Public, Server Permissions, and Endpoints
I am seeking a good discussion of how to handle the impact of revoking connect to endpoint permissions for the public role. Up to this point, I've encountered several resources, including the Microsoft documentation, that recommend removing all server
permissions from public. I find this amusing due to the fact that all other logins inherit their permissions on the various endpoints from public. Of course, if I revoke connect for the endpoints from public, only system administrators can connect.
None of the sources that I've found address handling this issue. This reminds me a bit of the old South Park episode with the Underpants Gnomes and their business plan: Step 1 - Underpants, Step 2 - ?, Step 3 - Profit! In this case, it is
Step 1 - Revoke rights from public, Step 2 - ?, Step 3 - Security!
There is a comment on the SQL Server 2008 on-line documentation that recommends granting connect to endpoint to specific logins, but it does not supply any detail. I understand that Step 2 is highly dependent on factors that vary from location to location,
and application to application.
My question is whether there is a resource that details the considerations for granting connect to endpoint for the various endpoints and logins? I am looking for answers to questions like:
Is there a case in which one would have a login that was not granted connect to any endpoint?
Do logins like ##MS_PolicyTsqlExecutionLogin## need these rights, and if so, to which endpoints specifically?
I have a number of others, but I was hoping someone could provide me with a resource from which I could draw this information without having to chase all over the documentation. Thanks in advance!
Rick,
First, thanks so much for the helpful reply! It validates what I was thinking.
For versions 2008, 2008 R2, and 2012, if you follow Administer Servers by Using Policy-Based Management -> Monitor and Enforce Best Practices by Using Policy-Based Management -> Server public Permissions, it advises, "Do not grant server permissions
to the server public role." The links below are for the 2012 version of this page:
http://technet.microsoft.com/en-us/library/cc645930.aspx
http://msdn.microsoft.com/en-us/library/cc645930(v=sql.110).aspx
You and "Quantum John" are listed as authors of a comment on the 2008 version of this page (http://technet.microsoft.com/en-us/library/cc645930(v=sql.100).aspx) that acknowledges
this problem. The last part of that comment is:
However, as mentioned in Harry Zheng's post on Dosql (http://dosql.com/cms/index.php?option=com_content&view=article&id=96:sql-server-best-practice-policy-public-not-granted-server-permissions&catid=40:microsoft-sql-server&Itemid=41),
executing the following command:
REVOKE CONNECT ON ENDPOINT::[TSQL Default TCP] FROM public
while best practice, is nevertheless liable to get you in deep trouble on a production server unless you also execute:
GRANT CONNECT ON ENDPOINT::[TSQL Default TCP] to [loginname]
for each of your logins, because without this, no-one except sysadmins will have permission to connect to your instance via TCP.
It refers to performing the revoke connect on endpoint as best practice, which we agree is arguable. Unfortunately, Harry Zheng's post is a dead link. None of the later editions of this page are commented on in any way.
Further, the policy referenced by this documentation, "Public Not Granted Server Permissions," is distributed with SQL Server and evaluates @PublicServerRoleIsGranted. It flags this policy as failed if any connect to endpoint is granted to public.
Fortunately, I'm one of those that insists on testing before moving forward with any change. I also cannot leave gaps in my knowledge unfilled, which is why I posted. Again, thanks for the assistance!
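The audit and per-login grants discussed in this thread, as an added example that is not part of the original posts or of Microsoft's documentation. It reads only the standard catalog views and generates GRANT statements for review without executing them; the endpoint name comes from the thread, and which logins should actually receive the grant is a local decision.

```sql
-- Added example: inventory endpoint CONNECT permissions before revoking from public.

-- 1. Endpoints on which public currently holds CONNECT
--    (this is what the "Public Not Granted Server Permissions" policy flags).
SELECT e.name          AS endpoint_name,
       e.protocol_desc,
       e.type_desc,
       p.state_desc,
       p.permission_name
FROM sys.server_permissions AS p
JOIN sys.endpoints          AS e ON e.endpoint_id  = p.major_id
JOIN sys.server_principals  AS g ON g.principal_id = p.grantee_principal_id
WHERE p.class_desc      = N'ENDPOINT'
  AND p.permission_name = N'CONNECT'
  AND g.name            = N'public';

-- 2. Logins with no explicit CONNECT on [TSQL Default TCP], with a generated
--    GRANT for each. After the revoke, these logins could connect over TCP
--    only if they are sysadmins. is_disabled and type_desc are shown so that
--    system and disabled logins can be reviewed rather than granted blindly.
SELECT l.name        AS login_name,
       l.type_desc,
       l.is_disabled,
       N'GRANT CONNECT ON ENDPOINT::' + QUOTENAME(e.name)
         + N' TO ' + QUOTENAME(l.name) + N';' AS grant_stmt
FROM sys.server_principals AS l
CROSS JOIN sys.endpoints   AS e
WHERE l.type IN ('S', 'U', 'G')          -- SQL logins, Windows logins, Windows groups
  AND e.name = N'TSQL Default TCP'
  AND NOT EXISTS (
        SELECT 1
        FROM sys.server_permissions AS p
        WHERE p.class_desc           = N'ENDPOINT'
          AND p.major_id             = e.endpoint_id
          AND p.grantee_principal_id = l.principal_id
          AND p.permission_name      = N'CONNECT'
          AND p.state IN ('G', 'W')      -- GRANT or GRANT WITH GRANT OPTION
      )
ORDER BY l.name;

-- 3. The revoke quoted in the thread, left commented out. Run it only after
--    the reviewed grants from step 2 have been applied and tested.
-- REVOKE CONNECT ON ENDPOINT::[TSQL Default TCP] FROM public;
```

Changing the endpoint name in step 2 repeats the check for the other endpoints returned by step 1.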
Similar Messages
-
hyper link of public image(hyperlink or image) can not be saved on windows server 2012 and sharepoint 2010 problem, is this a bug?
thanks for any reply.
Rosone
It is not a bug, you might be using IE in Windows Server 2012 and the browser might be restricting your site actions to respond properly.
Check this in a different browser or access the site in a different OS.
Adnan Amin MCT, SharePoint Architect | If you find this post useful kindly please mark it as an answer. -
SQL Server UID Permissions and JDBC
I'm using Netbeans 5.5.1 on my local PC and have created a connection to a remote SQL server using IP. I have followed the JDBC driver installation (as obtained from the Microsoft site) and I have even connected to the remote database in my Netbeans IDE using an account "imsteam". All appears okay with the connectivity....except...
With the account "imsteam", that I use to remotely connect to the database server...I can only see tables and stored procedures that were created by the user "imsteam". All other tables and stored procedures have been created/owned by "dbo", which I know exist, but I can't see them in my "run-time" window in Netbeans.
I have had our DBA check the permissions on the SQL server itself, and "imsteam" account has access to all tables and stored procedures, but I still can't see them through the JAVA netbeans IDE.
Is there some little "gotcha" that I need to be aware of when using netbeans so I can see these tables and procedures. Any advice, or references to articles specifically on account permissions with netbeans would be appreciated.
hi shilohcity,
i did have some problem when i updated my sql server to sp3. The driver i was using.., Atinav's aveConnect3, didn't connect and was throwing exceptions. But after contacting their tech support, they provided me with an updated version, which they had released recently, and that solved the problem. I now believe that with that support, what i paid for that driver was worth it.'cos I would've been kept waiting for the updates if i was using some free driver with poor tech support.
see these links..
http://forum.java.sun.com/thread.jsp?forum=48&thread=351239
and another one
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=e4774458.0301270610.134f9e5d%40posting.google.com&rnum=1&prev=/groups%3Fq%3DaveConnect%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3De4774458.0301270610.134f9e5d%2540posting.google.com%26rnum%3D1
I do think this is some problem that could be solved by the driver vendors. The M$'s TDS version is still a mystery as far as I know, and the driver should communicate with SQL Server using this TDS protocol. I don't know, maybe SP3 would've introduced updates in the TDS protocol, and the drivers should be able to support it, or new updated versions released.
It can happen in future too... M$ may change their stance anytime. Better be wise in choosing your DB server and be even more careful while choosing JDBC drivers.
cheers,
-Jer -
Outlook Public Folder access and permissions
How do I add an account to a public Folder and grant management permissions to that account?
Hi,
To add permissions for client users to access Public Folder content, we can use Exchange Management Shell to add it as what ManU PhiliP posted.
Alternatively, we can use the Public Folder Management Console to add public folder permissions for a client user. For detailed steps about this, please refer to the following official article:
https://technet.microsoft.com/en-us/library/aa998834(v=exchg.141).aspx
Regards,
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
Winnie Liang
TechNet Community Support -
Remote Server Shares and Permissions...
Hi there...is there any command prompt CMD to view or list the server shares and permission (either Remotely or locally) in Windows environment... Pls let me know...
VT
Hi,
Yes, you can use "ICACLS <path>" to check NTFS permissions (locally on the file server using the local drive or remotely using the UNC path). You could refer to the article below to know more detailed information about iCacls.
iCacls
http://technet.microsoft.com/en-us/library/cc753525.aspx
You can use "NET SHARE <sharename>" to check share permissions (locally on the file server).
Net share
http://technet.microsoft.com/en-us/library/bb490712.aspx
Best Regards,
Mandy
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
Outlook cached mode, shared calendars, permissions and sync errors
We have the following environment -
Exchange 2010 SP2, no public folder DB; Outlook 2010 sp1 cached mode.
under very specific circumstances, but unfortunately a common circumstance, we're getting sync errors -
15:59:56 Synchronizer Version 14.0.6126
15:59:56 Synchronizing Mailbox 'Nigel'
15:59:56 Synchronizing server changes in folder 'Naomi - Calendar'
15:59:56 Downloading from server 'outlook.cri.camres.org'
15:59:56 Error synchronizing folder
15:59:56 [80070005-508-80070005-560]
15:59:56 You do not have sufficient permission to perform this
operation on this object. See the folder contact or your system administrator.
15:59:56 Microsoft Exchange Information Store
15:59:56 For more information on this failure, click the URL below:
15:59:56
http://www.microsoft.com/support/prodredirect/outlook2000_us.asp?err=80070005-508-80070005-560
15:59:56 Done
This occurs if Naomi shares her Calendar with me, without granting me read "Full Details", if she changes the permissions and allows me to read Full Details, the sync error goes away.
It's repeatable, i have tested it with a few users sharing calendars with each other, and changing permissions.
The peculiar thing is that Naomi is in My Team, so her calendar is listed under Team Calendar, I get no sync errors, it's only when I add Naomi's Calendar as a Shared Calendar and don't have read Full Access permission that the sync errors appear.
Users don't necessarily want to give Full Access to their Calendars, so that's not really a viable workaround for us. This smells very much like a bug with Outlook; is anyone else seeing this?
Hi
Thanks for sharing
Cheers
Zi Feng
TechNet Community Support -
Task or script to monitor file ownership, permissions and change as needed
I'm using a Mac OS X Tiger (10.4.9) computer as a file server for a group of people who are (1) individually non-administrative users and (2) members of Groups. The hard drive is partitioned into 2 volumes: Vol1 has no non-admin access, Vol2 has a Shared folder containing folders with files intended for either Public or Private access. I'm admin with UID=501 and trying not to be a danger. Each other user has a unique UID. Each Group has a unique GID. The folder that all users have access to is named Pub_shares. Every user allowed to access Pub_shares is a member of PubGroup (GID=505).
Now when a user accesses a file nested in Pub_shares, that file usually becomes owned by that user and the group membership may change from PubGroup and may undergo a change to "Read only" or "No Access." Since all members of PubGroup should have Read & Write access to files in Pub_shares, this is a problem. All files in Pub_shares, regardless of who last touched them, should remain:
Owner = chris / Access Read & Write
Group = PubGroup / Access Read & Write
Others = No Access
I've read some about Ownership & Permissions. I've seen it suggested that an admin set up an automated task, say to run every 3 minutes; that task checks file ownership and permissions and, if different, changes the values recursively to those shown above, such that:
Owner = 501 / Access = rwx
Group = 505 / Access = rwx
What do I need here? An Automator workflow? A shell script? AppleScript? Cron? launchd? How do I put this together? I don't know the syntax or the expressions to use. Any help is much much appreciated. [Note again: My "server" runs Tiger 10.4.9.] Thanks.
..."I have some Windows users (trying) to access shared files. Will the afp inheritance options stand up to a Windows user?"...
No the afp inherit settings won't apply to windows sharing, but I think there are equivalent settings that can be applied to smb.
..."I thought, too, I'd read somewhere that inheritance options use the topmost volume folder to set inheritance patterns."...
I am not able to double-check this for Tiger, but I don't think that is the case. As far as I know, with those settings enabled (and it doesn't work reliably if only one is enabled) permissions and ownership should be inherited from the folder that the items are added to.
..."My topmost folder on vol2 is "Shared" but it contains both Pub_shares (accessible by members of PubGroup) and a few Private_shares (folders accessible by members of various private groups)."...
Sorry I missed that point in your earlier post. The above would cause complications if a user were to move items from the private area to the public area. The inheritance only applies to when files are created, so something moved from the private area to the public area would retain its original permissions. To make it work, the public and private areas would have to be set up as separate shares, rather than sharing the whole volume. -
Configuring a5505 setup public server + DMZ
Please bear with me, as I am utterly new to the a5505 and Cisco products in general.
Setup:
LAN (192.168.1.X, with .3 as gateway)
DMZ (192.168.2.X with .1 as gateway)
WAN (X.X.X.146 as primary public IP, .145 as gateway and .147-150 as additional public IPs)
I want to set it up so that X.146 is where all my outbound traffic appears to originate.
I want tcp HTTPS and SMTP to be allowed from the WAN (via the X.147 IP) to a specific server (192.168.1.11) on the LAN.
Also, HTTP traffic to X.148, X.149 and X.150 should go to DMZ and 192.168.2.8, 192.168.2.15 and 192.168.2.18 respectively, but I haven't added that to my config yet. Looking to get the HTTPS and SMTP ones working first, then I'll fix the others (one step at a time)
I've got contact with the outside world when I've configured it using the ASDMs "Public Server" interface, but it refuses to properly establish the connection, I get a "SYN timeout".
I'm sure it is a simple mistake I've made someplace, but some of this stuff is Greek to me so far, I must admit.
My config:
: Saved
ASA Version 8.2(5)
hostname kcisco
enable password X encrypted
passwd X encrypted
names
name X.X.X.144 outside-network
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 5
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.3 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.146 255.255.255.248
interface Vlan5
description DMZ interface
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
ftp mode passive
clock timezone GMT 0
object-group service DM_INLINE_SERVICE_0
service-object gre
service-object tcp eq pptp
service-object udp eq isakmp
service-object udp eq 1701
service-object udp eq 1723
service-object udp eq 4500
object-group service DM_INLINE_TCP_1 tcp
port-object eq https
port-object eq smtp
object-group service DM_INLINE_TCP_3 tcp
port-object eq https
port-object eq smtp
access-list outside_access extended permit tcp any object-group DM_INLINE_TCP_3 host X.X.X.147 object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) X.X.X.147 192.168.1.11 netmask 255.255.255.255
access-group outside_access in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:cc8458013e545e2e7ba1e2c0caa3dd6a
: end
no asdm history enable
Thanks, fixed that at least.
But still no further in getting the connection to be established.
I see this in my logs:
6 Oct 09 2012 15:29:22 Z.Z.Z.Z 42061 192.168.1.11 443 Built inbound TCP connection 1064 for outside:Z.Z.Z.Z/42061 (Z.Z.Z.Z/42061) to inside:192.168.1.11/443 (X.X.X.147/443)
6 Oct 09 2012 15:29:52 Z.Z.Z.Z 42061 192.168.1.11 443 Teardown TCP connection 1064 for outside:Z.Z.Z.Z/42061 to inside:192.168.1.11/443 duration 0:00:30 bytes 0 SYN Timeout
(Z.Z.Z.Z is the outside host I am testing from)
(I've connected the mailserver to the firewall and configured it to use the FW gateway (192.168.1.3) -
DNS Issues - Can ping server name and IPs but not FQDNs.
Hi All,
Hopefully some one can help me here, I am having an issue where one of my domain attached servers cannot ping any FQDNs in the environment but it can ping the host names and the IPs and look up the host names from a reverse look up.
We have done the following troubleshooting:
Flushed and registered DNS cache.
Restarted the DNS client and net logon services on the affected server
Performed standard checks and commands such as:
Checked the event logs and found there were warnings for DNS registration.
Compared the DNS settings in the network adapters across the rest of the servers in the environment and found that they were all the same. DNS Suffixes are added in the correct order and are set to register.
Pinging FQDNs which is not giving any results.
Tracert FQDNs which is also not giving any results.
Nslookup which is querying the DNS server directly and giving results as expected
Ran the command which reported successful: dcdiag /test:registerindns /dnsdomain:sub.domain.net /v
Checked and updated the permissions on DNS for the affected server to give the server full control of its own DNS entry.
Replaced the DNS Client service DLL with one from a server that is working as expected.
Also worth noting is that the affected server (as well as every other server in the environment) has 2 NICs, one that communicates with DNS and AD and the other does not have any DNS IPs set.
Note this is not the first time this happened; a reboot fixed the issue before but it seems to be a recurring problem now.
If any one can shed some light on this issue I would be grateful.
Regards,
Steve.
Hi Steve,
First, we should confirm if this issue is caused by DNS.
When you ping the FQDN, does the server show the correct corresponding IP address?
If no, there should be some error messages. If it is possible, please post the screenshot of this issue.
To check the process about how does server resolve the FQDN, please follow the steps below:
clear local DNS cache with command ipconfig /flushdns
perform the network capture
ping the specified FQDN
Check the DNS traffic
To download Network Monitor, please click the link below:
http://www.microsoft.com/en-hk/download/details.aspx?id=4865
Besides, have you tried to update the NIC driver to the latest version?
Best Regards.
Steven Lee
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Exchange 2013 SP1 RU4 Public Folder Permissions
Hi All,
Exchange 2013 SP1 RU4 Public Folder Permissions
We have a weird problem after migrating our PF from Exchange 2010 to 2013.
Users do not have permission to create or delete in PF even though they have owner permissions.
Example:-
I have created a '\test1' folder in the root which has the following permissions (this works OK):-
Myself - Owner
Default - Author
Anonymous - None
I have created another folder '\admin\test2' folder which has the same permissions as above but i get the "cannot create the folder. you don't have appropriate permissions to perform this operation"
I get this problem across all of the folders that were migrated. clean folders created at the root with the correct permission function as per expected.
Regards
Paul Sheldon
Hi,
I recommend you use the Get-PublicFolderClientPermission -Identity publicfolder command to check the client access permissions to a public folder.
If possible, please remove permission and re-add permission to check the result.
Best regards,
Belinda
Belinda Ma
TechNet Community Support -
Setting up a new server - terminology and set up
I have a new mac OS X snow leopard mac mini server.
The set up is a follows:
The modem goes into the Time capsule router and from the time capsule there is the mac mini server and also a network printer. There are 4 other computers wirelessly 'attached' to the time capsule.
I am very confused about some of the terminology and the set up procedure.
First of all, I might have made a mistake when I did my initial setup without being attached properly to a public IP address. I set up my server inadvertently as hobbes.private. When I go to the server preferences now the DNS is listed as hobbes.private. First of all, is there anyway to change that?
The set up goes as follows:
I have a public IP address which is set at the router. From the router there is a designated IP address which goes to the server.
I have my A records and MX records set up.
my Domain name is hobbeswiki.com
the IP address is 114.160.205.178
When I do an NS lookup IP address, I get this:
Non-authoritative answer:
178.205.160.114.in-addr.arpa name = p4018-ipngnfx01morioka.iwate.ocn.ne.jp.
I've been told that this is normal.
I use a company in australia for my domain name and they have given me 2 name servers:
ns1.secure.net
ns2.secure.net
The router then takes the info and then gives me an IP address for the server
its a 10.X.X.X number.
When I set up my server properly with the IP address, it set up as hobbes.local and under available servers, under network in the server admin, it gives me
Ethernet (en0) Family IPv4 the 10.X IP address and the DNS name as hobbes.local
I tried setting up DNS but it won't take.
I don't know how to set up kerberos, but I want to get the functionality of the podcasting etc, but it tells me I need it.
I have an SSL certificate.
With all this info, how can I set this server up and do I need to start from scratch? Do I need to erase the current server and start from the beginning? Is this hobbes.private causing problems?
In the DNS settings there are just so many different names for different things and I'm not sure what goes where.
I have a lynda.com account, but I'm not sure their info is the same as mine and they have words like server.samplename.com etc...
Can someone help?
The web set up works and I've got a couple users and groups set up to try things out, so it's not a complete failure.... I just can't get anything else to work.
Thank you!
Yomogi
Yes you can. Ideally make also sure that your ISP sets the PTR record for 217.36.255.25 to myserver.address.com
-
Crystal 8 Web Component Server on Windows Server 2003 and IIS 6
I am trying to get Crystal 8 Web Component and Page Server to run on Windows 2003 Server with IIS 6. I have done the following:
Added the .cri and .rpt ISAPI extension mappings
Have Cache ISAPI extensions selected
Deselected "verify that file exists"
Added the .cri and .rpt MIME types
Added wcsinsapi.dll as a IIS 6.0 extension
The above resolved all HTTP 40x.x errors but when trying to access a report from IE I receive the following error:
Error: Could not connect to the Web Component Server.
The page server and web component server services are running and I do see the listen ports (6401, 6403) active.
I know this is old software but it works quite well under a Windows 2000 Server and other web postings indicate that it is possible to run Crystal 8 under WS2003 and IIS 6.
Does any one know of a white paper/support document that details how to run Crystal 8 under Windows Server 2003 and IIS 6?
Has any one done this successfully?
Any tips as to cause of the "Could Not Connect" problem would be greatly appreciated.
Well as it turns out it looks like it was just this server.
We tried everything, and I added those user accounts to full
permission for the Coldfusion folders and we just could not get it
to work. We tried it on another couple servers running 2003, and it
installed perfectly right out of the box with no other permissions
needed. And those servers were all running default configs with no
other permissions done.
We still have no idea what was the problem, but at least for
now it seems to be this server. But I will tell you what, that II6
stuff seems to be a bit of a pain, we had major problems installing
new version of PHP with it too. Oh well, good luck to you
too! -
Permission and ownership in Server 2003 and 2008 file server
I have an issue but I am not sure if these are the designs of the file server permissions. I have one user who has the modify rights to modify/read and create folders in a share folder. In the share folder, she had created a subfolder; so she should
be the owner of the subfolder and her security permission is modify. By right, modify does not have the rights to assign the permission to other users but as owner, she does. Does this mean that the folder owner supersede the security? And is this possible
to avoid this? eg. folder owner but does not have the rights to assign permissions to other user to access. Thanks a lot.
Hi Thim,
>>Does this mean that the folder owner supersede the security?
If the user is the Owner of the folder, he or she should have Full Control permissions to the folder,
which means the user can do anything to the folder.
>>And is this possible to avoid this? eg. folder owner but does not have the rights to assign permissions to other user to access.
As far as I know, unless we deprive the user of the ownership, we can't achieve this.
Regarding file and folder permissions, the following article can be referred to for more information.
File and Folder Permissions
http://technet.microsoft.com/en-us/library/cc732880.aspx
Best regards,
Frank Shen -
Need to connect SQL Server 2008 and CR 2008 via OLE DB SQL Server Provider
I am relatively new to Crystal but have done some minor design/layout work in the past. I just purchased CR 2008 and downloaded an Eval Copy of SQL Server 2008 to build test reports that will then be uploaded to a hosted web app we use for use with live data.
I am having some trouble, however, getting SQL server and CR 08 to talk the way I need them to. We have to use the OLE DB for SQL Server Provider connection for the reports to work in our hosted live environment but I cannot get this to work on SQL 2008. The server never appears in the Server dropdown and if I manually type it get the following error:
failed to open connection.
Detail ADO Error Code: 0x80004005
Source: Microsoft OLE DB Provider for SQL Server
Description: [DBNETLIB][ConnectionOpen (Connect()).]SQL Server does not exist or access is denied.
SQL State: 08001
Native Error: 17 [Database Vendor Code: 17 ]
I am setting up the connection through the Database Expert choosing the OLE DB (ADO) folder and then selecting 'Microsoft OLE DB Provider for SQL Server' then entering my server name, user id, password, and Database name.
I have uninstalled and reinstalled everything twice. I have installed the Microsoft SQL Server 2008 Analysis Service 10.0 OLEDB Provider pack.
My provider/host does use SQL Server 2005 but since I can't get a free Evaluation version of it I have to use 2008 for my local copy. I have searched the web over (including here) and cannot find an answer to my issue.
I cannot use SQL Server Express version because our copy of the DB is too big. I cannot use the Native 10 provider as the reports will not work once I have uploaded them to the live data.
Any help anyone can provide for this would be GREATLY appreciated. Thank you and sorry if this is a dupe post. I have searched everywhere and cannot find the answer.
Hello,
Go to Microsoft's site and download their OLE DB test tool and test the connection. Did you install the MS client tools to test the connection also?
As a test try creating an ODBC System DSN just to verify you can connect and create a report also.
And don't use the SA account, MS 2008 disabled it, sort of, so you'll have to create a new account and grant permissions to any table you need to use.
SQL 2008 changed security model big time so it's not the same as 2005 once was....
Good luck
Don
How to get server hostname and port from web form
Hi All,
I need to find out server hostname and port number
from 9i form.
That is if the form was called via:
http://myserver.com:1234/f90servlet?form=test,
i would like to call some
GET_XXX_PROPERTY(SERVER_HOSTNAME) that would return
myserver.com
and
GET_XXX_PROPERTY(SERVER_PORT) that would return
1234
or alternatively
GET_XXX_PROPERTY(SERVER_URL) that would return
complete URL, so that i can parse it myself.
Does anything like this exist? If not, would it be
possible to get that information from any Java
function via java importer?
BR,
Robert
Robert,
I'd add the code as a Java Bean in Forms and get this information from the Forms request URL.
Add the following bean to a Canvas and make it a size of 1x1 pixel so that it appears hidden:
    import java.applet.Applet;
    import java.net.URL;
    import oracle.forms.handler.IHandler;
    import oracle.forms.properties.ID;
    import oracle.forms.ui.VBean;

    public class FrmRequestInfo extends VBean
    {
        // Custom properties that Forms reads with get_custom_property()
        public static final ID pGetPort = ID.registerProperty("GET_PORT");
        public static final ID pGetHost = ID.registerProperty("GET_HOST");
        public static final ID pGetProtocol = ID.registerProperty("GET_PROTOCOL");
        private String _host;
        private String _port;
        private String _protocol;
        private URL FormsURL;
        Applet m_applet;
        /*Forms settings*/
        IHandler m_handler;

        public FrmRequestInfo()
        {
        }

        public final void init (IHandler handler)
        {
            super.init(handler);
            m_handler = handler;
            // get the forms applet handler
            m_applet = m_handler.getApplet();
            // read host, port and protocol from the URL of the page
            // that loaded the Forms applet
            FormsURL = m_applet.getDocumentBase();
            _host = FormsURL.getHost();
            // getPort() returns -1 when the URL carries no explicit port
            _port = String.valueOf(FormsURL.getPort());
            _protocol = FormsURL.getProtocol();
        }

        public Object getProperty(ID p0)
        {
            if (p0 == pGetHost)
                return _host;
            else if (p0 == pGetPort)
                return _port;
            else if (p0 == pGetProtocol)
                return _protocol;
            else
                return super.getProperty(p0);
        }
    }
To get the port number you call
VarcharVariable_Port := get_custom_property('beanblock.beanname',1,'GET_PORT');
for the hostname
VarcharVariable_Host:= get_custom_property('beanblock.beanname',1,'GET_HOST');
Frank
Ps.: just wrote the bean on the fly, without testing - but I am positive that it works as similar functionality works for me in other beans.