Solved

Windows 2008 NTFS group permissions not applying correctly

Posted on 2009-05-19
Last Modified: 2013-12-22
I have a data folder where I am trying to set up permissions. I set the local administrators group and system to full control at the root. I then apply user group permissions at each subdirectory as I always have within Windows 2003. Logged in as a domain administrator, I am unable to view the root directory as it gives me access denied. I can take ownership and reset the permissions to include my explicit user name instead of a group and it works fine. Another weird result is I can check effective permissions and it says they are correct. Am I misunderstanding 2008, because it appeared to me to be pretty much the same permission setup?
Question by:ScruggsT
9 Comments
 
LVL 2

Expert Comment

by:MatheusM
Generally, if you don't have access at the root, you don't have access to any sub-folders. Unless I'm reading what you wrote wrong, the domain admin group doesn't expressly have access to the folder. While domain admins have the ability to take ownership then change permissions, the best practice is to allow authenticated users access at the root and then set folder level permissions below that. Remember to start with open permissions, then narrow them down as you move into each sub folder until you're satisfied with the security; just don't forget that a user needs to have access to the parent folder. This only applies if you are talking about a single share, however; if you share out each subfolder, you can set permissions individually per share.
 

Author Comment

by:ScruggsT
Sorry, I am not very good at writing. My normal setup that I have used for years on Windows 2003 and earlier is to set Local administrators group and system full control at the root of the drive. I then set my permissions for the users at the folders that I'm sharing. In this case I am sharing a folder called Apps where I share it to authenticated users with share permissions of full control and then set NTFS permissions so they inherit the permissions from above plus add modify permissions to authenticated users or read and execute as it is in this case. I feel like I am not a novice at this as I have been doing it for over twenty years, but this issue is starting to make me doubt myself. This 2008 server is sitting within a 2003 domain; do you think I need to bring up a 2008 server as a domain controller and extend the schema? I cannot imagine this would be required for NTFS permissions to flow correctly.
 
LVL 8

Expert Comment

by:Kavostylin
Hi There,

The problem you are experiencing is in the INHERIT PERMISSIONS settings. You need to remove the inherit permissions from the Root directory. I believe this to be a BUG in Server 2008; Microsoft would call it ADDED SECURITY, but it's just a real pain in the BUM.

Add your domain administrator group or individual administrators to your "Local Administrators" group. Once you have done that, remove the "Inherit Permissions from parent" setting, which can be found on one of the tabs of the advanced security section. I usually remove it from the whole drive (if you do, then the creator is the owner and occasionally may need to manually add users).

Once this is done then you should have no further problems.

Let me know.

KAVO
 

Author Comment

by:ScruggsT
Kavo, I have not had a chance to get back to this customer's site. If I understand you correctly, you are saying to remove inherited permissions from the root of the drive? I was unaware that this was even settable at the root, as what is it inheriting from? I will attempt to set the root as non-inheritable and the same with the first subfolder level. I will make my permission assignments at the first folder level as well as my shares and share permissions. I will let you know on Monday July 8 of the outcome.
 
LVL 82

Accepted Solution

by:
oBdA earned 500 total points
This is very probably User Account Control interfering.
Are you using the default admin or a domain account that is a member of the domain admins group?
Do you have access if you add your account to another group that has access to this folder?
Try to run Notepad with elevated rights (Right-click, "Run as Administrator"), and check if you can save a file in this folder then.
Jorge's Quest For Knowledge! > Access Denied does not seem to be what it really means
http://blogs.dirteam.com/blogs/jorge/archive/2007/08/01/access-denied-does-not-seem-to-be-what-it-really-means.aspx
Utility Spotlight Script Elevation PowerToys for Windows Vista
http://technet.microsoft.com/en-us/magazine/2007.06.utilityspotlight.aspx
 

Author Comment

by:ScruggsT
oBda, thank you for the info. As soon as I get system time I will try your suggestions. I think this may be in line with what I am seeing. I am logging in with a user that is a member of the domain admins group. My permissions are set in this way.
At root of drive "D"
Local Administrators group and System have "Full Control"
Each sub folder is a share and I have set them to inherit permissions and added domain local groups assigning the appropriate permissions for user access. The share permissions are not part of the equation as I have not shared them yet.
 

Author Closing Comment

by:ScruggsT
Thank you for the input and sorry for the delay accepting it. I had a new baby and was busy with my wife and baby. Turning off the UAC fixed my problem. Most of the info you sent was in relation to running programs, but to be honest I did not look very long due to lack of time. I will be looking for more information regarding UAC and setting file system permissions. It appears that if you access the share the UAC does not ask you or allow you to elevate your permissions for the administrative rights to work correctly. Thank you again for the info you sent as it led me in the right direction for a quick fix.
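
The accepted answer and the closing comment point to UAC's filtered token as the cause. As an added example that is not part of the original thread, this PowerShell check reports whether the current token is elevated and whether the Allow ACEs on a folder reach the account only through BUILTIN\Administrators. The `$Path` default and the output wording are assumptions, and the check does not evaluate Deny ACEs or individual rights.

```powershell
# Added example, not from the thread. $Path is a placeholder for the folder
# that returns "Access Denied" (the thread describes the root of drive D).
param([string]$Path = 'D:\')

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
$adminSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

# Under UAC a non-elevated token carries BUILTIN\Administrators as deny-only,
# so IsInRole returns $false even for a member of Domain Admins.
$elevated = $principal.IsInRole($adminSid)
"Elevated token: $elevated"

# SIDs that can satisfy an Allow ACE without elevation: the user plus the
# enabled groups, minus Administrators. WindowsIdentity.Groups already
# leaves out deny-only groups.
$usable = @($identity.User) + @($identity.Groups) |
    ForEach-Object { $_.Value } |
    Where-Object { $_ -ne $adminSid.Value }

try {
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
} catch {
    # A filtered token often cannot even read the ACL of such a folder.
    "Cannot read the ACL on ${Path}: $($_.Exception.Message)"
    "Re-run from an elevated prompt to list the ACEs."
    return
}

# Ask for the rules with SIDs instead of translated account names.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$allow = @($rules | Where-Object { $_.AccessControlType -eq 'Allow' })

$viaAdmin = @($allow | Where-Object { $_.IdentityReference.Value -eq $adminSid.Value })
$viaOther = @($allow | Where-Object { $usable -contains $_.IdentityReference.Value })

if ($viaAdmin.Count -gt 0 -and $viaOther.Count -eq 0) {
    "This account reaches $Path only through BUILTIN\Administrators."
    "A non-elevated (UAC-filtered) token will get Access Denied."
} else {
    "Allow ACEs usable without elevation:"
    $viaOther | ForEach-Object {
        "  {0}  {1}" -f $_.IdentityReference.Value, $_.FileSystemRights
    }
}
```

Run it once from a normal prompt and once from an elevated one. A result that differs between the two runs is the UAC behaviour the accepted answer describes, not a fault in the ACL.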