"You don't have the necessary permissions to use the 'G:\QRM\Secure QRM Ddatabases.mdb' object. Have your system administrator or the person who created this object establish the appropriate permissions for you."
I believe this is a WINDOWS error message telling you that you handled the applications security but NOT the operating system security.
This security thing seems like such a nightmare.
I teach this stuff to U.S. Navy Systems Administrators. You are quite correct, but that is because Windows ITSELF is the source of the nightmare. To really do this right, you need to work with your network / file-sharing system admin to assure the following:
1. All of your users are members of a single "special group" - i.e. a created rather than intrinsic group. Pick a name. Any name not already in use. Make it a group. Let your sys-admin pick it for you if you like. S/he'll know how to do that.
2. The sys admin must assure that the GROUP conveys MODIFY-level access to the folder and contents where your database is stored. NO INDIVIDUAL USER SHOULD HAVE THESE RIGHTS.
If your admin wants to know the advanced permissions, pretty much everything except the ability to control the object's permissions and reset object ownership. It is OK to prevent deletion of the folder but you still need the right to create and delete files in that database folder. Specifically, you will need rights to the .LDB (lock) file. However, since this file doesn't exist when no one is in the DB, you can't set its permanent rights with any method other than inheritance from its parent folder. Which your sys-admin should know how to achieve.
3. For simplicity, your folder should be either a root-level folder or no more than one level deep. I.e. S:\DBFolder\... or S:\AllDBs\DBFolder\... - because you will need passthrough permission for all parents of your DB folder. It is only the group, for sure, but the deeper the folder level, the more places you must touch.
You can build an ICON that points to the exact path to the database, and if you do so, your sys-admin needs ONLY pass-through on the parents. If you need to allow the users to look for the DB, they need Directory Read abilities - the equivalent of BROWSE - to get there. Trust me, the better security is to build the ICON with an explicit (no wild-cards) path and use PASSTHRU.
4. Once you have Windows keyed in on what you want, THEN you can address the issues of Workgroup security with the .WKG file. Again, if you want to put the WKG file in the same folder as the DB, it is OK to make that file not deletable by the group members - but then you as the DB administrator might need to be in a separate group that would allow you to replace the WKG file at need. Or be prepared to work with the server's admin to do so. Unlike the LDB file, the WKG file is at least RELATIVELY stable and can therefore retain individual file rights in its ACL.
5. To do this RIGHT, you need BOTH Windows and Office (Workgroup) security in place. This is because each of those components does something different. Let Windows protect the files. Let Workgroup security protect the contents of the files - because Windows neither knows NOR CARES what is inside the file. This is an example of layered security. The layers are (i) each user's login/password on their local machines and within their domains (ii) shared folder security (iii) file security (iv) applications security.
{spoken in my best Mike-Meyers-as-Shrek imitation} Proper security is like an onion. It's got layers.
{off in the distance a plaintive hacker's voice replies} ... but I like parfait!
