authen-tech asked:

SBS 2003 Server - folder permissions not working.

I have a client who has all of their important documents in a shared folder called company.  This has been fully shared to everyone up to this point.  It is now required that we limit the access to this folder to only the management of the company.  Something I've done many times without problems.  I set up a security group called Management and added the people who needed access to the folder.  I then removed all permissions from the everyone, authenticated users, and users group and added only administrators and the new management security groups.  I can't access this folder nor can anyone in the management or administrators groups.  The ONLY way anyone can gain access to it is by adding the everyone group back to it.

So, in my frustration, I created a brand new folder and set up the permissions I am looking for.  Again...no one can access it.  There is a user account called office admin that I have explicitly added and gave full control and still no dice.  HELP!  I can't find any DENY permissions anywhere and I have done a permissions audit which shows that she has full control.  I am including some screenshots of the permissions.  I have this setup on another client and I have tried everything the same as them and it's not working.

dms1.jpg
dms2.jpg
Will Szymkowski

Just looking at the screenshots, have you tried to add the Management Group to both the share permissions and also adding it to the security group rather than just authenticated users?

ASKER

I have...but just to be sure...I added the same permissions to the NTFS side as the shared side.  It shouldn't matter but I added it and got the same results.  
Alright, I figured I would ask just to be sure. Something that I have experienced on our own network is when adding the users to a security group and then applying the permissions to the folder they were not replicating properly. When I added the users account directly to the folder/shared permissions they had access instantly.

Just for testing purposes, have you tried to add the users directly to the folder?
As you can see from the screenshot...the user named office admin was directly added and had the same results.
Under the Advanced options have you checked to see if there is anything possibly blocking the folder? Who is the "owner" of this folder? Can you try to give the administrator ownership of this folder, then re-apply the permissions? Is this folder getting any inherited permissions that are blocking you from getting access to this folder?
SOLUTION
beechy_
This solution is only available to members.
Having looked again, I think that inherited special permission box is greyed out but not ticked, so ignore that part of my comment.
Ok Beechy...you are getting me somewhere.  

I have logged off and back on the user and no change.  This folder was newly created under the D partition so no inherited permissions.  I also tried disabling the inherited permissions and creating from scratch...no change.  

Then I tried my recently created testuser account.  I added this user directly and voilà...I can access the shared folder.

I need to test this further to see if it's just that one account or all previously created accounts.
Any ideas on how to fix this problem with a user account?
"How is your access when logged on to the server console as the domain admin account?  Can you access the folder: 1. through the local file system i.e. d:\company2; and 2. through the UNC path i.e. \\servername\sharename?"

The answer to that question will help us work out where the problem lies.

You may be able to see things more clearly by removing all the share and ntfs permissions and just adding the admins and management groups back in to both, give both groups full control on both folders, then confirm a specific user is a member of the management group, have them log off and back on and test folder access again.

Just to be sure, you are aware that the permissions granted to a user equals the most restrictive of the NTFS and share permissions once combined?  Some info here: http://www.lockergnome.com/it/2004/10/01/when-ntfs-mixes-with-share/ 
I temporarily upgraded this user to a Domain Admin...she has full rights in the company anyway.  This seems to have solved the problem for now.  If we need to remove those admin permissions from her later I will be back in the hot seat...but for now this seems to be working.  I do want to know how this happened to that user account and if there is a fix...otherwise I will close the question.  Thanks for your help guys!

ASKER CERTIFIED SOLUTION
This solution is only available to members.
Then the problem can't lie with deny permissions because they would take precedence over any allow permissions gained by adding her to the domain admins group.  The implication being that there are some allow permissions being granted when you add her to the domain admins group that she doesn't have up to that point.  Is this office admin account definitely a member of the management group and has she been logged off and back on since you made her a member of that group? Can you be sure you are dealing with the correct user account i.e. not two very similarly named accounts (e.g. office.admin and officeadmin) or one account that has been renamed to look like another account at some point?

When you added the office admin account explicitly, did you add it to both the ntfs and share permissions?  In your picture it doesn't show that - it shows you added her explicitly to the share permissions but not to the ntfs permissions.
Yes I'm sure it's the same account, yes I've since added her account to both sides of the permissions, yes she's definitely a member of the management group and yes she's definitely been logged off and back on after each change was made.
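
The rules the replies above rely on (access through the share is the most restrictive of the share and NTFS permissions, deny entries take precedence over allow, and group membership only counts after the next logon) can be checked with a small model. This is an added example, not part of the original thread: it models the evaluation in Python rather than calling any Windows ACL API, and the `officeadmin` name, the ACLs and the rights sets are constructed sample data.

```python
# Constructed model of how Windows combines share and NTFS permissions.
# It does not call any real ACL API; all names and ACLs below are sample data.
READ = frozenset({"read"})
CHANGE = READ | {"write", "delete"}
FULL = CHANGE | {"change_permissions"}

def logon(user, groups):
    """Access token: the user plus the groups they belong to at logon time."""
    return frozenset({user, *groups})

def granted(acl, token):
    """Rights one ACL gives a token. A deny ACE beats any allow ACE
    (assumes canonical ACE order, where denies are evaluated first)."""
    allow, deny = set(), set()
    for kind, principal, rights in acl:
        if principal in token:
            (deny if kind == "deny" else allow).update(rights)
    return frozenset(allow - deny)

def effective(share_acl, ntfs_acl, token, via_unc=True):
    """Via the UNC path both ACLs apply (intersection, i.e. the most
    restrictive result); on the local path only the NTFS ACL applies."""
    ntfs = granted(ntfs_acl, token)
    return ntfs & granted(share_acl, token) if via_unc else ntfs

SHARE = [("allow", "Administrators", FULL), ("allow", "Management", FULL)]
NTFS = [("allow", "Administrators", FULL), ("allow", "Management", CHANGE)]

def scenarios():
    stale = logon("officeadmin", [])              # logged on before joining the group
    fresh = logon("officeadmin", ["Management"])  # logged off and back on
    admin = logon("officeadmin", ["Management", "Administrators"])
    share_only = SHARE + [("allow", "officeadmin", FULL)]  # user added to share, not NTFS
    ntfs_deny = NTFS + [("deny", "Management", READ)]
    return {
        "stale_token": effective(SHARE, NTFS, stale),
        "fresh_token": effective(SHARE, NTFS, fresh),
        "share_only_explicit": effective(share_only, NTFS, stale),
        "deny_beats_admin_allow": effective(SHARE, ntfs_deny, admin),
        "local_path_ignores_share": effective([], NTFS, fresh, via_unc=False),
    }

if __name__ == "__main__":
    for name, rights in scenarios().items():
        print(f"{name:26} {sorted(rights) or 'no access'}")
```
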