Solved

Domain user cannot save to C Drive

Posted on 2011-09-21
9
1,688 Views
Last Modified: 2012-05-12
Windows 2003 domain, Windows 7 Pro

We have a user who needs to be able to save to the C Drive, to use their commercial banking application (some Java app).

I logged in as domain admin, added the domain user to the security permissions on the whole C Drive, for which it threw up errors for hyberfil.sys, pagefile.sys etc. No problems.

User stiill cannot save to C Drive. If they try they get a permissions error.

I added the domain user to the local admin group as a test, sure this would work.

Still doesnt.

What I noticed was that when I checked UAC before the user was part of the local admin group, UAC was ON. When I logged into the domain admin account, and also as the user with local admin rights, UAC showed as OFF.

Any ideas?
0
Comment
Question by:hongedit
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +1
9 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 36572916
Hi. You only need to do the following:
NTFS-Permissions - advanced - add user with write permissions and apply TO THIS FOLDER ONLY.
0
 
LVL 1

Author Comment

by:hongedit
ID: 36572981
Where am I looking for those options? Right-Click Properties?

They need root C access, not a subfolder within C
0
 
LVL 30

Accepted Solution

by:
ded9 earned 500 total points
ID: 36572985
Article might help

This issue can occur if the Administrators group has been removed from the “Backup Files and Directories” user right.

    Click Start ORB, in the Search Field, type secpol.msc, and then press ENTER.
    Double-click Local Policies.
    Double-click User Rights Assignment.
    Double-click Back up Files and directories.
    Click Add, and then double-click the Local Administrators group
    Click OK.



Ref
http://answers.microsoft.com/en-us/windows/forum/windows_7-security/windows-7-cannot-save-files-to-c-even-after-making/938f2b50-b063-475b-8c5e-905d136df2e3



Ded9
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 8

Expert Comment

by:Sushant Gulati
ID: 36573028
You cannot add and give a normal user an access to the System Files on the C: drive because since Windows Vista launch these people are much more secured in terms of accessing and making the changes at the File Structure Level, if we will compare to the legacy operating systems. To propogate the permissions and to take the ownership of the files, the user should be a part of the Domain Admin Group.

I am not sure with which you are logged and trying to access and what is the group membership and delegated rights are given to this user account. What method I would suggest is...

Create one shared folder on the C: drive.
Give this user Full Shared permissions
Give this user Full NTFS permissions

Create a MAP drive and assign Drive Letter.

See if this works. However, about the UAC confusion that you have, just go through this log.

http://vistavitals.blogspot.com/2008/01/uac-local-admin-vs-domain-admin.html

Hope this helps and good luck..!!

~SG~
0
 
LVL 54

Expert Comment

by:McKnife
ID: 36573146
Hi again.
ded, maybe you can explain to me what the "Backup Files and Directories" privilege has to do with saving (=writing to, not reading from) to the root of c:
By the way, any administrator already may write to c: ->when elevated<-, so the priv. is definitely not needed.

@hongedit: I know you are talking about the root of c: ("c: itself") and not about subfolders. I meant c: itself. Rightclick c: and adjust the permissions on the advanced section and apply TO THIS FOLDER ONLY.

0
 
LVL 1

Author Comment

by:hongedit
ID: 36573159
I just treid ded's suggestion first and it worked so looked into it no further.

0
 
LVL 54

Expert Comment

by:McKnife
ID: 36573192
@hongedit
Please. This is a security matter. How could one possibly make such a change without even knowing what he is doing? The description of the privilege reads
--
Back up files and directories

This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.

Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system***:

Traverse Folder/Execute File
List Folder/Read Data
Read Attributes
Read Extended Attributes
Read Permissions

Caution

Assigning this user right can be a security risk. Since there is no way to be sure that a user is backing up data, stealing data, or copying data to be distributed, only assign this user right to trusted users.

Default on workstations and servers: Administrators
Backup Operators.

Default on domain controllers:Administrators
Backup Operators
Server Operators
--

*** OK, so where does it say "write data"? Nowhere.

This privilege does not work in terms of getting you any further. I am not sure what you have done, but if I grant my user this priv., I still can't write to the root of c:

So my advice is to remove that priv. again and go my way. For system security this is highly recommended.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 36573225
Wait, I missed a thing. See my solution at http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Windows_7/Q_25059444.html#26403263
You also have to fire the command icacls c:\ /setintegritylevel M
(from an elevated command prompt).
0
 
LVL 8

Expert Comment

by:Sushant Gulati
ID: 36578658
I agree with McKnife.. That's totally a breach of a security....
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question