Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Users with full control and full share permissions can't write to shared folder

Posted on 2010-11-09
10
Medium Priority
?
5,686 Views
Last Modified: 2012-05-10
Greetings,

I have a weird problem that occurred during migration of file server. We had old file server Windows 2003 which we migrated to Windows 2008 Server R2. The problem is some of the shared folders are shared with full permissions for the users (NTFS and shared permissions are configured correctly), but users CAN access the files but CAN'T write to shared folder. We tried to remove all permissions and add them again manually but it still doesn't work like it should. So any suggestions would be welcome. I'm running blind in this case. The effective permissions for all users are Full Control. When we added a new test user to same share directory, the user could write to the shared folder.

Thanks in advance.

If you need any further information let me know.
0
Comment
Question by:Dewiced
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +2
10 Comments
 
LVL 4

Expert Comment

by:Antyrael
ID: 34091791
This sounds weird, but have you tried removing the specific groups from a user, apply the changes, then add the group(s) again?
You may want to do this in 2 steps:
1) remove group(s) from a user, logout and back in again,
2) add user to the group(s) again, logout and back in again.
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34091852
You can use Accessenum & sharenum too to verify the permission on the folder.

Try to take the ownership of the folder,define the access again,see if it works.

http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx

http://www.softpedia.com/get/Security/Security-Related/ShareEnum.shtml
0
 
LVL 1

Author Comment

by:Dewiced
ID: 34091995
Antyrael: A new group was created and permissions were assigned to that group. To no effect. Logoff, Login didn't make any difference

Awinish: accessenum, shareenum show the same permission model. Ownership was taken and access granted. Didn't work.
0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 
LVL 24

Expert Comment

by:Awinish
ID: 34092022
If you create a new folder & give user access, if it works i can think of file/folder corruption.

Can you check permission on root drive which is inheriting to other folders?
0
 
LVL 6

Expert Comment

by:nsonbaty
ID: 34092280
What is your AD OS version, is it 2008 r2 or still 2003
0
 
LVL 6

Expert Comment

by:nsonbaty
ID: 34099889
try to remove the inheritance option and copy the permission, and then re-add the permissions on all folders
0
 
LVL 39

Accepted Solution

by:
ChiefIT earned 2000 total points
ID: 34109481
Are these distributive file shares with read only permissions on the DFS namespace. Read only is the default configuration of a DFS share namespace. So, when setting up a namespace you have to MANUALLY configure the namespace to have full permissions for the share permissions.

Also if the users is an authenticated user on the share and inhereted permissions from the parent share has read only permissions for authenticated users, while you add that user to have full permission, the share permissions will take the LESSER of the two permissions. So, you may have conflicting shares. So, as a general practice, when setting up shares is I break inhereted permissions. Then, I fill out my share permissions all the way until I get to the User's individual files. Then, that users will be the only one to use the file.

Sounds like you have one of two scenarios:
1) read only distributive file share namespace
2) inhereted permissions from the parent folder that have less permissions than full control.

Both of these will show effective permissions to be full control for the users, BUT you will get read only on the file folder because it's taking the lesser of the two permissions on the share permissions, since their GROUP permissions override their personal permissions.
0
 
LVL 1

Author Closing Comment

by:Dewiced
ID: 34109826
Solved

Problem was with inheritance permissions since folders were part of already shared folder.

Thanks for all your time and help.
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34109893
ChiefIT: too Good..:)
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 34117248
LOL Awnish:

Thanks. (I ran into this myself a whil ago. It took me a week to sort out all of our shares, break inheretance, and remove all the inhereted permissions for it to work right).
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The well known Cerber ransomware continues to spread this summer through spear phishing email campaigns targeting enterprises. Learn how it easily bypasses traditional defenses - and what you can do to protect your data.
Hey fellow admins! This time, I have a little fairy tale for you. As many tales do, it starts boring and then gets pretty gory. I hope you like it. TL;DR: It is about an important security matter, you should read it if you run or administer Windows …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question