Unable to Move, Rename or Delete files created on the network

We have a windows 2003 network with the folloing configuration:

Three servers, Windows File Server Running Win2003 SP2, Exchange 2003 Server running on a Windows 2003 Server SP2 Platform and a Terminal Server also running on a Windows 2003 Server Platform.  Workstations are running Windows XP Pro SP2.

Problem:

After users on the network create a word document or any other type of document and save it to one of the assigned network drives and then try to either move, rename or delete the file, the system states that the file is currently in use and cannot be moved or deleted.  I checked the security for the file that was created and the user has FULL security rights to the file and directory.  I tested it myself and the same thing is happening.  If i create a document and save it to the local drive, I can rename it, move it and delete it if I want to.  This is happening with all users from any workstation within the network.  I ran a scan to make sure we didnt have a virus and it came back clean.

Does anyone know what might be causing this?

Thanks for the help.
mcgowrayAsked:
Who is Participating?
 
Brian PiercePhotographerCommented:
Here is an explanation I gave in another question

When you share a folder it has share permissions. For the most part, if your drives are formatted as NTFS then give the 'Everyone' Group 'Full Control' at the share level (you will need to change the default permission on the Sharing Tab as the Default is 'Everyone' Read). This may seem odd and insecure but it is not as NFTS itself allows you much greater control of permissions. It is usual to allow full control at the share level and then tie down permissions with NTFS.

If you right click on a folder and go to the Security Tab, it will show you the NTFS Permissions. Normally you will want a shared folder not to inherit permissions from its parent folder or drive, So go to the Advanced Tab and clear the 'Inherit from parent...' box and COPY the permissions when prompted.

You can then edit/add/remove groups from the security tab and assign each the required permissions. So if you want the Marketing Group to have full access to a folder, add the Marketing Group and Assign them Full Control. If you want the Sales Group to be able to read the folder and files but not add/delete/change anything, add the Sales group and leave the default permissions, (read, read and execute list folder contents). To stop others accessing the folder remove the Everyone and (domain) Users Groups from the list.

It is enough that groups do not appear on the list to stop them getting access. You do not normally need to DENY. If a user is a member of two or more groups they get the best of their cumulative NTFS Permissions (unless a deny is present, in which case it overrides).

Normally the standard permissions will be sufficient for most purposes; if you want to be more prescriptive you can use the 'Advanced' option and set advanced permissions.

If users have both share and NTFS permissions they get the most restrictive of the combination of the combined NTFS/Share permissions (which is why it is normal to allow Full Control on the share and rely on NTFS permissions)

It is usual to give permissions to groups, not to users as this makes for easier management. If a new person joins the sales team, you just add them to the sales group and they automatically get all the permissions assigned to the Sales Group. If someone moves from Marketing to sales you remove them from the Marketing group and they lose all the Marketing Group Permissions, when you then add them to sales they get all the permissions of the sales group. As already stated a user can be a member of multiple groups.

See http://www.windowsecurity.com/articles/Understanding-Windows-NTFS-Permissions.html for more info

Once a folder is shared with the correct folder and NTFS permissions users can connect to it using the UNC path name, it they can type \\ServerName\ShareName at the run Prompt. Alternatively they can map a drive to the folder. To do this click on Tools, Map Network drive in Windows Explorer and  assign any unused drive letter to the shared folder. The folder will then appear a s Network drive in "My Computer"
0
 
Brian PiercePhotographerCommented:
What rights so they have on the SHARE - they need Full Control.
0
 
tcicatelliCIOCommented:
I'm sure I'm restating the obvious, but by "Full" permissions, are you saying full NTFS permissions AND full network permissions?  The two are separate.
0
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

 
Brian PiercePhotographerCommented:
The two are seperate. to set the share permission go to the shared folder - right click, select Properties, Sharing and select the PERMISSIONS option on the share tab - set to Full Control for the group (or Full control for EVERYONE) - don't panic the NTFS permission will still apply.
0
 
mcgowrayAuthor Commented:
I believe they have both.  When I click on the network folder in question and go to the security tab, it shows all the users that have access to that folder with full access.  When I go the file server and right click on the shared folder for the users and go to security the share has full access rights.  This started occurring a few days ago.  I dont understand the problem.  If I have a users that has full access rights to a folder and everything under it, they can create a doc, open it and edit it but they cant move, rename or delete it.  The security on the file itself is set to full for this user.

I'm confused.
0
 
tcicatelliCIOCommented:
If you are having an issue where you can't modify, edit, delete, etc over the network, but can do all these things locally, the problem is with your share permissions.  You need to go to the server, right-click "sharing" and set permissions there.  It can be nothing else.
0
 
mcgowrayAuthor Commented:
I checked all the permissions and everything looks like it is set correctly.  As a test I created a test share on the server.  I gave the share full access to the "Everyone" object.  I went back to the users station, mapped a drive to the new share, created a test doc in that folder and the same issues occured.  How can that happen if I gave full access rights to the folder and the user?
0
 
Brian PiercePhotographerCommented:
Have you got any deny options set anywhere ?
0
 
mcgowrayAuthor Commented:
No.  I check all of the permissions for the users.  I agree that it is a security issue but I just cant seem to find it.  I have been up all night trying to get this resolved and I admit I'm a littel punchy right now.  I setup a test folder on the terminal server just to see.  I mapped a drive to it from the users workstation and I was able to create and delete the doc.  So it is definitely on the file server.  Where else can I check if there are deny permissions set?
0
 
Brian PiercePhotographerCommented:
Check that you have not put any deny options on any of the share permissions or on any of the NTFS permissions on the hared folder or any folders above it that it may be inheriting permissions from.

You can also user the |Effective permissions tab on NTFS - see if that reveals anything - http://technet2.microsoft.com/windowsserver/en/library/87b011ec-b1b4-4baf-8ab0-53147b22a4201033.mspx?mfr=true
0
 
mcgowrayAuthor Commented:
I checked the effective permissions and there are no checks in any of the Deny entries.  I'm lost.
0
 
Brian PiercePhotographerCommented:
Does seem very odd - I'll have to think about that a bit more.
0
 
mcgowrayAuthor Commented:
Thanks I do appriciate the help.
0
 
tcicatelliCIOCommented:
Have you tried accessing it remotely as an administrator?
0
 
tcicatelliCIOCommented:
Oh, I know, I Know!!!

Did you log off and log back on to read the new permissions?
0
 
mcgowrayAuthor Commented:
Tried that.  No Joy.
0
 
Brian PiercePhotographerCommented:
.. could be - here's hoping ....
0
 
samiam41Commented:
Are you set up in an AD environment?  I didn't see where you mentioned that part.  Also, have you made any changes to your network (DNS, DHCP, WINS) during the last 3 days or install a new AV product?  Are you getting any error messages in the event viewers on the desktops or server(s)?
0
 
samiam41Commented:
Is this Windows 2003 R2 SP2?  There is another post (sorry, no solution for them either yet) with similiar issues on their server.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Q_22869537.html?cid=365

0
 
mcgowrayAuthor Commented:
It is an AD environment.  We have recently added Macafee Enterprise AV 8.5i to the servers.  No Errors in the logs that would indicate a problem.
0
 
samiam41Commented:
Is McAfee doing any kind of scanning that would prevent access to the files during the day?  Check to see your AV settings.
0
 
mcgowrayAuthor Commented:
Checked.  Everything looks OK.  I dont think it is interfereing with the writting of the files
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.