August 29, 2008 08:29pm pdt
 

Strange Behavior with NTFS Permissions Inheritance

Tags: ntfs, permissions, 2003, inheritance
Experts:

All of my client files are hosted on a single File Server located in-house.
The hardware is new and very efficient: an HP DL380 G5 server with loads of RAM, HDD space, processing power, etc. It is a member server of my domain and runs Server 2003 R2 SP2. I currently have both Macintosh and Windows clients touching the same directory hierarchy where all my client files reside.

I've set up the directory permissions so that a folder and its nested files inherit NTFS permissions from the parent directory. The default permissions on the root directory are set as: Domain Admins=FullControl, SYSTEM=FullControl, Domain Users=Modify. This works fine for the most part. However, at least once or twice a week, I get a call from a Macintosh user complaining that a directory/file they worked on is locked out to other users (and sometimes vice versa). So I go check it out and find that the inheritance has been superseded by the user's own permissions, therefore setting a new inheritance structure starting at the level where the anomaly happened.

Here's a good example:
Lisa is a Macintosh user - she's working today in the Clients/VISA/Creative/Rev1 directory, where there is a file within Rev 1 called cardshot.vh.psd. She closes out Photoshop and sends Jim, a Windows user, an email telling him this project is ready for proofing. Jim goes on the server, drilling down to ~/Creative, but is locked out of the ~Rev 1 directory for some reason. So I have Sally, another Mac user, have a look, and sure enough, the ~Rev 1 directory has a red STOP-SIGN on it in the Macintosh Finder window. When I check the NTFS permissions on ~Rev 1, I see that the expected permissions inheritance was blown away and replaced with: Domain Admins=Modify, Everyone=<nothing>, Lisa=FullControl, SYSTEM=Modify.

It's the weirdest thing and seems to happen only with a handful of Macintosh users/computers (three, actually). Right now, I "fix" the problem ad-hoc as it happens by repossessing ownership of the problem file/folder and reinheriting the permissions from the proper parent structure. But this is a reactive measure. My creatives want better, more secure file permission stability and I don't blame them.

So here's what I'd like to see from you Experts:
1)  Any insight into diagnosing any problems directly causing this behavior (from a Windows permission or AppleTalk perspective)
2)  Any scripts for automating resetting the proper perm-inheritance structure on a regular basis
3)  Your suggestions based on past experience will help...


- juckyt -
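
For request 2 above, one way to find and reset items whose inheritance has been broken. This is an added example, not part of the original thread or any of its answers; it assumes Windows PowerShell on the file server, an administrative account, and a placeholder root path `D:\Clients`.

```powershell
# Added example: report (and optionally repair) items under a share root whose
# DACL no longer inherits from the parent. Not code from the thread.
param(
    [string]$Root = 'D:\Clients',   # placeholder path; assumed location of the client tree
    [switch]$Fix                    # without -Fix the script only reports
)

Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
    $item = $_
    try {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL: $($item.FullName)"
        return   # inside ForEach-Object this skips to the next item
    }

    # AreAccessRulesProtected is $true when inheritance from the parent is blocked,
    # which is the state described for the "Rev 1" folder.
    if (-not $acl.AreAccessRulesProtected) { return }

    # Report the item, its current owner and the explicit ACEs found on it.
    New-Object PSObject -Property @{
        Path     = $item.FullName
        Owner    = $acl.Owner
        Explicit = ($acl.Access | ForEach-Object {
                        "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
    }

    if ($Fix) {
        # Load only the DACL so the owner is not rewritten when saving.
        $dacl = $item.GetAccessControl('Access')
        # Re-enable inheritance; the second argument is ignored when the first is $false.
        $dacl.SetAccessRuleProtection($false, $false)
        # Drop the explicit ACEs so only entries inherited from the parent remain.
        $explicit = @($dacl.GetAccessRules($true, $false,
                        [System.Security.Principal.NTAccount]))
        foreach ($rule in $explicit) {
            [void]$dacl.RemoveAccessRuleSpecific($rule)
        }
        $item.SetAccessControl($dacl)
    }
}
```

Run it without `-Fix` first and review the report, since any folder that is intentionally restricted will also be listed. The script leaves ownership unchanged.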

Question Stats
Zone: Networking
Question Asked By: juckyt
Solution Provided By: lnkevin
Participating Experts: 4
Solution Grade: A
Views: 24

Rank: Sage

Accepted Solution by lnkevin:

All comments and solutions are available to Premium Service Members only.


Rank: Master

Assisted Solution by JjcampNR:


Rank: Sage

Expert Comment by lnkevin:


Rank: Master

Expert Comment by JjcampNR:

Administrative Comment by Venabili:


Rank: Sage

Expert Comment by lnkevin:

Open Discussion
 
Comment by Computer101
Forced accept.

Computer101
EE Admin
 
 
Comment by rbrownnh999
I am having the same issue. I noticed this a few days ago. I do not have Macs; I have all Windows XP SP2 workstations and all Windows 2003 R2 servers. The hardware is an HP DL380 G4.

The file server is the only place I notice this happening, and that server is running the 64-bit version of W2K3R2. I have had issues with security corruption on this machine where all the permissions were missing.

Now I see every time someone creates or copies/moves a folder, they become the owner of that folder and their domain account is listed in the security area with special permissions.

You have to assign permissions other than special in order to remove the user's account from the security list; if not, you receive a message stating you can remove them because they are inherited, which is not true.

I'm starting to wonder if it is a SCSI disk controller issue and not a Windows issue.

juckyt, are you running the 64-bit version of W2K3R2?

I do not see this happening on the other servers, but they are not file servers and folders and files are not created often.

If anyone has a resolution I would be very interested, since this could lead to data loss.

Thanks
 
 
Comment by rbrownnh999
Sorry, it should read:

You have to assign permissions other than special in order to remove the user's account from the security list; if not, you receive a message stating you CAN NOT remove them because they are inherited, which is not true.
 
 
Comment by JjcampNR
Please open a new question for this.
 
 