cbryant

asked on

Users Keep Losing Certain Permissions to Certain Files on the Server

Some of our domain users keep losing their "Modify" permissions on various shared files on the server. Every time they do, we remote into the server and reassign them the "Modify" permissions. Everything is good for a few days, but all of a sudden the file will lose the "Modify" permissions AGAIN. It keeps happening over and over, though only on certain files. Why are the permissions not "sticking?" Where does it sound like I should look first?
snoopfrogg

I would begin by using Windows 2003 auditing:  http://technet2.microsoft.com/windowsserver/en/technologies/featured/audit/default.mspx.

Specifically, enable auditing for "policy changes" on the affected shares.  Then check the security event log for entries associated with the folder.  Here are the associated events you can look for when you enable this setting:

http://technet2.microsoft.com/windowsserver/en/library/962f5863-15df-4271-9ae0-4b0412e297491033.mspx?mfr=true

It looks like events 608 and 609 are what you're interested in.
Hi, have you tried auditing the directory? The other thing I would check is to see if any users or groups have Full Control, as this will give them the ability to modify permissions.
Haha, good thinking snoopfrogg :)
Ha, great minds think alike.  I think it happens to every poster on here...
cbryant

ASKER

Thank you guys for your dual suggestion!
I am struggling with the auditing. I believe I configured it correctly (I referenced the articles you linked to) but I am not turning up any 608 or 609 event IDs, even though I've been modifying the permissions of the file in question. Maybe I'm doing something wrong there?
And I am nearly positive that someone with Full Control would not be changing the permissions. This is a relatively small company and people are hesitant to change anything because they know it can be easily traced back to them. Now, some of the "default" accounts (Admin, SYSTEM) have Full Control. Could one of them be "magically" (haha) changing the permissions?
One step I didn't delineate above is that of enabling auditing on the folder itself.  Once you do so, events will be tracked for the particular folder in question:

1.  Right-click the folder
2.  Properties
3.  Security tab
4.  Advanced button
5.  Auditing
6.  Add the "Everyone" group to track changes made by any user.  You'll probably want to add both local\everyone and domain\everyone to track changes made by any local or domain account.

The 608 or 609 events won't be generated until a user right is assigned or removed, so you have to wait until the next rights removal/assignment for the events to be generated.
cbryant

ASKER

OK, so I did what you suggested above, went to lunch, and came back. Upon my arrival back, one of the users who used to have access to the folder is now gone completely (was there before I left) and all of the auditing I set up before lunch is gone as well. There are no 608 or 609 entries in the Event Viewer (I'm looking under Security). Also, yesterday I unchecked "Allow Inheritable Permissions..."  and now it's checked again. All of these properties and permissions are on an .xls file.
Have you enabled auditing in the local or group policy? Go to Start / Run and type gpedit.msc, then go to Computer Config / Windows Settings / Local Policy / Audit Policy, then set Object Access to Success/Failure.

You can also do this through a Group Policy.
cbryant

ASKER

OK, I just set Auditing using gpedit.msc. I will report back when I have some more info.
Thank you!
cbryant

ASKER

I just had to edit permissions for another file on the same server (a file unrelated to this question) so when I was finished I hopped into Event Viewer --> Security to see if I could find the entry for me changing that permission. I browsed through every single entry for the time that I performed the action, and I found nothing that reported me changing that permission. Am I looking in the wrong place?
Thanks
SOLUTION
snoopfrogg

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
cbryant

ASKER

Well, I set up auditing on the file before I went to lunch, and it has removed itself from the file when I returned. So right now I just set it on the folder that is holding the file and checked "Replace permissions on all child objects."
HOWEVER
I just went in to view what I did and "Replace permissions on all child objects..." was UNCHECKED already! I had set it less than a minute earlier. Something has a mind of its own...just wish I knew WHAT!
cbryant

ASKER

OK, the auditing feature is not working for me. I set it up using all of the instructions provided and it is not turning up any useful information.
But I have noticed that it appears that "User1" keeps taking ownership of this file (unintentionally) and when that happens, "Modify" permission gets removed for "User2." I know that User1 is not doing this on purpose because he is the one who reports to me that User2 is unable to modify the spreadsheet.
It seems like some kind of security setting somewhere along the lines continues to overwrite the desired settings. What is more unusual is that User2 is a member of the "Engineering" group, and the Engineering group RETAINS its "Modify" permissions when User2 loses them.
Do I need to change settings in the .XLS file itself? If so, how would I go about doing this?
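The symptoms reported in this thread (the owner switching to User1, User2's "Modify" entry vanishing, the inheritance checkbox re-checking itself) can be timestamped without relying on the Security log by polling the file's security descriptor. This is an added example, not code from any poster in the thread; the file path, log path and polling interval are placeholders, and it assumes PowerShell 2.0 or later is available on the server.

```powershell
# Added example. $Path and $LogFile are placeholders, not values from the thread.
$Path            = 'D:\Shares\Engineering\Report.xls'
$LogFile         = 'C:\Temp\acl-watch.log'
$IntervalSeconds = 30

function Get-AclSnapshot {
    param([string]$FilePath)
    # -ErrorAction Stop turns "file missing/locked" into a catchable error
    $acl = Get-Acl -Path $FilePath -ErrorAction Stop
    New-Object PSObject -Property @{
        Owner     = $acl.Owner
        # True when "Allow inheritable permissions..." is unchecked
        Protected = $acl.AreAccessRulesProtected
        # One sortable string per ACE so two snapshots can be compared
        Aces      = @($acl.Access | ForEach-Object {
            '{0} | {1} | {2} | inherited={3}' -f $_.IdentityReference,
                $_.AccessControlType, $_.FileSystemRights, $_.IsInherited
        } | Sort-Object)
    }
}

function Compare-AclSnapshot {
    param($Old, $New)
    if ($Old.Owner -ne $New.Owner) {
        'Owner changed: {0} -> {1}' -f $Old.Owner, $New.Owner
    }
    if ($Old.Protected -ne $New.Protected) {
        'Inheritance protection changed: {0} -> {1}' -f $Old.Protected, $New.Protected
    }
    $Old.Aces | Where-Object { $New.Aces -notcontains $_ } |
        ForEach-Object { "ACE removed: $_" }
    $New.Aces | Where-Object { $Old.Aces -notcontains $_ } |
        ForEach-Object { "ACE added:   $_" }
}

$previous = Get-AclSnapshot -FilePath $Path
while ($true) {
    Start-Sleep -Seconds $IntervalSeconds
    try   { $current = Get-AclSnapshot -FilePath $Path }
    catch { continue }   # file briefly absent or locked; retry next cycle
    $changes = @(Compare-AclSnapshot -Old $previous -New $current)
    if ($changes.Count -gt 0) {
        $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        $changes | ForEach-Object { "$stamp  $_" } | Add-Content -Path $LogFile
        $previous = $current
    }
}
```

Comparing the logged timestamps with the times users opened or saved the file shows which action precedes each reset.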
SOLUTION
This solution is only available to members.
ASKER CERTIFIED SOLUTION
This solution is only available to members.