Solved

Windows 2008 NTFS group permissions not applying correctly

Posted on 2009-05-19
Last Modified: 2013-12-22
I have a data folder where I am trying to set up permissions. I set the local administrators group and system to full control at the root. I then apply user group permissions at each subdirectory as I always have within Windows 2003. Logged in as a domain administrator, I am unable to view the root directory as it gives me access denied. I can take ownership and reset the permissions to include my explicit user name instead of a group and it works fine. Another weird result is I can check effective permissions and it says they are correct. Am I misunderstanding 2008? It appeared to me to be pretty much the same permission setup.
Question by:ScruggsT
9 Comments
 
LVL 2

Expert Comment

by:MatheusM
ID: 24436817
Generally, if you don't have access at the root, you don't have access to any sub-folders. Unless I'm reading what you wrote wrong, the domain admin group doesn't expressly have access to the folder. While domain admins have the ability to take ownership then change permissions, the best practice is to allow authenticated users access at the root and then set folder level permissions below that. Remember to start with open permissions, then narrow them down as you move into each sub folder until you're satisfied with the security; just don't forget that a user needs to have access to the parent folder. This only applies if you are talking about a single share, however; if you share out each subfolder, you can set permissions individually per share.

Author Comment

by:ScruggsT
ID: 24442482
Sorry, I am not very good at writing. My normal setup that I have used for years on Windows 2003 and earlier is to set Local administrators group and system full control at the root of the drive. I then set my permissions for the users at the folders that I'm sharing. In this case I am sharing a folder called Apps where I share it to authenticated users with share permissions of full control and then set NTFS permissions so they inherit the permissions from above plus add modify permissions to authenticated users or read and execute as it is in this case. I feel like I am not a novice at this as I have been doing it for over twenty years, but this issue is starting to make me doubt myself. This 2008 server is sitting within a 2003 domain; do you think I need to bring up a 2008 server as a domain controller and extend the schema? I cannot imagine this would be required for NTFS permissions to flow correctly.
0
 
LVL 8

Expert Comment

by:Kavostylin
ID: 24488613
Hi There,

The problem you are experiencing is in the INHERIT PERMISSIONS settings. You need to remove the inherit permissions from the Root directory. I believe this to be a BUG in Server 2008; Microsoft would call it ADDED SECURITY, but it's just a real pain in the BUM.

Add your domain administrator group or individual administrators to your "Local Administrators" group. Once you have done that, remove the "Inherit Permissions from parent" setting, which can be found on one of the tabs of the advanced security section. I usually remove it from the whole drive (if you do, then the creator is the owner and you occasionally may need to manually add users).

Once this is done then you should have no further problems.

Let me know.

KAVO

Author Comment

by:ScruggsT
ID: 24549221
Kavo, I have not had a chance to get back to this customer's site. If I understand you correctly, you are saying to remove inherited permissions from the root of the drive? I was unaware that this was even settable at the root, as what is it inheriting from? I will attempt to set the root as non-inheritable and the same with the first sub folder level. I will make my permission assignments at the first folder level as well as my shares and share permissions. I will let you know on Monday July 8 of the outcome.
LVL 84

Accepted Solution

by:
oBdA earned 500 total points
ID: 24585949
This is very probably User Account Control interfering.
Are you using the default admin or a domain account that is a member of the domain admins group?
Do you have access if you add your account to another group that has access to this folder?
Try to run Notepad with elevated rights (Right-click, "Run as Administrator"), and check if you can save a file in this folder then.
Jorge's Quest For Knowledge! > Access Denied does not seem to be what it really means
http://blogs.dirteam.com/blogs/jorge/archive/2007/08/01/access-denied-does-not-seem-to-be-what-it-really-means.aspx
Utility Spotlight Script Elevation PowerToys for Windows Vista
http://technet.microsoft.com/en-us/magazine/2007.06.utilityspotlight.aspx
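
The check suggested in the answer above, as an added example that is not part of the original post: this PowerShell function reports whether the current token is elevated, how BUILTIN\Administrators is carried in it, and which ACEs the folder has, so the result can be compared between a normal and a "Run as Administrator" prompt. `Get-AdminTokenState` is a hypothetical helper name, the default path `D:\` is the drive root from the thread, and PowerShell 2.0 or later on English-language Windows is assumed.

```powershell
# Added example, not from the thread. Get-AdminTokenState is a hypothetical name.
function Get-AdminTokenState {
    param([string]$Path = 'D:\')   # drive root described in the thread

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # IsInRole is True only when BUILTIN\Administrators is an enabled group in the
    # token. A non-elevated admin logon under UAC has a filtered token, so it is False.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators. whoami shows how
    # the group appears in the current token (column names as on English Windows).
    $adminRow = whoami /groups /fo csv | ConvertFrom-Csv |
                Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $adminAttributes = if ($adminRow) { $adminRow.Attributes } else { 'not present in token' }

    # Reading the ACL fails with access denied when the token has no usable grant,
    # which is the symptom described in the question.
    $aces = @()
    $aclError = $null
    try {
        $aces = (Get-Acl -Path $Path -ErrorAction Stop).Access |
                Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
    } catch {
        $aclError = $_.Exception.Message
    }

    New-Object PSObject -Property @{
        User                  = $identity.Name
        Elevated              = $elevated
        AdministratorsInToken = $adminAttributes
        Path                  = $Path
        AccessRules           = $aces
        AclError              = $aclError
    }
}

# Run once in a normal prompt and once in an elevated one, then compare.
Get-AdminTokenState -Path 'D:\' | Format-List
```

If `Elevated` is False and the only grants on the folder are to Administrators and SYSTEM, the access denied result is consistent with the UAC explanation in the answer.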

Author Comment

by:ScruggsT
ID: 24592656
oBda, thank you for the info. As soon as I get system time I will try your suggestions. I think this may be in line with what I am seeing. I am logging in with a user that is a member of the domain admins group. My permissions are set in this way.
At root of drive "D"
Local Administrators group and System have "Full Control"
Each sub folder is a share and I have set them to inherit permissions and added domain local groups assigning the appropriate permissions for user access. The share permissions are not part of the equation as I have not shared them yet.

Author Closing Comment

by:ScruggsT
ID: 31600399
Thank you for the input and sorry for the delay accepting it. I had a new baby and was busy with my wife and baby. Turning off the UAC fixed my problem. Most of the info you sent was in relation to running programs, but to be honest I did not look very long due to lack of time. I will be looking for more information regarding UAC and setting file system permissions. It appears that if you access the share, the UAC does not ask you or allow you to elevate your permissions for the administrative rights to work correctly. Thank you again for the info you sent as it led me in the right direction for a quick fix.
Question has a verified solution.