Server 2008 folder keeps loosing NTFS permissions
We have a Windows Server 2008 system that has a folder on it that is shared. We have a process that copies a file to this share. For some reason the folder keeps loosing the NTFS permissions on the folder. This server is currently on the domain, we just migrated to it. The previous server was not on the domain and had the same issue which leads be to believe something is removing it.
For example we have the default folder permissions on the folder. We added 2 domain accounts and gave them permission. The domain accounts are now showing up as SIDs. We also gave the built-in users group modify permissions on the folder but it keeps getting reset to only read/execute, list, and read.
I need to figure out what is doing this and how to fix it. Below is the script that is run as a scheduled tasks that is not working. What I am currently doing to fix this is to log into 10.0.0.15, add modify to the users group, and re-run the task.
For example we have the default folder permissions on the folder. We added 2 domain accounts and gave them permission. The domain accounts are now showing up as SIDs. We also gave the built-in users group modify permissions on the folder but it keeps getting reset to only read/execute, list, and read.
I need to figure out what is doing this and how to fix it. Below is the script that is run as a scheduled tasks that is not working. What I am currently doing to fix this is to log into 10.0.0.15, add modify to the users group, and re-run the task.
net use /d * /Y
Rem Add credentials before connecting (net use \\IP\IPC$ /User:User <PASS>
net use \\10.0.0.15\IPC$ /User:domain\user password
copy E:\file.csv \\10.0.0.15\csvupload$\file.csv /Y
REM DIR \\10.0.0.15\csvupload$\file.csv
net use \\10.0.0.15\IPC$ /d /Y
Darius Ghassem
Check your DNS servers they should be pointing to Domain Controllers for DNS only
ASKER
I just checked and they are.
Reset secure channel password.
http://technet.microsoft.com/en-us/library/cc788073(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc788073(WS.10).aspx
On what disk is this share?
C:\ has a more restrictive policy that might exaplain why permissions revert.
The other question is why you are not accessing the share as a user would i.e. \\server\sharename /user:user@domain password?
Enable auditing on the share and see what process and when the permissions are reverted.
C:\ has a more restrictive policy that might exaplain why permissions revert.
The other question is why you are not accessing the share as a user would i.e. \\server\sharename /user:user@domain password?
Enable auditing on the share and see what process and when the permissions are reverted.
One more thought do you have software that supposed to maintain the state of the system and it is what reverts the "unapproved" permission changes?
ASKER
It is on the E drive, I'm not sure on the way the user connects the way it does, the script was here when I got here. If I re-configure the permissions I should be able to use the following to simply copy the file right?
copy E:\file.csv \\10.100.0.15\share\file.csv /yASKER
Actually after 2nd thought that won't work. The problem is the source server is in a workgroup and the destination is on the domain. So I would have to do something like below right?
net use Y: /delete
net use Y: \\10.0.0.15\share /User:domain\user password
copy E:\file.csv Y:\file.csv /y
Correct you must setup authentication so you can move files and folders between the workgroup and domain computer. What you can do is create a local user instead of using a domain user
ASKER
True, that should resolve the SID issue, which I don't understand why it is happening anyways but at this point whatever works.
The most common reason that the SIDs show is because you have a DNS issue or your secure channel password needs to be reset againist the domain
ASKER
What doesn't make sense though is we had this same exact problem with the old server. That server was not on the domain. We had local users setup on this same directory and those local users would turn into SIDs.
So for some reason something associated with this folder (a job or something else) is messing up the permissions or users.
So even making the change to a local user with the batch file I posted might not fix the issue. Because as I said even the default built-in domain users group is having the modify permission removed by something.
So for some reason something associated with this folder (a job or something else) is messing up the permissions or users.
So even making the change to a local user with the batch file I posted might not fix the issue. Because as I said even the default built-in domain users group is having the modify permission removed by something.
ASKER
So I changed the batch file in hopes that it would resolve the issue but it has come back again.
I can understand something being wrong with DNS or some DC issue to where the accounts turn into SIDs. However I don't understand why the built-in users group is resetting permissions.
Before I reset the secure channel password do you have any idea why this is happening?
I can understand something being wrong with DNS or some DC issue to where the accounts turn into SIDs. However I don't understand why the built-in users group is resetting permissions.
Before I reset the secure channel password do you have any idea why this is happening?
DNS or secure channel issue. Usually is secure channel password
ASKER
Are there any risks with resetting the password? Do I run this on the server having the problem? Do you know the exact syntax I should use?
If this is the problem, why did the issue exist when the server was standalone in a workgroup?
If this is the problem, why did the issue exist when the server was standalone in a workgroup?
Again are you having issues with Domain Accounts being listed in SID?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Huzzah! I think the issue has been found and resolved. I found a scheduled task on the server with the folder that kept getting permissions messed up that is shown below. I believe the /o and /k were messing it up. We just disabled this scheduled task because it was redundant and causing problems.
/R Overwrites read-only files.
/O Copies file ownership and ACL information.
/Y Suppresses prompting to confirm you want to overwrite an existing destination file.
/D:m-d-y Copies files changed on or after the specified date. If no date is given, copies only those files whose source time is newer than the destination time.
/E Copies directories and subdirectories, including empty ones. Same as /S /E. May be used to modify /T.
/S Copies directories and subdirectories except empty ones.
/K Copies attributes. Normal Xcopy will reset read-only attributes.
/R Overwrites read-only files.
/O Copies file ownership and ACL information.
/Y Suppresses prompting to confirm you want to overwrite an existing destination file.
/D:m-d-y Copies files changed on or after the specified date. If no date is given, copies only those files whose source time is newer than the destination time.
/E Copies directories and subdirectories, including empty ones. Same as /S /E. May be used to modify /T.
/S Copies directories and subdirectories except empty ones.
/K Copies attributes. Normal Xcopy will reset read-only attributes.
xcopy \\10.0.0.19\e$\FTP\folder e:\folder2/r /o /y /d /e /s /k