
Windows 2008 NTFS group permissions not applying correctly

I have a data folder where I am trying to set up permissions. I set the local Administrators group and System to full control at the root. I then apply user group permissions at each subdirectory, as I always have within Windows 2003. Logged in as a domain administrator, I am unable to view the root directory, as it gives me access denied. I can take ownership and reset the permissions to include my explicit user name instead of a group, and it works fine. Another weird result is that I can check effective permissions and it says they are correct. Am I misunderstanding 2008? It appeared to me to be pretty much the same permission setup.

Asked by: ScruggsT
 
MatheusM Commented:
Generally, if you don't have access at the root, you don't have access to any sub-folders. Unless I'm reading what you wrote wrong, the domain admin group doesn't expressly have access to the folder. While domain admins have the ability to take ownership and then change permissions, the best practice is to allow authenticated users access at the root and then set folder-level permissions below that. Remember to start with open permissions, then narrow them down as you move into each sub-folder until you're satisfied with the security; just don't forget that a user needs to have access to the parent folder. This only applies if you are talking about a single share, however; if you share out each sub-folder, you can set permissions individually per share.
 
ScruggsT (Author) Commented:
Sorry, I am not very good at writing. My normal setup that I have used for years on Windows 2003 and earlier is to set the Local Administrators group and System to full control at the root of the drive. I then set my permissions for the users at the folders that I'm sharing. In this case I am sharing a folder called Apps, where I share it to authenticated users with share permissions of full control and then set NTFS permissions so they inherit the permissions from above, plus add modify permissions to authenticated users, or read and execute as it is in this case. I feel like I am not a novice at this, as I have been doing it for over twenty years, but this issue is starting to make me doubt myself. This 2008 server is sitting within a 2003 domain; do you think I need to bring up a 2008 server as a domain controller and extend the schema? I cannot imagine this would be required for NTFS permissions to flow correctly.
 
Kavostylin Commented:
Hi There,

The problem you are experiencing is in the INHERIT PERMISSIONS settings. You need to remove the inherit permissions from the root directory. I believe this to be a BUG in Server 2008; Microsoft would call it ADDED SECURITY, but it's just a real pain in the BUM.

Add your domain administrator group or individual administrators to your "Local Administrators" group. Once you have done that, remove the "Inherit Permissions from parent" setting, which can be found on one of the tabs of the advanced security section. I usually remove it from the whole drive (if you do, then the creator is the owner and you occasionally may need to manually add users).

Once this is done then you should have no further problems.

Let me know.

KAVO
 
ScruggsT (Author) Commented:
Kavo, I have not had a chance to get back to this customer's site. If I understand you correctly, you are saying to remove inherited permissions from the root of the drive? I was unaware that this was even settable at the root, as what is it inheriting from? I will attempt to set the root as non-inheritable, and the same with the first sub-folder level. I will make my permission assignments at the first folder level, as well as my shares and share permissions. I will let you know on Monday July 8 of the outcome.
 
oBdA Commented:
This is very probably User Account Control interfering.
Are you using the default admin or a domain account that is a member of the domain admins group?
Do you have access if you add your account to another group that has access to this folder?
Try to run Notepad with elevated rights (right-click, "Run as Administrator"), and check if you can save a file in this folder then.

Jorge's Quest For Knowledge! > Access Denied does not seem to be what it really means
http://blogs.dirteam.com/blogs/jorge/archive/2007/08/01/access-denied-does-not-seem-to-be-what-it-really-means.aspx

Utility Spotlight: Script Elevation PowerToys for Windows Vista
http://technet.microsoft.com/en-us/magazine/2007.06.utilityspotlight.aspx
 
ScruggsT (Author) Commented:
oBdA, thank you for the info. As soon as I get system time I will try your suggestions. I think this may be in line with what I am seeing. I am logging in with a user that is a member of the domain admins group. My permissions are set in this way:
At the root of drive "D":
Local Administrators group and System have "Full Control".
Each sub-folder is a share, and I have set them to inherit permissions and added domain local groups, assigning the appropriate permissions for user access. The share permissions are not part of the equation, as I have not shared them yet.
 
ScruggsT (Author) Commented:
Thank you for the input, and sorry for the delay accepting it. I had a new baby and was busy with my wife and baby. Turning off the UAC fixed my problem. Most of the info you sent was in relation to running programs, but to be honest I did not look very long due to lack of time. I will be looking for more information regarding UAC and setting file system permissions. It appears that if you access the share, the UAC does not ask you or allow you to elevate your permissions for the administrative rights to work correctly. Thank you again for the info you sent, as it led me in the right direction for a quick fix.
Question has a verified solution.
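
An audit for the situation this thread resolves, as an added example that is not part of any post above: run from an elevated PowerShell prompt, it lists the folders under a root whose only applicable allow ACEs are for BUILTIN\Administrators, SYSTEM or CREATOR OWNER, which a non-elevated (UAC-filtered) administrator token cannot use. The `D:\` root is taken from the question; the function name `Test-ElevationOnlyAcl` is hypothetical.

```powershell
# Added example, not from the thread. Run elevated so the ACLs can be read.
# 'D:\' is the data drive root described in the question; change as needed.
$root = 'D:\'

# Well-known SIDs that do not help a non-elevated interactive administrator:
# BUILTIN\Administrators is deny-only in a UAC-filtered token, and
# SYSTEM / CREATOR OWNER are not the logged-on user.
$notUsable = 'S-1-5-32-544', 'S-1-5-18', 'S-1-3-0'

function Test-ElevationOnlyAcl {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    # Explicit and inherited ACEs, with identities returned as SID strings
    $rules = $Acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    $usable = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $notUsable -notcontains $_.IdentityReference.Value -and
        # Inherit-only ACEs apply to children, not to this folder itself
        -not ($_.PropagationFlags -band
              [System.Security.AccessControl.PropagationFlags]::InheritOnly)
    }
    # True when nobody but Administrators/SYSTEM/CREATOR OWNER is allowed in
    return (@($usable).Count -eq 0)
}

# Report whether this session itself holds the full (elevated) token
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($id)
$elevated = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $elevated) {
    Write-Warning 'Not elevated: Administrators is deny-only in this token.'
}

# Check the root and its first-level sub-folders
$folders = @(Get-Item -LiteralPath $root) +
           @(Get-ChildItem -LiteralPath $root | Where-Object { $_.PSIsContainer })
foreach ($f in $folders) {
    $acl = Get-Acl -Path $f.FullName
    if (Test-ElevationOnlyAcl $acl) {
        '{0}: reachable only via Administrators/SYSTEM (needs elevation)' -f $f.FullName
    }
}
```

Folders it reports can be given an allow ACE for a dedicated administration group, one option for keeping them browsable by administrators without turning UAC off.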