Migrated SAN partition from Windows 2003 to Windows 2008 R2 results in access denied for all but local administrator account

Hi, I just moved two SAN drives/partitions from a Windows 2003 x86 file server to a new Windows 2008 R2 x64 server. I followed an earlier EE recommendation "How to move a SAN partition from Windows 2003 to Windows 2008", but I am getting access denied when I use the explorer to get to the drives. If I right click for properties in the Windows 2008 server, I get an access denied and the drive shows no space information, just a  round blue disk.

One of the partitions is a staging partition, I am trying to take ownership for the Windows 2008 Administrators to see if that makes a difference. It is just taking a long time to change ownership of at least one TB of storage.

I am a domain admin. Domain admins are in the Local Administrators Security group on the server. I logged out using my own account and logged in as the local administrator. Now I can see the drives, as well as the security for all of them. The shares are there, too! I can access the shares and their directories according to my NTFS permissions via my laptop, but I cannot be logged into the server and see the drives using my AD account.

I also created a local account and added it to the server's local administrators' group. That account could not see the drives either.

I can review the drives NTFS permissions if I go through the Roles>File Services>Share Storage and Management.
I just cannot browse or explore the drives that I actually have NTFS permissions to.  

Any help would be appreciated.  
jdonesAsked:
Who is Participating?
 
oBdACommented:
UAC can be disabled.
The permissions on the other servers can be different.
Did you ever try to access any of the folders in question with an elevated Notepad?
0
 
rapcoCommented:
It happens to me once because both server were part of a different Domain.

So all files ownership (SID) makes no sense to the new unit.

You probably will have to go around and Take Ownership, as you know you can use Local Admin Account and any Enabled User Account with in the Local Admin Group.

There's a command line utility called takeown, give it a try, should be installed already.

TAKEOWN [/S system [/U username [/P [password]]]]
        /F filename [/A] [/R [/D prompt]]

Description:
    This tool allows an administrator to recover access to a file that
    was denied by re-assigning file ownership.

Parameter List: 
    /S           system          Specifies the remote system to
                                 connect to.

    /U           [domain\]user   Specifies the user context under
                                 which the command should execute.

    /P           [password]      Specifies the password for the
                                 given user context.
                                 Prompts for input if omitted.

    /F           filename        Specifies the filename or directory
                                 name pattern. Wildcard "*" can be used
                                 to specify the pattern. Allows
                                 sharename\filename.

    /A                           Gives ownership to the administrators
                                 group instead of the current user.

    /R                           Recurse: instructs tool to operate on
                                 files in specified directory and all 
                                 subdirectories.

    /D           prompt          Default answer used when the current user
                                 does not have the "list folder" permission
                                 on a directory.  This occurs while operating
                                 recursively (/R) on sub-directories. Valid 
                                 values "Y" to take ownership or "N" to skip.

    /?                           Displays this help message.

    NOTE: 1) If /A is not specified, file ownership will be given to the
             current logged on user.

          2) Mixed patterns using "?" and "*" are not supported.

          3) /D is used to suppress the confirmation prompt.

Examples: 
    TAKEOWN /?
    TAKEOWN /F lostfile
    TAKEOWN /F \\system\share\lostfile /A
    TAKEOWN /F directory /R /D N
    TAKEOWN /F directory /R /A
    TAKEOWN /F *
    TAKEOWN /F C:\Windows\System32\acme.exe
    TAKEOWN /F %windir%\*.txt
    TAKEOWN /S system /F MyShare\Acme*.doc
    TAKEOWN /S system /U user /F MyShare\foo.dll
    TAKEOWN /S system /U domain\user /P password /F share\filename
    TAKEOWN /S system /U user /P password /F Doc\Report.doc /A
    TAKEOWN /S system /U user /P password /F Myshare\* 
    TAKEOWN /S system /U user /P password /F Home\Logon /R
    TAKEOWN /S system /U user /P password /F Myshare\directory /R /A

Open in new window


This link should give you an idea where to look.
http://technet.microsoft.com/en-us/library/cc753659.aspx

0
 
jdonesAuthor Commented:
Thank you, Rapco.

Unfortunately, both servers are within the same domain. I simply moved 4 SAN-based drives from the Windows 2003 server to the Windows 2008 R2 server. Two had no problems. The two I did have problems were my company's department and user shares and a staging drive with a fair amount of data in a similar directory structure as the department and user shares.  I tested taking ownership of one of the problem partitions. It did not work.

The really weird thing was all of the shares and NTFS permissions were present on the file shares. I tested group membership access to particular directories with a regular AD account. It accessed the shares & directories that it had group membership access. Using the regular AD account, I could access the shares over the network. Everything worked as expected. However I could not be logged into the server with my domain admin account and browse the drive on which these shares reside. Although I could access the shares (including the admin hidden share) from over the network.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
oBdACommented:
This is just User Account Control; it strips the local Administrators group from your security token, except for the default local Administrator account. You can verify this by opening Notepad with elevated rights (right-click, "Run as administrator"); you should be able to use the "Open" dialog to browse to any folder with administrative access. Opening a command prompt the same way should allow you to "cd" into the folders as well.
User Account Control Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx

Since it's not possible to run Explorer elevated, and instead of disabling UAC, I'd recommend installing a third-party file explorer (for example http://www.freecommander.com/, but there are enough others to match basically all preferences) and run this with elevated rights for GUI file access.
0
 
jdonesAuthor Commented:
Thanks, oBdA.

However, this is not the first time I heard this. The only snag is I have a couple of file servers running Windows 2003 R2 in the same OU that does not experience this issue. The big difference in this case is that I am migrating the SAN-based partitions from the Windows 2003 server to a Windows 2008 R2 server instead of building the shares from scratch.

If I add the Local Users group to the root of the drive with Read Only permissions, I can browse the drive using my Domain Admin account which is okay as long as I don't allow inheritance from the directories below. But then I can only browse to that level of directories. I then get challenged and asked if I want to acceess the drive I can click "continue". The OS then proceeds to grant my account full permissions that matriculates down to all levels. That is not acceptable.
0
 
oBdACommented:
This has nothing to do with it being a SAN based storage; UAC was only introduced with Vista/W2k8, that's why it doesn't occur on W2k3.
Again: as long as UAC is active, the Administrators SID is stripped from your access token unless you explicitly run a program with elevated rights (for example the dialog that pops up when starting regedit).
Note that the Explorer prompt to continue when trying to access a folder is NOT an elevation prompt; as you've noticed, this changes the NTFS permissions.
If you can browse to any of the "Denied" folders in the "Open" dialog of an elevated notepad as I suggested above, the "issue" is definitely UAC.
0
 
jdonesAuthor Commented:
I misspoke. What I intended to say is I have a couple of file servers running Windows 2008 R2 in the same OU that does not experience this issue. If it was an UAC issue, they would be exhibiting the same behavior. That is not the case.
0
 
jdonesAuthor Commented:
UAC was not disabled on this new server. It was on the other existing servers. I have disabled UAC & confirmed that this is working. Thank you for your patience.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.