
Windows File Server - Folder ownership problems and resolution


Background Information


Recently I fixed file server permission issues for one of my clients. The client has 1800 users and one Windows Server 2008 R2 domain-joined file server with 12 TB of data and 250+ shared folders, with a folder structure five levels deep. All shared folder access is granted on a per-user basis and no groups are defined, so the folder access control lists (ACLs) have grown unmanageably large.


The file server is part of one domain, and since the client acquired another company, we have to grant the second company's users (in another domain) appropriate rights to the file server data. The domain-level trust is already in place.

The problem:


For many folders, administrators don't even have read access and can't check the folder ACL. They cannot see the folder owner and cannot access the folder, so they are unable to manage file server access at all.


For example:

[Figure: Folder-Access-1.jpg]
[Figure: Folder-Access-2.jpg]
I went to the folder properties, and it reports that the folder is empty, when in reality it is not; I simply don't have permission to view the folder size.

[Figure: Folder-Access-3.jpg]
I don't have access to view the folder's NTFS permissions, but I am able to view the share permissions, and the share permissions are Full Control for Everyone.


I am even unable to see the folder owner:

[Figure: Folder-Access-4.jpg]
The administrator can take folder ownership forcefully with the replace-permissions option, but this destroys the existing file server permissions, which is not desirable.

[Figure: Folder-Access-5.jpg]
If I click Yes here, all existing permissions will be destroyed by granting me full control (in addition to ownership), which is not the objective. I am forced to click No, and I immediately get the following warning messages:

[Figure: Folder-Access-6.jpg]

[Figure: Folder-Access-7.jpg]

Unless I get folder ownership, I can't add or modify anybody, including myself, on the folder's access control list.

 

The root cause of this problem is that multiple users have Full Control NTFS permissions on the root folder. Some "smart" users have removed the built-in Administrators group from the access control list and from the owner tab. The CREATOR OWNER group is listed on the ACL of the folders, which means the user who creates a file or folder automatically becomes its owner. The permissions model has become complicated: access is granted to individual users instead of groups, which is difficult to track.


NTFS Folder ownership


  • Every object has an owner, whether the object is in an NTFS volume or in Active Directory Domain Services (AD DS). The owner controls how permissions are set on the object and to whom permissions are granted.
  • An administrator who needs to repair or change permissions on a file must begin by taking ownership of the file if he does not already own it.
  • By default, the owner is the entity that created the object. The owner can always change permissions on an object, even when the owner is denied all access to the object.

Ownership can be taken by:

  • By default, the Administrators group is granted the Take ownership of files or other objects user right.
  • Any user or group who has the Take Ownership permission on the object.
  • A user who has the Restore files and directories user right.

Ownership can be transferred in the following ways:

  • The current owner can grant the Take Ownership permission to another user. The user must actually take ownership to complete the transfer.
  • A member of the local Administrators group can take ownership.
  • A user who has the Restore files and directories user right can double-click Other users and groups and choose any user or group to assign ownership to.

 

CREATOR OWNER

[Figure: Folder-Access-8.jpg]
If you look at the diagram above, there is a special group called CREATOR OWNER. This group is inherited from the drive root, and because of it the person who creates files and folders is automatically assigned ownership of those files and folders, as long as this group is listed on the ACL.

 

I have shared folders ranging in size from 10 GB to 250 GB; I need a method to take ownership of all folders without destroying the existing folder permissions.

There are TWO options left:

Either I take folder ownership from top to bottom without destroying existing permissions

OR

I find a user who already has Full Control permissions on the folder and who can grant my admin account access to the folder, and I take it from there. There are multiple free tools available on the internet to accomplish this. Membership in the server's local Administrators group is the minimum prerequisite for using any of them.


Takeown – built-in tool available on Windows-based systems for managing folder ownership


Takeown has its own limitations and can destroy existing NTFS permissions in addition to taking folder ownership. To take ownership with the Takeown utility without destroying existing permissions, you must have at least read permission on the folder and its files; otherwise you cannot take ownership. So the verdict is that, until you own all subfolders and files, you have to run the TWO commands below one after the other, again and again.

takeown /f <directory path> /r /a
where
  /f specifies the file or folder
  /r recurses into subfolders and files
  /a assigns ownership to the Administrators group instead of the current user

AND

icacls <directory path> /grant administrators:f /t
  /t applies the change to all subfolders and files
  f grants Full Control

Example:
takeown /f C:\TFolders /r /a
icacls C:\TFolders /grant administrators:f /t

[Figure: Folder-Access-9.jpg]
In the example above, Takeown assigned ownership of the "C:\TFolders" root folder only to the Administrators group, even though the /r switch requested recursive ownership, because you do not have read permission on the subfolders and files. If you answer Y at the prompt, all existing folder permissions will be destroyed and only your admin account will be granted Full Control. You can add the /D switch with a Y or N parameter to suppress the permission-replacement prompt on every object. At this point you own only the root folder: you still own none of the subfolders, and you have no permissions on the root folder or its subfolders.


The same thing happens when you try to take folder ownership from the GUI in recursive mode:

[Figure: Folder-Access-10.jpg]
In the snapshot above, if you select Yes, it will destroy the existing folder permissions by granting you Full Control in addition to ownership.

 

Now that you have ownership of the root folder, you need to run the icacls command with the Windows built-in utility to grant Administrators Full Control. This grants Administrators Full Control on the root folder only, because you do not yet own the rest of the subfolders and files.

[Figure: Folder-Access-12.jpg]
Next you have to run the Takeown utility again to take ownership of the next level of subfolders and files, which is now possible because you have access to the root folder.

[Figure: Folder-Access-13.jpg]
Once you own those folders, you again need to assign permissions with the icacls utility, as shown below.

[Figure: Folder-Access-14.jpg]
In the diagram above there is still one access-denied error. You need to run both commands repeatedly until you have ownership of and access to the entire folder tree. Then you can manage all aspects of that folder.
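The repeated Takeown / icacls cycle described above is mechanical, so it can be scripted. The following PowerShell function is an added example and not code from the article: it runs the same two built-in commands until neither reports an access-denied object, answering the Full Control prompt with /D N so that the existing DACL is never replaced. It assumes an elevated PowerShell session, a caller who is a member of the local Administrators group, English tool output (the error strings matched are locale dependent), and a constructed sample path.

```powershell
# Added example (not from the article): automate the "run both commands
# again and again" loop for Takeown + icacls without destroying the DACL.
# Assumes: elevated PowerShell, caller in local Administrators, English
# takeown/icacls output; 'C:\TFolders' is a constructed sample path.

function Repair-TreeOwnership {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MaxPasses = 20
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Path not found: $Path" }

    for ($pass = 1; $pass -le $MaxPasses; $pass++) {
        # /A gives ownership to the Administrators group, /R recurses, and
        # /D N answers "No" to the "grant you Full Control?" prompt, so the
        # existing permissions stay intact. Objects we cannot read are skipped.
        $ownOut    = & takeown.exe /F $Path /R /A /D N 2>&1 | Out-String
        $ownDenied = ([regex]::Matches($ownOut, 'Access is denied')).Count

        # /grant adds an ACE for Administrators (it does not replace the DACL);
        # /T recurses; /C continues past inaccessible objects instead of stopping.
        $aclOut    = & icacls.exe $Path /grant 'Administrators:F' /T /C 2>&1 | Out-String
        $aclFailed = 0
        if ($aclOut -match 'Failed processing (\d+) files') { $aclFailed = [int]$Matches[1] }

        Write-Host ("pass {0}: takeown denied={1}, icacls failed={2}" -f $pass, $ownDenied, $aclFailed)

        # Each pass can reach at least one level deeper, because the objects
        # owned in this pass are now readable by Administrators.
        if ($ownDenied -eq 0 -and $aclFailed -eq 0) { return $true }
    }
    Write-Warning "Gave up after $MaxPasses passes; some objects are still inaccessible."
    return $false
}

# Constructed sample path; replace with the share root being repaired.
Repair-TreeOwnership -Path 'C:\TFolders'
```

The loop terminates as soon as a pass reports no denied objects; if a tree is deeper than the pass limit, or some objects are protected by Deny ACEs the tools cannot get past, the function returns $false so the caller can fall back to Subinacl or SetACL.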

  

Subinacl – free utility available from Microsoft

 

SetACL and Subinacl are very powerful tools and can do much more than Takeown. I prefer them over the Takeown utility. Their major advantage is that they can take ownership of an entire folder, including subfolders and files, in one shot and regardless of access permissions, without destroying existing permissions, even if you don't have read permission on the folder root, subfolders or files.


Syntax of command:

Subinacl /noverbose /Subdirectories <Directory Path> <action parameter>

Examples:

To take ownership of the folder root:
Subinacl /noverbose /Subdirectories F:\Projects\1016120 /setowner=administrators
If the folder name contains spaces:
Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data" /setowner=administrators

To take ownership of all subfolders and files underneath the root folder:
Subinacl /noverbose /Subdirectories F:\Projects\1016120\ /setowner=administrators
If the folder name contains spaces:
Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data\*" /setowner=administrators

To grant Administrators Full Control on the folder root:
Subinacl /noverbose /Subdirectories F:\Projects\1016120 /grant=administrators=f
If the folder name contains spaces:
Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data" /grant=administrators=f

To grant Administrators Full Control on all subfolders and files underneath the folder root:
Subinacl /noverbose /Subdirectories F:\Projects\1016120\ /grant=administrators=f
If the folder name contains spaces:
Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data\*" /grant=administrators=f


The example below shows how to take folder ownership and access with the Subinacl tool. The tool takes ownership of all subfolders and files, including the root folder, and grants Full Control to the built-in Administrators group without destroying any existing permissions.

[Figure: Folder-Access-15.jpg]
The Subinacl utility gives you one additional facility: it lets you back up the NTFS security, along with ownership, of an entire folder before making any changes. If you make a mistake while taking folder ownership or modifying a folder's access control list, you can restore the entire NTFS access control list.


Syntax of command:

Subinacl /noverbose <action parameter> /subdirectories <Directory path>

To back up the NTFS permissions of the root folder:
Subinacl /noverbose /output=C:\TFolders_Root.txt /subdirectories C:\TFolders
If the folder name contains spaces:
Subinacl /noverbose /output=C:\MyData_Root.txt /subdirectories "C:\My Data"

To back up the NTFS permissions of all subfolders and files underneath the root folder:
Subinacl /noverbose /output=C:\TFolders_Child.txt /subdirectories C:\TFolders\
If the folder name contains spaces:
Subinacl /noverbose /output=C:\MyData_Child.txt /subdirectories "C:\My Data\*"

To restore the NTFS permissions on the folder root:
Subinacl /noverbose /playfile C:\TFolders_Root.txt

To restore the NTFS permissions on subfolders:
Subinacl /noverbose /playfile C:\TFolders_Child.txt

The first command restores security on the root folder (C:\TFolders).
The second command restores security on all subfolders and files underneath the folder root (C:\TFolders\*).

For example:

[Figure: Folder-Access-18.jpg]
The Subinacl command line reference help file is attached here: subinacl.zip
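Because Subinacl can both back up and replay an ACL, the safe order of operations is: back up, verify the backup actually exists, then change ownership, then grant access, then re-read the descriptor to confirm. The PowerShell below is an added example, not code from the article or from Microsoft; it wraps the exact Subinacl commands shown above in that order and refuses to change anything if a backup file is missing or empty. It assumes subinacl.exe is on the PATH, an elevated session, and constructed sample paths (C:\TFolders, C:\AclBackups).

```powershell
# Added example (not from the article): Subinacl backup -> setowner ->
# grant -> verify, with a restore function for the backup files.
# Assumes subinacl.exe on PATH and an elevated prompt; paths are samples.

function Backup-NtfsSecurity {
    param([Parameter(Mandatory)][string]$Root,
          [Parameter(Mandatory)][string]$BackupDir)
    if (-not (Get-Command subinacl.exe -ErrorAction SilentlyContinue)) {
        throw 'subinacl.exe not found on PATH'
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
    $rootFile  = Join-Path $BackupDir "root-$stamp.txt"
    $childFile = Join-Path $BackupDir "child-$stamp.txt"
    # Same two backup commands as the article: root object, then everything beneath it.
    & subinacl.exe /noverbose "/output=$rootFile"  /subdirectories $Root     | Out-Null
    & subinacl.exe /noverbose "/output=$childFile" /subdirectories "$Root\*" | Out-Null
    foreach ($f in $rootFile, $childFile) {
        # Abort before touching any ACL if the backup did not get written.
        if (-not (Test-Path -LiteralPath $f) -or (Get-Item -LiteralPath $f).Length -eq 0) {
            throw "Backup $f is missing or empty; no changes made"
        }
    }
    [pscustomobject]@{ Root = $rootFile; Child = $childFile }
}

function Grant-AdminsOwnership {
    param([Parameter(Mandatory)][string]$Root,
          [Parameter(Mandatory)][string]$BackupDir)
    $backup = Backup-NtfsSecurity -Root $Root -BackupDir $BackupDir
    # Ownership first (root, then children), then the Full Control ACE.
    # /grant= adds an ACE; it does not replace the existing DACL.
    & subinacl.exe /noverbose /subdirectories $Root     /setowner=administrators | Out-Null
    & subinacl.exe /noverbose /subdirectories "$Root\*" /setowner=administrators | Out-Null
    & subinacl.exe /noverbose /subdirectories $Root     /grant=administrators=f  | Out-Null
    & subinacl.exe /noverbose /subdirectories "$Root\*" /grant=administrators=f  | Out-Null
    # Administrators can now read the descriptor, so confirm the result.
    $acl = Get-Acl -LiteralPath $Root
    $adminsFull = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -eq 'FullControl'
    }
    [pscustomobject]@{
        Path       = $Root
        Owner      = $acl.Owner
        AdminsFull = [bool]$adminsFull
        AceCount   = $acl.Access.Count   # pre-existing ACEs plus the one just added
        Backup     = $backup
    }
}

function Restore-NtfsSecurity {
    param([Parameter(Mandatory)][string]$RootFile,
          [Parameter(Mandatory)][string]$ChildFile)
    # Replays the saved descriptors, root first, then the subtree.
    & subinacl.exe /noverbose /playfile $RootFile  | Out-Null
    & subinacl.exe /noverbose /playfile $ChildFile | Out-Null
}

# Constructed sample invocation.
Grant-AdminsOwnership -Root 'C:\TFolders' -BackupDir 'C:\AclBackups' | Format-List
```

Keep the backup directory itself outside the tree being modified and readable only by Administrators; the output files contain the full security descriptors of every object, which is exactly the information an attacker would use to find loosely protected data.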


SetACL

The command line version is freeware. There is no need to install it, as it is a standalone .exe file: download it and run it from an elevated command prompt. Like Subinacl, this utility works well and is capable of taking folder ownership and granting folder access without destroying existing folder permissions.


Syntax of command:

SetAcl -on <Directory Path> -ot <object type> -actn <parameter> -rec cont_obj -silent
where
  -on stands for "object name", the name of the directory
  -ot stands for "object type"
  -actn is the action to be performed, setting the owner (setowner) in our case
  -rec requests a recursive action, carried out on all subfolders and files (cont_obj)
  -silent suppresses all output on screen

Examples:
To set the owner on an entire folder:
SetAcl -on C:\TFolders -ot file -actn setowner -ownr n:administrators -rec cont_obj -silent
If the folder name contains spaces:
SetAcl -on "C:\My Imp Data" -ot file -actn setowner -ownr n:administrators -rec cont_obj -silent

To grant the Administrators group Full Control on an entire folder:
SetAcl -on C:\TFolders -ot file -actn ace -ace "n:administrators;p:full" -rec cont_obj -silent
If the folder name contains spaces:
SetAcl -on "C:\My Imp Data" -ot file -actn ace -ace "n:administrators;p:full" -rec cont_obj -silent

For example:

[Figure: Folder-Access-16.jpg]
The command above assigns ownership of the entire folder to the built-in Administrators group and grants it Full Control without destroying any existing folder permissions. Refer to the SetAcl online command reference for more information: https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe/


Some best practices for setting up standard shared folders to minimize management effort:


  1. Always share the folder with Everyone: Full Control share permissions.
  2. Control user access through the NTFS access control list.
  3. To control user access through NTFS permissions, disable inheritance on the root shared folder from the advanced NTFS security page.
  4. Avoid granting users Full Control NTFS permissions on root shares and subfolders unless absolutely necessary.
  5. Ensure that the server's local Administrators group has Full Control NTFS permissions on the root share and owns the root folder as well. Never grant an individual administrator Full Control NTFS permissions.
  6. Remove the CREATOR OWNER group from the root share. This is the main culprit behind most folder ownership and access issues; removing it ensures that individual users never become owners of subfolders and files.
  7. Try to avoid granting Deny permissions to users or groups on the NTFS access control list.
  8. Avoid granting permissions to individual users on a shared folder's access control list as far as possible.
  9. Instead of adding individual users to the access control list, create global security groups, add the required users to them, and grant these security groups the appropriate rights on the access control list.
  10. The process for setting up roaming profiles is a bit different from the above; by default these folders are not accessible to administrators. However, you can apply group policy in advance on the server where you want to store roaming profiles so that the built-in Administrators group has access to the roaming profile folders if necessary. The GPO setting "Add the Administrators security group to roaming user profiles" can be found under Computer Configuration => Administrative Templates => System => User Profiles. A good article on setting up roaming profiles / home directories is already published on the TechNet blog: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx
  11. Another option is to take complete ownership of the roaming profile share with SetACL or Subinacl without destroying the existing ACL, and then add the Administrators group to the roaming profile root share. That will eventually be inherited by the individual profile folders.
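Most of the practices in the list above can be checked mechanically, which is useful both before a migration like the one described and as a periodic control afterwards. The PowerShell below is an added example, not part of the article: it reads each share root's descriptor with Get-Acl and reports deviations from practices 3, 5, 6, 7 and 8/9. The user-versus-group test uses a WinNT ADSI lookup as a heuristic (it cannot resolve well-known SIDs such as CREATOR OWNER, which it simply treats as non-users); the share paths are constructed samples.

```powershell
# Added example (not from the article): audit share roots against the
# best-practice list. Paths are constructed samples; the ADSI lookup is a
# heuristic for distinguishing user principals from groups.

function Test-PrincipalIsUser {
    param([string]$Account)   # 'DOMAIN\name' or 'MACHINE\name'
    $parts = $Account -split '\\', 2
    if ($parts.Count -ne 2) { return $false }   # e.g. 'CREATOR OWNER', 'Everyone'
    try {
        $obj = [ADSI]"WinNT://$($parts[0])/$($parts[1])"
        return ($obj.SchemaClassName -eq 'User')
    } catch {
        return $false   # BUILTIN / NT AUTHORITY principals do not bind; treat as non-user
    }
}

function Get-ShareRootFindings {
    param([Parameter(Mandatory)][string[]]$Roots)
    foreach ($root in $Roots) {
        $findings = @()
        try {
            $acl = Get-Acl -LiteralPath $root -ErrorAction Stop
        } catch {
            # This is the article's starting condition: admins cannot even read the ACL.
            [pscustomobject]@{ Path = $root; Owner = $null
                               Findings = @("cannot read security descriptor: $($_.Exception.Message)") }
            continue
        }
        $aces = $acl.Access
        $adminsFull = $aces | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
            $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -eq 'FullControl'
        }
        if ($acl.Owner -ne 'BUILTIN\Administrators') { $findings += "owner is $($acl.Owner), not BUILTIN\Administrators (practice 5)" }
        if (-not $adminsFull)                         { $findings += 'Administrators lack Full Control (practice 5)' }
        if (-not $acl.AreAccessRulesProtected)        { $findings += 'inheritance still enabled on share root (practice 3)' }
        if ($aces | Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' }) { $findings += 'CREATOR OWNER present (practice 6)' }
        if ($aces | Where-Object { $_.AccessControlType -eq 'Deny' })                { $findings += 'Deny ACE present (practice 7)' }
        $userAces = $aces | Where-Object { Test-PrincipalIsUser $_.IdentityReference.Value }
        if ($userAces) {
            $names = ($userAces | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique) -join ', '
            $findings += "per-user ACEs: $names (practices 8/9)"
        }
        [pscustomobject]@{ Path = $root; Owner = $acl.Owner; Findings = $findings }
    }
}

# Constructed sample share roots; an empty Findings list means the root is compliant.
Get-ShareRootFindings -Roots 'F:\Projects', 'F:\Shares\Finance' | Format-List
```

Run it as a scheduled task under the server's Administrators group and diff the output between runs; a root that suddenly gains a per-user ACE, loses the Administrators entry, or changes owner is exactly the drift that produced the situation this article describes.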
Author: Mahesh
6 Comments
 
LVL 1

Expert Comment

by:wannabecraig
File shares on the C drive? I would address that before addressing other issues.
A key component for a file server is file shares on different volumes than the C drive.

Certainly would not be having access lists containing usernames and not security groups. It becomes unmanageable; if this is avoidable, get rid of the usernames.

Try getting the take ownership snap-in for the context menu in Windows; google it and you can find it.
When you right-click on a folder in the Windows GUI you then have a take ownership button.
 
LVL 37

Author Comment

by:Mahesh
On the system drive we have the default administrative shares only; we don't normally have to touch those folders.
I have taken C:\ drive folders as an example only.
In the case of Active Directory you also have the sysvol and netlogon shares, but we never touch those folders from either the GUI or the command line unless there are weird issues.

I have seen the registry hack which enables the Take Ownership context menu.
http://www.howtogeek.com/howto/windows-vista/add-take-ownership-to-explorer-right-click-menu-in-vista/
It is not very useful on production file servers:
It just grants you / the administrators group ownership of the folder, grants you full control on the folder, wipes out the existing security on the folder and enables inheritance again.
This is not desirable when you need to retain the existing security on a shared folder, because, as already mentioned in the article, in order to take ownership with takeown you have to have at least read access on the folders. If you don't have read access, it will ask whether you want to grant yourself full control on the entire ACL, and if you enter yes, it will wipe out the existing security.

That is why I always prefer Subinacl / SetAcl, which are more powerful and useful than the Takeown utility.
 
LVL 1

Expert Comment

by:wannabecraig
Yeah, some of your tips are pretty cool, thanks.

 
LVL 9

Expert Comment

by:schmiegu
Good advice and very similar to the way I'm working. Only some comments/suggestions on your best practices:

I prefer Authenticated Users over Everyone (not really a great difference).
I prefer to remove the Creator/Owner permission from the disk level as well as Users, so only Administrators and System have Full Access (if I don't forget it). One caveat: doing so on 2012 will cause you to disable UAC or to work on the command line; you may create a folder with Explorer, but you can't access it unless you add yourself to the ACL by username (although a member of the Administrators group). Because I'm not a friend of UAC on a server, I disable it, and the ACL stays simple.
 
LVL 37

Author Comment

by:Mahesh
Thanks

There is a slight difference between Authenticated Users and Everyone.
The Everyone group contains the Guest, IUSR and IWAM accounts in addition to authenticated users / domain users in trusted domains and forests.
Previously anonymous users were part of the Everyone group, but with 2003 AD that was removed.

The Authenticated Users group includes all users whose identities were authenticated when they logged on. This includes local user accounts as well as all domain user accounts from trusted domains and forests.
Authenticated Users does not contain the Guest, IUSR, IWAM, Anonymous, Local Service and Network Service accounts.
Normally these accounts cannot log on to any machine to access shared resources, and the Guest account is disabled by default unless you enable it.

As a fact, I really do not see a noticeable difference between the TWO; however, you may use Authenticated Users instead of Everyone.
The major permissions control remains on the NTFS permissions.

Probably we need to disable UAC, otherwise it will prompt unnecessarily; in some organizations they have a policy to keep UAC enabled.

Normally I do want to clear Creator Owner from the shared folder root at the beginning; you can remove it from the drive root, however I don't think it is required.

I observed on 2012 and above servers that if you are a server administrator and you try to open a shared folder for which you don't have access on the NTFS ACL, and you access it through the local path, it will prompt you with a popup so that you can click Continue and you will get access.
 

Expert Comment

by:Gaurav Chauhan
Many thanks for this detailed article. This subinacl tool is just awesome, far better than icacls; it solved my greatest problem. Now I am surprised why this tool is mentioned nowhere; this should be promoted as a built-in tool by Microsoft. Many thanks again.
