Solved

Server 2008 folder keeps loosing NTFS permissions

Posted on 2011-02-21
19
1,710 Views
Last Modified: 2012-08-14
We have a Windows Server 2008 system that has a folder on it that is shared. We have a process that copies a file to this share. For some reason the folder keeps loosing the NTFS permissions on the folder. This server is currently on the domain, we just migrated to it. The previous server was not on the domain and had the same issue which leads be to believe something is removing it.

For example we have the default folder permissions on the folder. We added 2 domain accounts and gave them permission. The domain accounts are now showing up as SIDs. We also gave the built-in users group modify permissions on the folder but it keeps getting reset to only read/execute, list, and read.

I need to figure out what is doing this and how to fix it. Below is the script that is run as a scheduled tasks that is not working. What I am currently doing to fix this is to log into 10.0.0.15, add modify to the users group, and re-run the task.
net use /d * /Y
Rem Add credentials before connecting (net use \\IP\IPC$ /User:User <PASS>
net use \\10.0.0.15\IPC$ /User:domain\user password
copy E:\file.csv \\10.0.0.15\csvupload$\file.csv /Y
REM DIR \\10.0.0.15\csvupload$\file.csv
net use \\10.0.0.15\IPC$ /d /Y

Open in new window

0
Comment
Question by:ThorinO
  • 8
  • 8
  • 3
19 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
Comment Utility
Check your DNS servers they should be pointing to Domain Controllers for DNS only
0
 
LVL 10

Author Comment

by:ThorinO
Comment Utility
I just checked and they are.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Comment Utility
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
On what disk is this share?
C:\ has a more restrictive policy that might exaplain why permissions revert.

The other question is why you are not accessing the share as a user would i.e. \\server\sharename /user:user@domain password?

Enable auditing on the share and see what process and when the permissions are reverted.
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
One more thought do you have software that supposed to maintain the state of the system and it is what reverts the "unapproved" permission changes?
0
 
LVL 10

Author Comment

by:ThorinO
Comment Utility
It is on the E drive, I'm not sure on the way the user connects the way it does, the script was here when I got here. If I re-configure the permissions I should be able to use the following to simply copy the file right?
copy E:\file.csv \\10.100.0.15\share\file.csv /y

Open in new window

0
 
LVL 10

Author Comment

by:ThorinO
Comment Utility
Actually after 2nd thought that won't work. The problem is the source server is in a workgroup and the destination is on the domain. So I would have to do something like below right?
net use Y: /delete
net use Y: \\10.0.0.15\share /User:domain\user password
copy E:\file.csv Y:\file.csv /y

Open in new window

0
 
LVL 59

Expert Comment

by:Darius Ghassem
Comment Utility
Correct you must setup authentication so you can move files and folders between the workgroup and domain computer. What you can do is create a local user instead of using a domain user
0
 
LVL 10

Author Comment

by:ThorinO
Comment Utility
True, that should resolve the SID issue, which I don't understand why it is happening anyways but at this point whatever works.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 59

Expert Comment

by:Darius Ghassem
Comment Utility
The most common reason that the SIDs show is because you have a DNS issue or your secure channel password needs to be reset againist the domain
0
 
LVL 10

Author Comment

by:ThorinO
Comment Utility
What doesn't make sense though is we had this same exact problem with the old server. That server was not on the domain. We had local users setup on this same directory and those local users would turn into SIDs.

So for some reason something associated with this folder (a job or something else) is messing up the permissions or users.

So even making the change to a local user with the batch file I posted might not fix the issue. Because as I said even the default built-in domain users group is having the modify permission removed by something.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Comment Utility
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Comment Utility
0
 
LVL 10

Author Comment

by:ThorinO
Comment Utility
So I changed the batch file in hopes that it would resolve the issue but it has come back again.

I can understand something being wrong with DNS or some DC issue to where the accounts turn into SIDs. However I don't understand why the built-in users group is resetting permissions.

Before I reset the secure channel password do you have any idea why this is happening?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Comment Utility
DNS or secure channel issue. Usually is secure channel password
0
 
LVL 10

Author Comment

by:ThorinO
Comment Utility
Are there any risks with resetting the password? Do I run this on the server having the problem? Do you know the exact syntax I should use?

If this is the problem, why did the issue exist when the server was standalone in a workgroup?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Comment Utility
Again are you having issues with Domain Accounts being listed in SID?
0
 
LVL 76

Accepted Solution

by:
arnold earned 500 total points
Comment Utility
dariusq a while back provided a link that has the example of resetting the machine password of the system having issue as well as an explanation of the command.
netdom reset <the local system name that has an issue> /User:addomainname\administrator

The reset is akin to running the process to rejoin the computer into the domain.

Unfortunately, I have no idea what else you have running on the system, you could have a software application that has a snapshot of the filesystem or a specific directory and its function is to maintain the status-quo unless an "approved" change is made.
This cold explain the issue you have i.e. the change in permissions does not follow the correct process for the monitoring software and it on whatever cycle restores the permissions.  I would think that such a software would generate an event in application/system or possibly in security log i.e. folder somefolder permissions reset.

you may have a scheduled task using cacls to insure specific permissions on the folder/directory/drive that propagates to this folder.
You could have this also run as a GPO when the computer restarts within the startup script.
or as part of a local security policy within startup.
Use GPMC and generate the Group policy results wizard to see if there is a GPO that runs a script. Check what the script does etc.

If you have an option to install everything from the begining on a different server or within a Virtual environment to see whether the same issue will come up this way you can double check what you are installing and what you are configuring.
0
 
LVL 10

Author Comment

by:ThorinO
Comment Utility
Huzzah! I think the issue has been found and resolved. I found a scheduled task on the server with the folder that kept getting permissions messed up that is shown below. I believe the /o and /k were messing it up. We just disabled this scheduled task because it was redundant and causing problems.

/R      Overwrites read-only files.
/O      Copies file ownership and ACL information.
/Y      Suppresses prompting to confirm you want to overwrite an existing destination file.
/D:m-d-y      Copies files changed on or after the specified date. If no date is given, copies only those files whose source time is newer than the destination time.
/E      Copies directories and subdirectories, including empty ones. Same as /S /E. May be used to modify /T.
/S      Copies directories and subdirectories except empty ones.
/K      Copies attributes. Normal Xcopy will reset read-only attributes.
xcopy \\10.0.0.19\e$\FTP\folder e:\folder2/r /o /y /d /e /s /k

Open in new window

0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now