Solved

Windows 2008 NTFS group permissions not applying correctly

Posted on 2009-05-19
Last Modified: 2013-12-22
I have a data folder where I am trying to set up permissions. I set the local Administrators group and SYSTEM to full control at the root. I then apply user group permissions at each subdirectory as I always have within Windows 2003. Logged in as a domain administrator, I am unable to view the root directory, as it gives me access denied. I can take ownership and reset the permissions to include my explicit user name instead of a group and it works fine. Another weird result is that I can check effective permissions and it says they are correct. Am I misunderstanding 2008? It appeared to me to be pretty much the same permission setup.
Question by:ScruggsT
9 Comments
 
LVL 2

Expert Comment

by:MatheusM
ID: 24436817
Generally if you don't have access at the root, you don't have access to any sub-folders.  Unless I'm reading what you wrote wrong, the domain admin group doesn't expressly have access to the folder.  While domain admins have the ability to take ownership then change permissions, the best practice is to allow authenticated users access at the root and then set folder level permissions below that.  Remember to start with open permissions, then narrow them down as you move into each sub folder until you're satisfied with the security, just don't forget that a user needs to have access to the parent folder.  This only applies if you are talking about a single share however, if you share out each subfolder, you can set permissions individually per share.
0
 

Author Comment

by:ScruggsT
ID: 24442482
Sorry, I am not very good at writing. My normal setup that I have used for years on Windows 2003 and earlier is to set the local Administrators group and SYSTEM to full control at the root of the drive. I then set my permissions for the users at the folders that I'm sharing. In this case I am sharing a folder called Apps, where I share it to Authenticated Users with share permissions of full control and then set NTFS permissions so they inherit the permissions from above, plus add modify permissions to Authenticated Users, or read and execute as it is in this case. I feel like I am not a novice at this, as I have been doing it for over twenty years, but this issue is starting to make me doubt myself. This 2008 server is sitting within a 2003 domain; do you think I need to bring up a 2008 server as a domain controller and extend the schema? I cannot imagine this would be required for NTFS permissions to flow correctly.
0
 
LVL 8

Expert Comment

by:Kavostylin
ID: 24488613
Hi There,

The problem you are experiencing is in the INHERIT PERMISSIONS settings. You need to remove the inherit permissions from the root directory. I believe this to be a BUG in Server 2008; Microsoft would call it ADDED SECURITY, but it's just a real pain in the BUM.

Add your domain administrator group or individual administrators to your "Local Administrators" group. Once you have done that, remove the "Inherit Permissions from parent" setting, which can be found on one of the tabs of the advanced security section. I usually remove it from the whole drive (if you do, then the creator is the owner and you occasionally may need to manually add users).

Once this is done then you should have no further problems.

Let me know.

KAVO
0

 

Author Comment

by:ScruggsT
ID: 24549221
Kavo, I have not had a chance to get back to this customer's site. If I understand you correctly, you are saying to remove inherited permissions from the root of the drive? I was unaware that this was even settable at the root, as what is it inheriting from? I will attempt to set the root as non-inheritable and the same with the first subfolder level. I will make my permission assignments at the first folder level as well as my shares and share permissions. I will let you know on Monday July 8 of the outcome.
0
 
LVL 83

Accepted Solution

by:oBdA (earned 500 total points)
ID: 24585949
This is very probably User Account Control interfering.
Are you using the default admin or a domain account that is a member of the domain admins group?
Do you have access if you add your account to another group that has access to this folder?
Try to run Notepad with elevated rights (Right-click, "Run as Administrator"), and check if you can save a file in this folder then.
Jorge's Quest For Knowledge! > Access Denied does not seem to be what it really means
http://blogs.dirteam.com/blogs/jorge/archive/2007/08/01/access-denied-does-not-seem-to-be-what-it-really-means.aspx
Utility Spotlight Script Elevation PowerToys for Windows Vista
http://technet.microsoft.com/en-us/magazine/2007.06.utilityspotlight.aspx
0
 

Author Comment

by:ScruggsT
ID: 24592656
oBdA, thank you for the info. As soon as I get system time I will try your suggestions. I think this may be in line with what I am seeing. I am logging in with a user that is a member of the Domain Admins group. My permissions are set in this way.
At root of drive "D"
Local Administrators group and System have "Full Control"
Each sub folder is a share and I have set them to inherit permissions and added domain local groups assigning the appropriate permissions for user access. The share permissions are not part of the equation as I have not shared them yet.
0
 

Author Closing Comment

by:ScruggsT
ID: 31600399
Thank you for the input and sorry for the delay accepting it. I had a new baby and was busy with my wife and baby. Turning off the UAC fixed my problem. Most of the info you sent was in relation to running programs, but to be honest I did not look very long due to lack of time. I will be looking for more information regarding UAC and setting file system permissions. It appears that if you access the share, the UAC does not ask you or allow you to elevate your permissions for the administrative rights to work correctly. Thank you again for the info you sent, as it led me in the right direction for a quick fix.
0
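A way to check the accepted answer's UAC diagnosis on the server, as an added example that is not part of the thread: it reports whether the current token is elevated and which Allow entries on the folder that token can actually use. The function name `Test-FolderToken` and the path `D:\Data` are placeholders; run it once from a normal prompt and once from an elevated one and compare.

```powershell
# Added example (not from the thread). Test-FolderToken and D:\Data are placeholders.
function Test-FolderToken {
    param([string]$Path = 'D:\Data')

    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $adminSid  = New-Object System.Security.Principal.SecurityIdentifier(
                     [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

    # False in a UAC-filtered token: BUILTIN\Administrators is then carried only
    # as a deny-only SID, so Allow entries granted to that group do not apply.
    $elevated = $principal.IsInRole($adminSid)

    # SIDs that can satisfy an Allow entry for this token. WindowsIdentity.Groups
    # leaves out deny-only groups, so a filtered token lacks Administrators here.
    $usable = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    "Account : $($id.Name)"
    "Elevated: $elevated"

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        "Cannot read the ACL of $Path with this token: $($_.Exception.Message)"
        return
    }

    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Keep Allow entries that apply to the folder itself and name a SID in this token.
    # Deny entries are not evaluated here.
    $hits = foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -eq 'Allow' -and
            -not ($ace.PropagationFlags -band $inheritOnly) -and
            $usable -contains $ace.IdentityReference.Value) { $ace }
    }

    if (-not $hits) {
        "No Allow entry on $Path matches a SID this token can use."
    } else {
        $hits | ForEach-Object {
            "Allow via {0}: {1} (inherited: {2})" -f $_.IdentityReference.Value, $_.FileSystemRights, $_.IsInherited
        }
    }
}

Test-FolderToken -Path 'D:\Data'
```

With the ACL described in the question (only the local Administrators group and SYSTEM at the root), the non-elevated run finds no usable entry or cannot read the ACL at all, while the elevated run matches the Administrators entry (S-1-5-32-544).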
