Passport Partner Area Contact Passport Site Map Legal
HomeAccounting and Business SolutionsThe Passport AdvantageCurrent News & EventsLearn About Passport
 
PASSPORT TECH NOTES
 
  Post PBS Version 11 Installation Permissions

Recent Passport Listserv activity expressed some concern about PBS V11 and RW32 not working properly unless users are made members of the "administrators" group on Windows 2000 and Windows 2003 servers.

These problems are related to file and directory permissions, or what Microsoft calls Access Control Lists (ACL's).  A file or directory's ACL plus the security context of the user determines how files and directories are accessed on the server.

You can control ACL's on the server by using a built-in command "CACLS".

You can find the CACLS command documented for Windows 2000 Server here and in the WIndows XP documentation here.

PBS V11 installs in it's default location on the server at C:\Program Files\PBS.  Using the CACLS command to look at the default permissions you would see:

C:\Program Files>cacls pbs
C:\Program Files\PBS BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Power Users:C
BUILTIN\Power Users:(OI)(CI)(IO)C
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
CREATOR OWNER:(OI)(CI)(IO)F
NT AUTHORITY\TERMINAL SERVER USER:C
NT AUTHORITY\TERMINAL SERVER USER:(OI)(CI)(IO)C

To correct the problem discussed on the listserv, you can use the following CACLS command to assign FULL permissions for Everyone, achieving the same result as changing the default location on a Windows 2000 server, as was mentioned by one of the listserv posts.  The "changing the default location" solution will not work, however, on a Windows 2003 Server since the security was tightened up in that release.  In that case you must use the following command on any directory you choose to install PBS into:

C:\Program Files>cacls pbs /E /T /G Everyone:F
processed dir: C:\Program Files\PBS

Resulting in:

C:\Program Files\PBS Everyone:(OI)(CI)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Power Users:C
BUILTIN\Power Users:(OI)(CI)(IO)C
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
CREATOR OWNER:(OI)(CI)(IO)F
NT AUTHORITY\TERMINAL SERVER USER:C
NT AUTHORITY\TERMINAL SERVER USER:(OI)(CI)(IO)C
 

You can also use the CACLS command to change any existing permissions that are displayed, in order to achieve the security context you are looking for.  Basically, problems that are caused by the security context of the user are best solved with some solid system administration skills, because an installation routine cannot anticipate all environments it might encounter.

You can also used the CACLS command in a batch file - click here to learn about it

This issue may be more rigorously addressed in the next release of the installation routines.

These operations can also be performed in the GUI using Windows Explorer->Properties context menu->Security tab:

Then by clicking the Advanced Button, you can get or edit further:

Notice, this was after the execution of the CACLS command above.

To send comments, questions, corrections, or additions, etc. on this article click here.