Solved

Server 2008 folder keeps loosing NTFS permissions

Posted on 2011-02-21
19
1,753 Views
Last Modified: 2012-08-14
We have a Windows Server 2008 system that has a folder on it that is shared. We have a process that copies a file to this share. For some reason the folder keeps loosing the NTFS permissions on the folder. This server is currently on the domain, we just migrated to it. The previous server was not on the domain and had the same issue which leads be to believe something is removing it.

For example we have the default folder permissions on the folder. We added 2 domain accounts and gave them permission. The domain accounts are now showing up as SIDs. We also gave the built-in users group modify permissions on the folder but it keeps getting reset to only read/execute, list, and read.

I need to figure out what is doing this and how to fix it. Below is the script that is run as a scheduled tasks that is not working. What I am currently doing to fix this is to log into 10.0.0.15, add modify to the users group, and re-run the task.
net use /d * /Y
Rem Add credentials before connecting (net use \\IP\IPC$ /User:User <PASS>
net use \\10.0.0.15\IPC$ /User:domain\user password
copy E:\file.csv \\10.0.0.15\csvupload$\file.csv /Y
REM DIR \\10.0.0.15\csvupload$\file.csv
net use \\10.0.0.15\IPC$ /d /Y

Open in new window

0
Comment
Question by:ThorinO
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 8
  • 3
19 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34944826
Check your DNS servers they should be pointing to Domain Controllers for DNS only
0
 
LVL 10

Author Comment

by:ThorinO
ID: 34944992
I just checked and they are.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34945036
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 
LVL 78

Expert Comment

by:arnold
ID: 34945308
On what disk is this share?
C:\ has a more restrictive policy that might exaplain why permissions revert.

The other question is why you are not accessing the share as a user would i.e. \\server\sharename /user:user@domain password?

Enable auditing on the share and see what process and when the permissions are reverted.
0
 
LVL 78

Expert Comment

by:arnold
ID: 34945313
One more thought do you have software that supposed to maintain the state of the system and it is what reverts the "unapproved" permission changes?
0
 
LVL 10

Author Comment

by:ThorinO
ID: 34945429
It is on the E drive, I'm not sure on the way the user connects the way it does, the script was here when I got here. If I re-configure the permissions I should be able to use the following to simply copy the file right?
copy E:\file.csv \\10.100.0.15\share\file.csv /y

Open in new window

0
 
LVL 10

Author Comment

by:ThorinO
ID: 34945453
Actually after 2nd thought that won't work. The problem is the source server is in a workgroup and the destination is on the domain. So I would have to do something like below right?
net use Y: /delete
net use Y: \\10.0.0.15\share /User:domain\user password
copy E:\file.csv Y:\file.csv /y

Open in new window

0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34945514
Correct you must setup authentication so you can move files and folders between the workgroup and domain computer. What you can do is create a local user instead of using a domain user
0
 
LVL 10

Author Comment

by:ThorinO
ID: 34945524
True, that should resolve the SID issue, which I don't understand why it is happening anyways but at this point whatever works.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34945555
The most common reason that the SIDs show is because you have a DNS issue or your secure channel password needs to be reset againist the domain
0
 
LVL 10

Author Comment

by:ThorinO
ID: 34945584
What doesn't make sense though is we had this same exact problem with the old server. That server was not on the domain. We had local users setup on this same directory and those local users would turn into SIDs.

So for some reason something associated with this folder (a job or something else) is messing up the permissions or users.

So even making the change to a local user with the batch file I posted might not fix the issue. Because as I said even the default built-in domain users group is having the modify permission removed by something.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34945665
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34945670
0
 
LVL 10

Author Comment

by:ThorinO
ID: 35038048
So I changed the batch file in hopes that it would resolve the issue but it has come back again.

I can understand something being wrong with DNS or some DC issue to where the accounts turn into SIDs. However I don't understand why the built-in users group is resetting permissions.

Before I reset the secure channel password do you have any idea why this is happening?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35038115
DNS or secure channel issue. Usually is secure channel password
0
 
LVL 10

Author Comment

by:ThorinO
ID: 35038197
Are there any risks with resetting the password? Do I run this on the server having the problem? Do you know the exact syntax I should use?

If this is the problem, why did the issue exist when the server was standalone in a workgroup?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35038211
Again are you having issues with Domain Accounts being listed in SID?
0
 
LVL 78

Accepted Solution

by:
arnold earned 500 total points
ID: 35038375
dariusq a while back provided a link that has the example of resetting the machine password of the system having issue as well as an explanation of the command.
netdom reset <the local system name that has an issue> /User:addomainname\administrator

The reset is akin to running the process to rejoin the computer into the domain.

Unfortunately, I have no idea what else you have running on the system, you could have a software application that has a snapshot of the filesystem or a specific directory and its function is to maintain the status-quo unless an "approved" change is made.
This cold explain the issue you have i.e. the change in permissions does not follow the correct process for the monitoring software and it on whatever cycle restores the permissions.  I would think that such a software would generate an event in application/system or possibly in security log i.e. folder somefolder permissions reset.

you may have a scheduled task using cacls to insure specific permissions on the folder/directory/drive that propagates to this folder.
You could have this also run as a GPO when the computer restarts within the startup script.
or as part of a local security policy within startup.
Use GPMC and generate the Group policy results wizard to see if there is a GPO that runs a script. Check what the script does etc.

If you have an option to install everything from the begining on a different server or within a Virtual environment to see whether the same issue will come up this way you can double check what you are installing and what you are configuring.
0
 
LVL 10

Author Comment

by:ThorinO
ID: 35038786
Huzzah! I think the issue has been found and resolved. I found a scheduled task on the server with the folder that kept getting permissions messed up that is shown below. I believe the /o and /k were messing it up. We just disabled this scheduled task because it was redundant and causing problems.

/R      Overwrites read-only files.
/O      Copies file ownership and ACL information.
/Y      Suppresses prompting to confirm you want to overwrite an existing destination file.
/D:m-d-y      Copies files changed on or after the specified date. If no date is given, copies only those files whose source time is newer than the destination time.
/E      Copies directories and subdirectories, including empty ones. Same as /S /E. May be used to modify /T.
/S      Copies directories and subdirectories except empty ones.
/K      Copies attributes. Normal Xcopy will reset read-only attributes.
xcopy \\10.0.0.19\e$\FTP\folder e:\folder2/r /o /y /d /e /s /k

Open in new window

0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question