Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Server 2008 folder keeps loosing NTFS permissions

Posted on 2011-02-21
19
Medium Priority
?
1,801 Views
Last Modified: 2012-08-14
We have a Windows Server 2008 system that has a folder on it that is shared. We have a process that copies a file to this share. For some reason the folder keeps loosing the NTFS permissions on the folder. This server is currently on the domain, we just migrated to it. The previous server was not on the domain and had the same issue which leads be to believe something is removing it.

For example we have the default folder permissions on the folder. We added 2 domain accounts and gave them permission. The domain accounts are now showing up as SIDs. We also gave the built-in users group modify permissions on the folder but it keeps getting reset to only read/execute, list, and read.

I need to figure out what is doing this and how to fix it. Below is the script that is run as a scheduled tasks that is not working. What I am currently doing to fix this is to log into 10.0.0.15, add modify to the users group, and re-run the task.
net use /d * /Y
Rem Add credentials before connecting (net use \\IP\IPC$ /User:User <PASS>
net use \\10.0.0.15\IPC$ /User:domain\user password
copy E:\file.csv \\10.0.0.15\csvupload$\file.csv /Y
REM DIR \\10.0.0.15\csvupload$\file.csv
net use \\10.0.0.15\IPC$ /d /Y

Open in new window

0
Comment
Question by:ThorinO
  • 8
  • 8
  • 3
19 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34944826
Check your DNS servers they should be pointing to Domain Controllers for DNS only
0
 
LVL 10

Author Comment

by:ThorinO
ID: 34944992
I just checked and they are.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34945036
0
Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

 
LVL 80

Expert Comment

by:arnold
ID: 34945308
On what disk is this share?
C:\ has a more restrictive policy that might exaplain why permissions revert.

The other question is why you are not accessing the share as a user would i.e. \\server\sharename /user:user@domain password?

Enable auditing on the share and see what process and when the permissions are reverted.
0
 
LVL 80

Expert Comment

by:arnold
ID: 34945313
One more thought do you have software that supposed to maintain the state of the system and it is what reverts the "unapproved" permission changes?
0
 
LVL 10

Author Comment

by:ThorinO
ID: 34945429
It is on the E drive, I'm not sure on the way the user connects the way it does, the script was here when I got here. If I re-configure the permissions I should be able to use the following to simply copy the file right?
copy E:\file.csv \\10.100.0.15\share\file.csv /y

Open in new window

0
 
LVL 10

Author Comment

by:ThorinO
ID: 34945453
Actually after 2nd thought that won't work. The problem is the source server is in a workgroup and the destination is on the domain. So I would have to do something like below right?
net use Y: /delete
net use Y: \\10.0.0.15\share /User:domain\user password
copy E:\file.csv Y:\file.csv /y

Open in new window

0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34945514
Correct you must setup authentication so you can move files and folders between the workgroup and domain computer. What you can do is create a local user instead of using a domain user
0
 
LVL 10

Author Comment

by:ThorinO
ID: 34945524
True, that should resolve the SID issue, which I don't understand why it is happening anyways but at this point whatever works.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34945555
The most common reason that the SIDs show is because you have a DNS issue or your secure channel password needs to be reset againist the domain
0
 
LVL 10

Author Comment

by:ThorinO
ID: 34945584
What doesn't make sense though is we had this same exact problem with the old server. That server was not on the domain. We had local users setup on this same directory and those local users would turn into SIDs.

So for some reason something associated with this folder (a job or something else) is messing up the permissions or users.

So even making the change to a local user with the batch file I posted might not fix the issue. Because as I said even the default built-in domain users group is having the modify permission removed by something.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34945665
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34945670
0
 
LVL 10

Author Comment

by:ThorinO
ID: 35038048
So I changed the batch file in hopes that it would resolve the issue but it has come back again.

I can understand something being wrong with DNS or some DC issue to where the accounts turn into SIDs. However I don't understand why the built-in users group is resetting permissions.

Before I reset the secure channel password do you have any idea why this is happening?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35038115
DNS or secure channel issue. Usually is secure channel password
0
 
LVL 10

Author Comment

by:ThorinO
ID: 35038197
Are there any risks with resetting the password? Do I run this on the server having the problem? Do you know the exact syntax I should use?

If this is the problem, why did the issue exist when the server was standalone in a workgroup?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35038211
Again are you having issues with Domain Accounts being listed in SID?
0
 
LVL 80

Accepted Solution

by:
arnold earned 2000 total points
ID: 35038375
dariusq a while back provided a link that has the example of resetting the machine password of the system having issue as well as an explanation of the command.
netdom reset <the local system name that has an issue> /User:addomainname\administrator

The reset is akin to running the process to rejoin the computer into the domain.

Unfortunately, I have no idea what else you have running on the system, you could have a software application that has a snapshot of the filesystem or a specific directory and its function is to maintain the status-quo unless an "approved" change is made.
This cold explain the issue you have i.e. the change in permissions does not follow the correct process for the monitoring software and it on whatever cycle restores the permissions.  I would think that such a software would generate an event in application/system or possibly in security log i.e. folder somefolder permissions reset.

you may have a scheduled task using cacls to insure specific permissions on the folder/directory/drive that propagates to this folder.
You could have this also run as a GPO when the computer restarts within the startup script.
or as part of a local security policy within startup.
Use GPMC and generate the Group policy results wizard to see if there is a GPO that runs a script. Check what the script does etc.

If you have an option to install everything from the begining on a different server or within a Virtual environment to see whether the same issue will come up this way you can double check what you are installing and what you are configuring.
0
 
LVL 10

Author Comment

by:ThorinO
ID: 35038786
Huzzah! I think the issue has been found and resolved. I found a scheduled task on the server with the folder that kept getting permissions messed up that is shown below. I believe the /o and /k were messing it up. We just disabled this scheduled task because it was redundant and causing problems.

/R      Overwrites read-only files.
/O      Copies file ownership and ACL information.
/Y      Suppresses prompting to confirm you want to overwrite an existing destination file.
/D:m-d-y      Copies files changed on or after the specified date. If no date is given, copies only those files whose source time is newer than the destination time.
/E      Copies directories and subdirectories, including empty ones. Same as /S /E. May be used to modify /T.
/S      Copies directories and subdirectories except empty ones.
/K      Copies attributes. Normal Xcopy will reset read-only attributes.
xcopy \\10.0.0.19\e$\FTP\folder e:\folder2/r /o /y /d /e /s /k

Open in new window

0

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

876 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question