modify permission on Services for Macintosh volumes.

Permissions set from a Macintosh client behave differently from permissions set on Windows 2000 Server, even when Macintosh-style permissions are used. From the Macintosh computer, a right that is assigned to Everyone overrides more restrictive rights that are set on the owner or a group. From Windows 2000, permissions that are assigned to Everyone do not override permissions that are set on the owner or group.

The built-in Everyone group as seen from a Macintosh client understands only a limited set of permissions. If you want to deny Everyone access to a share from a Macintosh client, do not set an explicit Deny on Windows 2000; instead, match the Macintosh "no access" setting. To do this, open the Advanced Security properties and allow only Read Attributes and Read Permissions for the Everyone group. On the Macintosh side, users who do not have explicit rights then see a belt around the folder. If you do not do this, the Everyone group receives Read and Execute, List Folder Contents, and Read, plus any additional permissions you have checked for the Everyone group.

Rules for Inheritance Before the Hotfix

Inheritance changes occur if, for example, you use a group membership to grant folder-creation permissions to a Macintosh client and the Macintosh client then creates a folder. After this occurs, inheritance is turned on for the subfolder, and the user who created it receives an explicit Full Control entry in addition to the group's inherited permissions.

Example

You create a user named MACUSER to connect to a Windows 2000 Service Pack 2 Services for Macintosh share from a Macintosh computer. You make MACUSER a member of a domain group that is called MACGROUP. You have the permissions set like this:

Root Folder

  • MACGROUP (Modify, Read/Ex, List Folder Contents, Read, Write)

If MACUSER then creates a subfolder that is named Subfolder in Root Folder, the resulting permissions include MACUSER with the addition of Full Control, like this:

Subfolder

  • The inherited flag is checked
  • MACGROUP (M, Rx, L, R, W) (an inherited permission)
  • MACUSER (FC, M, Rx, L, R, W)
  • Everyone (Rx, L, R)
  • SYSTEM (M, Rx, L, R, W)
  • The user's primary group (M, Rx, L, R, W)
  • Administrator (FC, M, Rx, L, R, W)

The Everyone entry can be adjusted by removing Rx and L and by explicitly setting the Advanced Security properties to allow only Read Attributes and Read Permissions. On the Macintosh side, users who do not have explicit rights then see a belt around the folder. Do not do this at the root of the share, because that denies the Everyone group there and no one will be able to create anything.

Notes About Everyone and System Groups

The first noticeable difference in an NTFS folder that is created by a Macintosh client in a Services for Macintosh share is that the NTFS permissions include entries for the Everyone and SYSTEM groups:

  • By default, Windows 2000 gives each new folder Read and Execute, List Folder Contents, and Read for the Everyone group. To prevent this, explicitly set the rights under the Advanced Security properties to allow only Read Attributes and Read Permissions. On the Macintosh side, users who do not have explicit rights then see a belt around the folder.
  • By default, the SYSTEM group is given Modify, Read and Execute, List Folder Contents, Read, and Write permissions. SYSTEM is granted permissions because the SFM service runs under the SYSTEM context and SFM is responsible for actually completing the file input/output.
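The following script is an added example and is not part of this Knowledge Base article; it shows, in PowerShell against the .NET System.Security.AccessControl classes, how to audit subfolders of a Services for Macintosh volume for the two conditions described above (an Everyone entry that grants more than Read Attributes plus Read Permissions, and the pre-SP3 symptom of an explicit Full Control entry for the folder's creator) and how to reduce Everyone to the Macintosh "no access" equivalent. The volume path D:\SfmVolume, the parameter names, and the function names are assumptions made for the example. The script deliberately skips the share root, because the article warns that restricting Everyone there prevents anyone from creating anything.

```powershell
# Added example, not from the KB article. Assumes a Windows host with the
# FileSystem provider and .NET System.Security.AccessControl available.
# D:\SfmVolume is an assumed placeholder for the NTFS root of the SFM share.
param(
    [string]$Root = 'D:\SfmVolume',
    [switch]$Fix    # without -Fix the script only reports
)

# The article's NTFS equivalent of the Macintosh "no access" setting:
# Everyone is allowed only Read Attributes and Read Permissions.
$NoAccessRights = [System.Security.AccessControl.FileSystemRights]::ReadAttributes -bor
                  [System.Security.AccessControl.FileSystemRights]::ReadPermissions

# Well-known SID for Everyone (S-1-1-0), so the check is locale-independent.
$EveryoneSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

function Test-IsEveryone {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    $sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    return ($sid -eq $EveryoneSid)
}

function Test-EveryoneTooBroad {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    # True when the Allow ACE grants any right outside ReadAttributes + ReadPermissions,
    # e.g. the default Read and Execute, List Folder Contents, Read.
    $extra = [int]$Ace.FileSystemRights -band (-bnot [int]$NoAccessRights)
    return ($extra -ne 0)
}

function Get-SfmAclReport {
    param([string]$Path)
    $findings = @()
    # Subfolders only: the share root is intentionally left alone.
    Get-ChildItem -Path $Path -Recurse | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $folder = $_.FullName
        $acl = Get-Acl -Path $folder
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if ((Test-IsEveryone $ace) -and (Test-EveryoneTooBroad $ace)) {
                $findings += New-Object PSObject -Property @{
                    Path = $folder; Identity = 'Everyone'; Inherited = $ace.IsInherited
                    Issue = 'Everyone granted more than ReadAttributes+ReadPermissions'
                    Rights = $ace.FileSystemRights }
            }
            elseif (-not $ace.IsInherited -and
                    $ace.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::FullControl -and
                    $ace.IdentityReference.Value -eq $acl.Owner) {
                # The pre-SP3 symptom: the Macintosh user who created the folder
                # got an explicit Full Control entry of their own.
                $findings += New-Object PSObject -Property @{
                    Path = $folder; Identity = $acl.Owner; Inherited = $false
                    Issue = 'Explicit Full Control for folder owner (pre-SP3 inheritance behaviour)'
                    Rights = $ace.FileSystemRights }
            }
        }
    }
    return $findings
}

function Set-EveryoneNoAccess {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Only explicit Everyone entries can be removed here; inherited ones must be
    # changed on the parent they come from.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        if (Test-IsEveryone $ace) { [void]$acl.RemoveAccessRule($ace) }
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $EveryoneSid, $NoAccessRights,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

$report = Get-SfmAclReport -Path $Root
$report | Format-Table Path, Identity, Inherited, Rights, Issue -AutoSize

if ($Fix) {
    # Only fix folders whose broad Everyone entry is explicit; inherited entries
    # are reported so the administrator can fix the parent instead.
    $report | Where-Object { $_.Identity -eq 'Everyone' -and -not $_.Inherited } |
        ForEach-Object { Set-EveryoneNoAccess -Path $_.Path }
}
```

Run it first without -Fix and review the report; the owner Full Control findings are informational (they are the behaviour this article documents) and the script does not change them, because removing a Macintosh user's rights to a folder they created is a policy decision rather than a translation fix.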


CAUSE

The Windows NT operating system in conjunction with using NTFS gives administrators more control over user and group-level permissions. The Macintosh operating system does not recognize all of the custom file, user, and group permissions for folders and files.

Permission Differences

The permissions that can be set on Macintosh folders differ drastically in granularity from NTFS permissions. On the Macintosh side, the only permissions you can set are Read, Write, and None. With NTFS permissions, you can set Read, Write, Execute, Modify, List Folder Contents, and Full Control. Services for Macintosh must translate these permissions to provide the Macintosh operating system with a list of security permissions that it understands. Another aspect of Windows 2000 Server user accounts, the user's primary group, applies only to Services for Macintosh. The user's primary group is the group that the user works with most, and it is typically the group with which the user has the most resource needs in common. When a user creates a folder on a server, that user becomes its owner. The owner's primary group is set as the group that is associated with the folder. The administrator or owner can change the group that is associated with the folder.

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack


The English version of this fix should have the following file attributes or later:

   Date         Time      Version         Size     File name
   ----------------------------------------------------------
   12-Feb-2002  11:50:26  5.0.2195.4926    75,700  Sfmsvc.exe
   22-Mar-2002  17:02:38  5.0.2195.5247   150,000  Sfmsrv.sys
                



STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.

MORE INFORMATION

After you apply the hotfix, the SYSTEM permissions are no longer inherited on subfolders and are always M, Rx, L, R, and W on new folders.

For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:

265173 The Datacenter Program and Windows 2000 Datacenter Server Product


For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:

296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot



Additional query words: kbNetworking sfm

Keywords: kbbug kbfix kbwin2000presp3fix kbqfe kbwin2000sp3fix kbenv kbnetwork kbhotfixserver KB320215