Server 2008 folder keeps loosing NTFS permissions

We have a Windows Server 2008 system that has a folder on it that is shared. We have a process that copies a file to this share. For some reason the folder keeps loosing the NTFS permissions on the folder. This server is currently on the domain, we just migrated to it. The previous server was not on the domain and had the same issue which leads be to believe something is removing it.

For example we have the default folder permissions on the folder. We added 2 domain accounts and gave them permission. The domain accounts are now showing up as SIDs. We also gave the built-in users group modify permissions on the folder but it keeps getting reset to only read/execute, list, and read.

I need to figure out what is doing this and how to fix it. Below is the script that is run as a scheduled tasks that is not working. What I am currently doing to fix this is to log into 10.0.0.15, add modify to the users group, and re-run the task.
net use /d * /Y
Rem Add credentials before connecting (net use \\IP\IPC$ /User:User <PASS>
net use \\10.0.0.15\IPC$ /User:domain\user password
copy E:\file.csv \\10.0.0.15\csvupload$\file.csv /Y
REM DIR \\10.0.0.15\csvupload$\file.csv
net use \\10.0.0.15\IPC$ /d /Y

Open in new window

LVL 10
ThorinOAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
arnoldConnect With a Mentor Commented:
dariusq a while back provided a link that has the example of resetting the machine password of the system having issue as well as an explanation of the command.
netdom reset <the local system name that has an issue> /User:addomainname\administrator

The reset is akin to running the process to rejoin the computer into the domain.

Unfortunately, I have no idea what else you have running on the system, you could have a software application that has a snapshot of the filesystem or a specific directory and its function is to maintain the status-quo unless an "approved" change is made.
This cold explain the issue you have i.e. the change in permissions does not follow the correct process for the monitoring software and it on whatever cycle restores the permissions.  I would think that such a software would generate an event in application/system or possibly in security log i.e. folder somefolder permissions reset.

you may have a scheduled task using cacls to insure specific permissions on the folder/directory/drive that propagates to this folder.
You could have this also run as a GPO when the computer restarts within the startup script.
or as part of a local security policy within startup.
Use GPMC and generate the Group policy results wizard to see if there is a GPO that runs a script. Check what the script does etc.

If you have an option to install everything from the begining on a different server or within a Virtual environment to see whether the same issue will come up this way you can double check what you are installing and what you are configuring.
0
 
Darius GhassemCommented:
Check your DNS servers they should be pointing to Domain Controllers for DNS only
0
 
ThorinOAuthor Commented:
I just checked and they are.
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
Darius GhassemCommented:
0
 
arnoldCommented:
On what disk is this share?
C:\ has a more restrictive policy that might exaplain why permissions revert.

The other question is why you are not accessing the share as a user would i.e. \\server\sharename /user:user@domain password?

Enable auditing on the share and see what process and when the permissions are reverted.
0
 
arnoldCommented:
One more thought do you have software that supposed to maintain the state of the system and it is what reverts the "unapproved" permission changes?
0
 
ThorinOAuthor Commented:
It is on the E drive, I'm not sure on the way the user connects the way it does, the script was here when I got here. If I re-configure the permissions I should be able to use the following to simply copy the file right?
copy E:\file.csv \\10.100.0.15\share\file.csv /y

Open in new window

0
 
ThorinOAuthor Commented:
Actually after 2nd thought that won't work. The problem is the source server is in a workgroup and the destination is on the domain. So I would have to do something like below right?
net use Y: /delete
net use Y: \\10.0.0.15\share /User:domain\user password
copy E:\file.csv Y:\file.csv /y

Open in new window

0
 
Darius GhassemCommented:
Correct you must setup authentication so you can move files and folders between the workgroup and domain computer. What you can do is create a local user instead of using a domain user
0
 
ThorinOAuthor Commented:
True, that should resolve the SID issue, which I don't understand why it is happening anyways but at this point whatever works.
0
 
Darius GhassemCommented:
The most common reason that the SIDs show is because you have a DNS issue or your secure channel password needs to be reset againist the domain
0
 
ThorinOAuthor Commented:
What doesn't make sense though is we had this same exact problem with the old server. That server was not on the domain. We had local users setup on this same directory and those local users would turn into SIDs.

So for some reason something associated with this folder (a job or something else) is messing up the permissions or users.

So even making the change to a local user with the batch file I posted might not fix the issue. Because as I said even the default built-in domain users group is having the modify permission removed by something.
0
 
ThorinOAuthor Commented:
So I changed the batch file in hopes that it would resolve the issue but it has come back again.

I can understand something being wrong with DNS or some DC issue to where the accounts turn into SIDs. However I don't understand why the built-in users group is resetting permissions.

Before I reset the secure channel password do you have any idea why this is happening?
0
 
Darius GhassemCommented:
DNS or secure channel issue. Usually is secure channel password
0
 
ThorinOAuthor Commented:
Are there any risks with resetting the password? Do I run this on the server having the problem? Do you know the exact syntax I should use?

If this is the problem, why did the issue exist when the server was standalone in a workgroup?
0
 
Darius GhassemCommented:
Again are you having issues with Domain Accounts being listed in SID?
0
 
ThorinOAuthor Commented:
Huzzah! I think the issue has been found and resolved. I found a scheduled task on the server with the folder that kept getting permissions messed up that is shown below. I believe the /o and /k were messing it up. We just disabled this scheduled task because it was redundant and causing problems.

/R      Overwrites read-only files.
/O      Copies file ownership and ACL information.
/Y      Suppresses prompting to confirm you want to overwrite an existing destination file.
/D:m-d-y      Copies files changed on or after the specified date. If no date is given, copies only those files whose source time is newer than the destination time.
/E      Copies directories and subdirectories, including empty ones. Same as /S /E. May be used to modify /T.
/S      Copies directories and subdirectories except empty ones.
/K      Copies attributes. Normal Xcopy will reset read-only attributes.
xcopy \\10.0.0.19\e$\FTP\folder e:\folder2/r /o /y /d /e /s /k

Open in new window

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.