Office 2007 permissions different from Office 2003

[Robulus]

I've seen 2 posts directly relating to the problems I have had with
O2k7.

http://groups.google.com/group/micr...st&q=office+2007+ntfs&rnum=1#47e9befb98b350c6
http://groups.google.com/group/micr...st&q=office+2007+ntfs&rnum=2#10ec8fc237bc41b6

I've got a test group using 2007 and they have had all sorts of
problems with permissions on the file server.
After some poking around, I found that they need Modify access over
the original Read/Write access that they had using Office 2003.

Here's what I've determined:

- Office 2003 and 2007 use a temp file for when a user is modifying a
file (which I have seen as a hidden file when editing a word or excel
file)
- Something in the way 2007 saves/converts/overwrites the original
file is different from 2003
- Any one who asks this is ridiculed with the response: "Office has
always done that, nothing has changed, you don't know what your
talking about, STFU & GBTW" which tells me that no one actually HAS an
answer to this dilemma.

Basically, I just need to know if there is anyway to get Office 2007
to act like Office 2003 in regards to NTFS permissions. I'm still
using XP, not upgrading to Vista anytime soon...my servers are W2K3
SP1 or higher.
I have one group of users on Office 2007 and refuse to upgrade anyone
else until I can get a straight answer about this problem...

So anyone have a rational explanation for this phenomenon and,
hopefully, a solution? Or am I just gonna get another wisea$$ comment
from the peanut gallery???

 

[Bob Buckland ?:-\)]

While the file format has changed the basic process and permissions recommendation have not.
http://support.microsoft.com/kb/277867/en-us?FR=1
When working on a server Word copies the file locally then deletes and renames the old temp files, but needs more than just
Read/Write.

FWIW, there isn't a newsgroup, microsoft.public.office, on the MS newsserver at news://msnews.microsoft.com (it was listed in your
message list).

==============I've seen 2 posts directly relating to the problems I have had with
O2k7.

http://groups.google.com/group/micr...st&q=office+2007+ntfs&rnum=1#47e9befb98b350c6
http://groups.google.com/group/micr...st&q=office+2007+ntfs&rnum=2#10ec8fc237bc41b6

I've got a test group using 2007 and they have had all sorts of
problems with permissions on the file server.
After some poking around, I found that they need Modify access over
the original Read/Write access that they had using Office 2003.

Here's what I've determined:

- Office 2003 and 2007 use a temp file for when a user is modifying a
file (which I have seen as a hidden file when editing a word or excel
file)
- Something in the way 2007 saves/converts/overwrites the original
file is different from 2003
- Any one who asks this is ridiculed with the response: "Office has
always done that, nothing has changed, you don't know what your
talking about, STFU & GBTW" which tells me that no one actually HAS an
answer to this dilemma.

Basically, I just need to know if there is anyway to get Office 2007
to act like Office 2003 in regards to NTFS permissions. I'm still
using XP, not upgrading to Vista anytime soon...my servers are W2K3
SP1 or higher.
I have one group of users on Office 2007 and refuse to upgrade anyone
else until I can get a straight answer about this problem...

So anyone have a rational explanation for this phenomenon and,
hopefully, a solution? Or am I just gonna get another wisea$$ comment
from the peanut gallery??? <<
--

Bob Buckland ?
MS Office System Products MVP

*Courtesy is not expensive and can pay big dividends*

 

[Harlan Grove]

While the file format has changed the basic process and permissions
recommendation have not.
http://support.microsoft.com/kb/277867/en-us?FR=1
When working on a server Word copies the file locally then deletes and
renames the old temp files, but needs more than just Read/Write.

Yeah, but this problem has been reported before. I'll believe emprical
evidence before MSFT documentation every time.

FWIW, there isn't a newsgroup, microsoft.public.office, on the MS
newsserver
at news://msnews.microsoft.com (it was listed in your message list).

....

So? My ISP provides it, and Google Groups carries it. Think of it as yet
another USENET newsgroup even if it does begin with microsoft. This isn't a
problem for anyone who accesses newsgroups using a real news reader.

 

[Harlan Grove]

I've seen 2 posts directly relating to the problems I have had with
O2k7. ....
I've got a test group using 2007 and they have had all sorts of
problems with permissions on the file server.
After some poking around, I found that they need Modify access over
the original Read/Write access that they had using Office 2003. ....
Basically, I just need to know if there is anyway to get Office 2007
to act like Office 2003 in regards to NTFS permissions. . . .

Not likely.

And if you don't like this response, too bad.

There is NO EFFECTIVE SECURITY obtained by withholding Modify permission
from users if they can delete then replace existing files. Withholding
Modify permission only makes sense (it's possible to PROVE this) in
environments in which use WRITE ONLY files. If you need the proof,
withholding Modify permission means users can't open the file with READ
*AND* WRITE access (see any C compiler's documentation for either fopen or
open functions for details on what this means). However, users can open the
file with READ access, open another file with WRITE access, effectively copy
the contents of the first file to the second file, add as much malware or
other crap that they want (or their viruses generate for them), close AND
DELETE the first file, save and close the second file THEN RENAME the second
file as the first file.

If users can DELETE existing files (and Microsoft Office has ALWAYS required
at least that level of user permissions), withholding Modify permission does
NOTHING to protect ANY file. [And the much, much wiser people who design[ed]
Unix file systems understood this, which is why Unix file systems provide
only Read, Write and Execute permissions (OK, I'm ignoring add-on access
control). Novell had separate Modify rights for Netware, but Netware also
provided DeleteInhibit and RenameInhibit permissions as well as Transaction
files which NTFS lacks, so separate Modify permission made sense for Netware
(write-only files made some sense), but simply doesn't for NTFS.]

 

[Bob Buckland ?:-\)]

Harlan,

Typically, the 'problem' is reported when only Read/Write permissions are granted. As noted in that article the suggested
permissions haven't changed for several versions. Some of what happens can depend if local copies are made before editing by the
Office apps and also where certain temp files are, and where certain environment variables are pointing as well.

==============
Yeah, but this problem has been reported before. I'll believe emprical
evidence before MSFT documentation every time. >>
--

Bob Buckland ?
MS Office System Products MVP

*Courtesy is not expensive and can pay big dividends*

 

[Robulus]

Harlan,

Typically, the 'problem' is reported when only Read/Write permissions are granted. As noted in that article the suggested
permissions haven't changed for several versions. Some of what happens can depend if local copies are made before editing by the
Office apps and also where certain temp files are, and where certain environment variables are pointing as well.

==============
Yeah, but this problem has been reported before. I'll believe emprical
evidence before MSFT documentation every time. >>
--

Bob Buckland ?
MS Office System Products MVP

*Courtesy is not expensive and can pay big dividends*

That was the answer I was hoping to avoid. I appreciate what Harland
is saying about the effectiveness of the permissions, I think he made
a similar response to one of the other posts concerning this issue,
but thats not really my problem per say. My biggest concern is that I
have tens if not hundreds of thousands of files and folders on a multi-
TB NAS which will require a LOT of man-hours to reassign permissions
to make them "work" for Office 2007. Scripting may be viable for
large chunks of this, but its really going to boil down to manually
changing any folder w/ read/write permissions to modify... I guess if
I get started now, I can be done by the time Office 2010 comes out.

Bad show, Microsoft, bad show.

 

[Harlan Grove]

That was the answer I was hoping to avoid. I appreciate what Harland
is saying about the effectiveness of the permissions, I think he made
a similar response to one of the other posts concerning this issue,
but thats not really my problem per say. My biggest concern is that I
have tens if not hundreds of thousands of files and folders on a multi-
TB NAS which will require a LOT of man-hours to reassign permissions
to make them "work" for Office 2007. Scripting may be viable for
large chunks of this, but its really going to boil down to manually
changing any folder w/ read/write permissions to modify... I guess if
I get started now, I can be done by the time Office 2010 comes out.

....

I'm not a sysadmin, but I'd be very surprised if the Windows Server resource
kit didn't include a command line tool for changing group permissions. And
there's the CACLS command for changing user permissions. If you had a text
file with a list of servers in it, it'd be pretty simple to write a batch
file to iterate through all servers, and through all or specified common
directories on those servers changing group and perhaps user permissions.
This might take a while to run, but it could run unattended.

If you need help writing such a batch file (or would feel more comfortable
using Windows Scripting), post a request for help in

microsoft.public.win2000.cmdprompt.admin

since that's decidedly way off-topic in Office newsgroups. Don't be put off
by the 'win2000'. That newsgroup deals with all Windows Server OS's.