Solved

Win 2008 R2 NTFS permissions for home directories

Posted on 2010-08-16
Last Modified: 2013-12-04
We recently began converting our domain to 2008 R2.
So we’re about 80% through upgrading all the domain controllers from 2003 R2.

I’ve set up home directories on a new 2008 R2 Enterprise server.
And the users access those directories in the format \\servername\home\%username%

Share permission on HOME is Everyone FULL.

NTFS permissions on HOME have the following:
Domain admins – Full – This folder all subfolders and files
Authenticated users – Traverse folder/execute file, list folder/read data, read attributes, read permissions – this folder only

And then under each user’s home directory we give that user Full permissions.

This has worked in previous versions of Windows Server, allowing the users enough permissions to get down to their shares, but not so much that they can try and wander into another user’s home directory.

Here’s my problem with this Windows 2008 R2 server:

If I log in as the Domain\administrator account, I can access everything fine.
If I log in with another Domain Admin account I’m denied access to the users’ home directories. And it asks do I want to gain access, and if I say ‘YES’ it adds my individual account to the security permissions.
And for some reason I can’t log in as the local administrator, so I can’t test that. But that’s an oddity that I haven’t had occur before either.

Local administrator includes domain admins.

Any ideas? I am really stuck. This makes no sense whatsoever.
Question by:Kumerian
9 Comments
 
LVL 1

Expert Comment

by:czelik
ID: 33449758
Did you try accessing it with the IP address?
\\IPADDRESS\home\%username%
0
 

Author Comment

by:Kumerian
ID: 33459215
I'm logged into the server and accessing the local directory and having this problem.
0
 
LVL 1

Expert Comment

by:czelik
ID: 33461066
Did you try adding Domain Admins in Control Panel/User Accounts as local administrator?
0
 

Author Comment

by:Kumerian
ID: 33466157
Yes, they were added automatically when I added the server to the domain.
0
 
LVL 1

Expert Comment

by:czelik
ID: 33607760
Sorry, was out of town.

What is the current owner in NTFS set to? Maybe change that to Domain Admins.
0
 

Author Comment

by:Kumerian
ID: 33967857
I have the solution offline with Microsoft. Can I put it here or will you delete the question?
0
 

Accepted Solution

by:
Kumerian earned 0 total points
ID: 33967903
Apparently the issue is caused by the User Account Control in 2008R2.

According to Microsoft, even though the Admin group has full access, the system will not allow a specific admin access without changing the permissions. This generates an audit log event, which provides for a trace of who has accessed the home directory beyond the user accessing it remotely. This was their way of providing an audit trail for admins accessing secure directories.

Fixed by disabling UAC.
0
 

Author Closing Comment

by:Kumerian
ID: 33999663
Tried this solution and the problem is completely resolved.
This is specific to 2008R2; 2008 does not exhibit this behavior.
0
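
The permission layout described in the question, scripted in PowerShell as an added example (not code from the thread or from Microsoft). The folder path, domain name and user name are placeholders. The check at the top reflects that, with UAC enabled, a non-elevated session on the server holds a filtered token in which administrative group memberships are not active.

```powershell
# Added example. All three values below are placeholders (assumptions).
$HomeRoot = 'D:\Home'      # local folder shared as \\servername\home
$Domain   = 'EXAMPLE'      # NetBIOS domain name
$User     = 'jdoe'         # account whose home directory is created

# With UAC on, a session that was not started elevated carries a filtered
# token: IsInRole() returns $false even for a member of Domain Admins, and
# ACEs granted to admin groups do not apply. Stop here instead of failing later.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $elevated) {
    throw 'Session is not elevated. Start PowerShell with "Run as administrator".'
}

# Helper: build one Allow ACE. Strings are converted to the .NET enum types.
function New-AllowRule($Identity, $Rights, $Inherit) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, 'None', 'Allow'
}

# Root folder: REPLACES the existing ACL with the two entries from the post.
$rootAcl = New-Object System.Security.AccessControl.DirectorySecurity
$rootAcl.SetAccessRuleProtection($true, $false)   # block inheritance from the parent

# Domain Admins: Full, this folder, subfolders and files.
$rootAcl.AddAccessRule((New-AllowRule "$Domain\Domain Admins" 'FullControl' `
    'ContainerInherit,ObjectInherit'))

# Authenticated Users: "this folder only" means no inheritance flags, so users
# can pass through the root but the ACE never reaches anyone's home directory.
$traverse = 'Traverse,ListDirectory,ReadAttributes,ReadPermissions'
$rootAcl.AddAccessRule((New-AllowRule 'NT AUTHORITY\Authenticated Users' $traverse 'None'))
Set-Acl -Path $HomeRoot -AclObject $rootAcl

# Per-user folder: inherits Domain Admins from the root, plus Full for the owner.
$userDir = Join-Path $HomeRoot $User
New-Item -ItemType Directory -Path $userDir -Force | Out-Null
$userAcl = Get-Acl -Path $userDir
$userAcl.AddAccessRule((New-AllowRule "$Domain\$User" 'FullControl' `
    'ContainerInherit,ObjectInherit'))
Set-Acl -Path $userDir -AclObject $userAcl

# Review the result: the user's ACE is explicit, the Domain Admins ACE inherited.
(Get-Acl -Path $userDir).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```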
