• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 241
  • Last Modified:

Unable to delete a file in my fileshare even though I am an administrator...

Me, John Smith (names changed to protect the ignorant) :-) am unable to delete a file I should be able to.  On boot, H: is assigned to \\server-name\Information Systems.  From the XP desktop, I navigate to my Employee\JSmith share and attempt to delete a file.  I am unable to.  Windows returns an error saying "Cannot Delete <file name>: Access is denied".  I am failing to see why I am unable to delete this file... or any file for that matter.  I cannot create, edit, delete files on this share for some reason.

Path on server: D:\Information Systems\Employee\JSmith

File: test.txt

Permissions in folder JSmith:
- Allow: JSmith, Full Control, <not inherited>, This folder, subfolders and files
- Allow: CREATER OWNER, Full Conrol, <not inherited>, Subfolders and files only
- Allow: SYSTEM, Full Control, <not inherited>, This folder, subfolders and files
- Allow: Administrators (company.com\Administrators), Full Control, <not inherited>, This folder, subfolders and files

Owner (tab) of folder JSmith:
- Current owner of this item: John Smith (JSmith@company.com)

Effective Permissions (tab) of folder JSmith
- If I enter JSmith the system returns all check boxes as checked

I've tried checking "Replace permission entries on all child objects with entries shown here that apply to child objects" but it hasn't changed anything.  I still am unable to delete.

JSmith is a member of the enterprise admins, domain admins.
3 Solutions
Have you changed your password recently?  Run gpupdate /force from a command prompt on the server to update its group policy settings and also try rebooting the server.  Try changing \\server-name\Information Systems to the server's ip address, \\192.168.x.x\Information Systems.  Changing to the ip willusually fix this issue.
awsiemieniecAuthor Commented:
victorjones1: Thanks for the suggestion.  I have not changed my password for a while.  Just this AM the system prompted me that I have 14 days to do so.  This problem has been ongoing for about 8 days now.  Being this is a production/live server I am unable to reboot at the moment.  I'll reboot tonight.
Do you use a boot script, group policy, or the Profile tab in Active Directory to automatically connect this folder at startup?

Try changing the server name to the ip address.  You don't have to reboot for that, and doing so will most likely resolve your issue.
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

I think you should read this article i created.  It's similar to your problem and I believe it may help you out.  Though its for disk quota setup, it also talks about the situation you're facing.  It can't hurt and hopefully it helps.

awsiemieniecAuthor Commented:
On my AD server for my profile, my logon script is set to logon.vbs and my home folder is (X) Connect: H: to \\server-name\Information Systems\Employee\ASiemieniec

So I will change \\server-name\... to \\<IP Address>\...

While doing so on the server under my account on the profile tab, an error box appears.
Title: Active Directory
Message: The \\\Information Systems\Employee\JSmith home folder was not created because you do not have create access on the server.  The user account has been updated with the new home folder value but you just create the directory manually after obtaining the required access rights.
Buttons: OK

So, what's up with that?  Attached is the logon.vbs generic script we run.
On Error Resume Next
Dim GroupList
Set fso = CreateObject("Scripting.FileSystemObject")
Set WshShell = CreateObject("WScript.Shell")
Set WshNetwork = WScript.CreateObject("WScript.Network")
LogonPath = fso.GetParentFolderName(WScript.ScriptFullName)
'**************************************Group Mappings Based on Grouplist.csv*********************************
If fso.FileExists(logonpath&"\Grouplist.csv") Then
   Set grplist = Fso.OpenTextFile(logonpath&"\Grouplist.csv")
   ' make File into an Array
   aGroup = Split(grplist.Readall,vbcrlf)
   For I = 0 to UBound(GroupList) ' Check Every Group Membership the user is in (populated into Grouplist)
      grpname = Grouplist(i)
      For x = 0 to UBound(aGroup) ' Read the entire CSV to make sure all drives are mapped for each Group
         mapline = agroup(x)
         If InStr(LCase(mapline),LCase(grpname)) Then ' If you're in the group
            mapline = Mid(mapline,InStr(mapline,",")+1) ' Remove the GroupName from the line
            Drive = Left(mapline,InStr(mapline,",")-1) ' Extract Drive Letter
            Path = Mid(mapline,InStr(mapline,",")+1) ' Extract the path
            If (fso.DriveExists(drive) <> True) and (Drive<>"!!") Then ' If The Drive is not already mapped
               WshNetwork.MapNetworkDrive drive,path,true ' Map The Drive
               wscript.sleep 1000
            End If
        If Drive = "!!" then
               WSHNetwork.AddWindowsPrinterConnection Path
               wscript.sleep 1000
            end if
         End If
End If
'*************************************************Sub GetGroupInfo********************************************
Sub GetGroupInfo
Set UserObj = GetObject("WinNT://" & wshNetwork.UserDomain & "/" & WshNetwork.UserName)
Set Groups = UserObj.groups
For Each Group In Groups
	GroupCount = GroupCount + 1
ReDim GroupList(GroupCount -1)
i = 0
For Each Group In Groups
	GroupList(i) = Group.Name
	i = i + 1
End Sub

Open in new window

Does this logon script map you to more than one folder or just your home folder. \\\Information Systems\Employee\JSmith?
Or did you change the server name to the ip here:

Connect:  Z:  To:  \\Information Systems\Employee\JSmith

on the profile tab in you AD user properties?
I am not sure what you are trying to do with this VB script because I have not use VB for at least 5 years, but it seems like an overly complicated way of mapping multiple drives.  I use simple .bat files for this similar to:

@echo off

net use T: /delete
net use U: /delete
net use V: /delete
net use T: \\192.168.x.x\Depts /yes
net use U: \\192.168.x.x\Depts\Everyone /yes
net use V: \\192.168.x.x\scans\scan_folder /yes

The \\\Information Systems\Employee\JSmith home folder was not created because you do not have create access on the server.  The user account has been updated with the new home folder value but you just create the directory manually after obtaining the required access rights.

error says to me that your file server has lost part of its connection to the domain controller, which is why it says you can't create any files on it.  It is looking to the DC for your user name but can't see it for some reason.  A reboot on both servers should fix this, and make sure you do not have a firewall blocking anything.

Also try to access the file server from remote desktop.  If you are able to access it using your user name that might also clear up the problem.
awsiemieniecAuthor Commented:
victorjones1: The file share server is the same machine as the DC.
Accessing the file server via RDP and logging in as myself, I ge the same error that I'm not able to delete/change/add any of my files.
The logon.vbs file looks at what group membership the user has.  Finds the group by name in the "grouplist.csv" file and applies a drive letter to it.  That way if JSmith is a member of Accounting, Scheduling, Reception that user will get the Accounting drive, Scheduling drive and Reception drive; others if needed.
I changed from server name to server IP in both my logon script/CSV file where it references the server as well as in my profile tab in my AD user properties.

cshepfam: I've read your article.  I'll try applying the same method you outlined to my structure.
Since this server is the DC as well as the problem server your permissions are being blocked somehow.  Try the server restart first to refresh all the DC's settings.  If that does not work, a group that your user belongs to is not allowed access to your folder.  

Are there any groups or users who have checks in the denied column of your folder?  Try creating a test user and giving the test access rights to that folder.  Your AD user's attributes may be corrupt.
It's not only NTFS rights. On the share itself their are also rights, although simple once, which can block you.
On that server: right-click my computer, choose manage, browse to system tools/shared folders/shares. Right-click the share, choose properties, then the share permissions tab and verify if you have at least change rights.

awsiemieniecAuthor Commented:
PowerIT: You nailed the problem. Can't believe I missed that setting.
victorjones1: You had great ideas and I apprechiate your help
cshepfam: I will be using the suggestions you made in your article to my server.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now