We help IT Professionals succeed at work.

Users or Groups in the Security Settings of Folder Share Vanish

Hi,

We've a strange problem here on a Server 2003 for SBS machine.

We've a number of shared folders which are all mapped to the client PC's during log-in.

Intermittantly, access issues appear.

For example today, the Users or Groups in the Security tab of the shared folder have been vanishing.

We've had similar problems before, but thought it was a network issue.

Today, out of the 8 mapped drives, two of them (the most frequently used) have lost the above settings.  We can add the group back into the list, reselect 'Allow' full rights and then apply that to all child folders etc.  It will rebuild and then we can get access.  Then after a period of time (maybe 2 minutes, maybe 20) the sub folders start to deny access, then the main shared folder will deny access.

Checking the Security tab again shows it to be empty.

We've never seen this before and can find no reason for it to happen.  It's been doing this on and off for a number of months and sometimes will do it for a while, then stop of 5 or 6 weeks.

(Since this has been happening, we've replaced the hard drives, changed the memory, the cpu and the motherboard.  The network swtiches have also been replaced.)

Any help would be appreciated as we're running out of ideas.

Thanks.
Comment
Watch Question

Top Expert 2009

Commented:
There are a few things to be done:
- Create an audit on the folder to ensure no users disturb it. Here is the guide:
1. Go to start -> run -> write gpedit.msc.
2. Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy
3. Double click "objects access" and choose success and failure
4. Reboot the computer.
5. On the require directory right click and choose security.
5. Click on Advanced button and then on auditing tab.
6. Add "Everyone" group for tracking.
You can see the audit result in the local machine event log -> security.

- Run chckdsk /f on the partition. Some time, disk error will impact to permission setup.
- Check your GPO to be sure their is no rule set up again this folder or shared folder.

K


Author

Commented:
Hi,

Many thanks.

When we get to point 3, success and failure are both greyed out.

Any ideas ?

Now going to start a CHKDSK /F
Top Expert 2009

Commented:
Let's try it again after chckdsk /f
The worst case is running windows recovery console to repair the OS. Every attempt should be done after correct errors on the disk with chckdsk.

K

Author

Commented:
CHKDSK /F has completed with no errors.

The Success and Failure boxes are still greyed out.

Any other ideas?

Thanks.
Top Expert 2009

Commented:
Run recovery console to restore system file. Here is the how to:
http://www.petri.co.il/install_windows_2000_xp_2003_recovery_console.htm

K

Author

Commented:
Hi,

Ok we have recovery Console running. What do you think we should do next ?

Thanks
Top Expert 2009

Commented:
When we get to point 3, success and failure are both greyed out...

If this option is not available in your local policy, most of the time, you need to check your GPO (Group Policy) because the local policy will be overwritten by GPO. If this option is disable in GPO, your local will be greyed out.
http://technet2.microsoft.com/windowsserver/en/library/3b5204b3-8b18-4b14-babd-a81532331af61033.mspx?mfr=true

K

Author

Commented:
Thanks for your help so far.

We can now select the boxes and we are auditing both success and failures (by the main user group) in relation to the two folders in question.

Since starting the audit, I've changed the permissions/access rights for the folders and they've changed back.

There seems to be a lot of audit activity from one of the PC's on the network.

It's a case now of finding which event's are the relevant ones.  There are a lot of Event ID 560's which end with - Accesses: Readattributes.  These also have a blank 'Image File Name'.

Any pointers on where to start looking?

Once again, many thanks for your help so far. It's very much appreciated.
Top Expert 2009
Commented:
Event ID: 560 Source: Object Accesses indicates there are users connect to this folder. It's normal. Since you can be able to capture one PC with a lot of activity, it narrower our focus. You are having permission issue with someone took over the folder owner. Did you check the Owner and Permission tab in Advance Security to see if there is suspicous users? if yes, take ownership of the folder and remove any other users that should not be in the group. Also, set user permission for Read Write, Execute, but Deny Change so user cannot change permission on the folder.

K

Author

Commented:
Hi,

Just to keep you informed, we're currently monitoring the situation.

Hopefully more news next week.

Author

Commented:
We've tied down the permissions and are auditing the setup.

Thanks for your help Inkevin.
Top Expert 2009

Commented:
You are welcome.

K

Explore More ContentExplore courses, solutions, and other research materials related to this topic.