Users or Groups in the Security Settings of Folder Share Vanish

Hi,

We've a strange problem here on a Server 2003 for SBS machine.

We've a number of shared folders which are all mapped to the client PC's during log-in.

Intermittantly, access issues appear.

For example today, the Users or Groups in the Security tab of the shared folder have been vanishing.

We've had similar problems before, but thought it was a network issue.

Today, out of the 8 mapped drives, two of them (the most frequently used) have lost the above settings.  We can add the group back into the list, reselect 'Allow' full rights and then apply that to all child folders etc.  It will rebuild and then we can get access.  Then after a period of time (maybe 2 minutes, maybe 20) the sub folders start to deny access, then the main shared folder will deny access.

Checking the Security tab again shows it to be empty.

We've never seen this before and can find no reason for it to happen.  It's been doing this on and off for a number of months and sometimes will do it for a while, then stop of 5 or 6 weeks.

(Since this has been happening, we've replaced the hard drives, changed the memory, the cpu and the motherboard.  The network swtiches have also been replaced.)

Any help would be appreciated as we're running out of ideas.

Thanks.
s-compsAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

lnkevinCommented:
There are a few things to be done:
- Create an audit on the folder to ensure no users disturb it. Here is the guide:
1. Go to start -> run -> write gpedit.msc.
2. Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy
3. Double click "objects access" and choose success and failure
4. Reboot the computer.
5. On the require directory right click and choose security.
5. Click on Advanced button and then on auditing tab.
6. Add "Everyone" group for tracking.
You can see the audit result in the local machine event log -> security.

- Run chckdsk /f on the partition. Some time, disk error will impact to permission setup.
- Check your GPO to be sure their is no rule set up again this folder or shared folder.

K


0
s-compsAuthor Commented:
Hi,

Many thanks.

When we get to point 3, success and failure are both greyed out.

Any ideas ?

Now going to start a CHKDSK /F
0
lnkevinCommented:
Let's try it again after chckdsk /f
The worst case is running windows recovery console to repair the OS. Every attempt should be done after correct errors on the disk with chckdsk.

K
0
Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

s-compsAuthor Commented:
CHKDSK /F has completed with no errors.

The Success and Failure boxes are still greyed out.

Any other ideas?

Thanks.
0
lnkevinCommented:
Run recovery console to restore system file. Here is the how to:
http://www.petri.co.il/install_windows_2000_xp_2003_recovery_console.htm

K
0
s-compsAuthor Commented:
Hi,

Ok we have recovery Console running. What do you think we should do next ?

Thanks
0
lnkevinCommented:
When we get to point 3, success and failure are both greyed out...

If this option is not available in your local policy, most of the time, you need to check your GPO (Group Policy) because the local policy will be overwritten by GPO. If this option is disable in GPO, your local will be greyed out.
http://technet2.microsoft.com/windowsserver/en/library/3b5204b3-8b18-4b14-babd-a81532331af61033.mspx?mfr=true

K
0
s-compsAuthor Commented:
Thanks for your help so far.

We can now select the boxes and we are auditing both success and failures (by the main user group) in relation to the two folders in question.

Since starting the audit, I've changed the permissions/access rights for the folders and they've changed back.

There seems to be a lot of audit activity from one of the PC's on the network.

It's a case now of finding which event's are the relevant ones.  There are a lot of Event ID 560's which end with - Accesses: Readattributes.  These also have a blank 'Image File Name'.

Any pointers on where to start looking?

Once again, many thanks for your help so far. It's very much appreciated.
0
lnkevinCommented:
Event ID: 560 Source: Object Accesses indicates there are users connect to this folder. It's normal. Since you can be able to capture one PC with a lot of activity, it narrower our focus. You are having permission issue with someone took over the folder owner. Did you check the Owner and Permission tab in Advance Security to see if there is suspicous users? if yes, take ownership of the folder and remove any other users that should not be in the group. Also, set user permission for Read Write, Execute, but Deny Change so user cannot change permission on the folder.

K
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
s-compsAuthor Commented:
Hi,

Just to keep you informed, we're currently monitoring the situation.

Hopefully more news next week.
0
s-compsAuthor Commented:
We've tied down the permissions and are auditing the setup.

Thanks for your help Inkevin.
0
lnkevinCommented:
You are welcome.

K
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SBS

From novice to tech pro — start learning today.