Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Windows 2008 NTFS group permissions not applying correctly

Posted on 2009-05-19
9
Medium Priority
?
854 Views
Last Modified: 2013-12-22
I have a data folder where I am trying to setup permissions. I set the local administrators group and system to full control at the root. I then apply user group permissions at each sub directory as I always have within windows 2003. Logged in as a domain administrator I am unable to to view the root directory as it gives me access denied. I can take ownership and reset the permissions to include my explicit user name instead of a group and it works fine. Another weird result is I can check effective permissions and it says they are correct. Am I misunderstanding 2008 because it appeared to me to be pretty much the same permission setup.
0
Comment
Question by:ScruggsT
9 Comments
 
LVL 2

Expert Comment

by:MatheusM
ID: 24436817
Generally if you don't have access at the root, you don't have access to any sub-folders.  Unless I'm reading what you wrote wrong, the domain admin group doesn't expressly have access to the folder.  While domain admins have the ability to take ownership then change permissions, the best practice is to allow authenticated users access at the root and then set folder level permissions below that.  Remember to start with open permissions, then narrow them down as you move into each sub folder until you're satisfied with the security, just don't forget that a user needs to have access to the parent folder.  This only applies if you are talking about a single share however, if you share out each subfolder, you can set permissions individually per share.
0
 

Author Comment

by:ScruggsT
ID: 24442482
Sorry, I am not very good at writing. My normal setup that I have used for years on windows 2003 and earlier is to set Local administrators group and system full control at the root of the drive. I then set my permissions for the users at the folders that im shareing. In this case I am shareing a folder called Apps whaere I share it to authenticated users with share permissions of full control and then set NTFS permissions so they inherit the permissions from above plus add modify permissions to authenticated users or read and execute as it is in this case. I feel like I am not a novice at this as I have been doing it for over twenty years but this issue is starting to make me doubt myself. This 2008 server is setting within a 2003 domain, do you think I need to bring up a 2008 server as a domain controller and extend the schema? I cannot imagin this would be required for NTFS permissions to flow correctly.
0
 
LVL 8

Expert Comment

by:Kavostylin
ID: 24488613
Hi There,

The problem you are experiencing is in the INHERIT PERMISSIONS settings. You need to remove the inherit permissions from the Root directory. I believe this to be a BUG in server 2008 microsoft would call it ADDED SECURITY but its just a real pain in the BUM.

Add your domain administrator group or individual administrators to you "Local Administrators" group once you have done that remove the "Inherit Permissions from parent" setting can be found on one of the tabs of the advanced security secition. I usually remove it from the whole drive (if you do then the creater is the owner and occasionally may need to manually add users)

Once this is done then you should have no further problems.

Let me know.

KAVO
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:ScruggsT
ID: 24549221
Kavo, I have not had a chance to get back to this customers site. If I understand you correctly you are saying to remove inherited permissions from the root of the drive? I was unaware that this was even setable at the root as what is it inheriting from. I will attempt to set the root as non inheritable and same with first sub folder level. I will make my permission assignments at the first folder level as well as my shares and share permissions. I will let you know on Monday July 8 of the outcome.
0
 
LVL 85

Accepted Solution

by:
oBdA earned 2000 total points
ID: 24585949
This is very probably User Account Control interfering.
Are you using the default admin or a domain account that is a member of the domain admins group?
Do you have access if you add your account to another group that has access to this folder?
Try to run Notepad with elevated rights (Right-click, "Run as Administrator"), and check if you can save a file in this folder then.
Jorge 's Quest For Knowledge! > Access Denied does not seem to be what it really means
http://blogs.dirteam.com/blogs/jorge/archive/2007/08/01/access-denied-does-not-seem-to-be-what-it-really-means.aspx
Utility Spotlight Script Elevation PowerToys for Windows Vista
http://technet.microsoft.com/en-us/magazine/2007.06.utilityspotlight.aspx
0
 

Author Comment

by:ScruggsT
ID: 24592656
oBda, thank you for the info. As soon as I get system time I will try your suggestions. I think this may be in line with what I am seeing. I am logging in with a user that is a member of the domain admins group. My permissions are set in this way.
At root of drive "D"
Local Administrators group and System have "Full Control"
Each sub folder is a share and I have set them to inherit permissions and added domain local groups assigning the appropriate permissions for user access. The share permissions are not part of the equation as I have not shared them yet.
0
 

Author Closing Comment

by:ScruggsT
ID: 31600399
Thank you for the input and sorry for the delay accepting it. I had a new baby and was busy with my wife and baby. Turning off the UAC fixed my problem, most of the info you sent was in relation to running programs but to be honest I did not look very long due to lack of time. I will be looking for more information regarding UAC and setting file system permissions. It appears that if you access the share the UAC does not ask you or allow you to elevate your permissions for the administrative rights to work correctly. Thank you again for the info you sent as it led me in the right direction for a quick fix.
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever visit a website where you spotted a really cool looking Font, yet couldn't figure out which font family it belonged to, or how to get a copy of it for your own use? This article explains the process of doing exactly that, as well as showing how…
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question