Solved

SBS 2011 administrator getting 'don't have permission' errors

Posted on 2013-01-12
6
1,525 Views
Last Modified: 2013-02-26
Hi,

I have SBS2011 with a few Windows 7 Pro machines attached in a single domain environment. My issue started a few months ago but it seems to be so erratic and unpredictable I have no idea where to start looking.

Here is an example of more disruptive issues I have experienced so far.  A standard user's PC started locking up and crashing.  I had a spare (clean installed) Win 7 Pro laptop so I used that and setup for the user (meaning, logged in with their username).  within a few hours, it locked up.  I tried with another 'clean' Win 7 Pro machine and that locked up within 30 minutes of logging in.  In the end, I deleted the user account and created a new user account and logged on with that new account and everything worked.  For that user, everything has been stable for weeks.

A few days ago, I needed to edit a file (I created in the past) in c:\windows on every Win 7 PCs.  Just a text file needed to run special accounting software.  I login to the PC directly (using my administrator username) and successfully modified the file in couple of PCs.  When I got to the 3rd PC, I got 'You do not have permission, only administrator can…' I continued and it let me modify the file.  By the time I got to the 4th PC, it said 'You do not have permission…' then locked up the PC.  I restarted the PC and tried just renaming that text file but that locked up the PC also.  No [CTRL] + [ALT] + [DEL], no access to Start button, etc.,  I had to force shut down.  I have read a few posts about people experiencing permission issues on shared folder but this is not the case for me.  I am logged in directly to PCs.  However my access credentials must come from the server so something on the server must have gone strange.

I can only assume that this is some sort of corrupt permissions issue associated with user accounts (be it 'user' or 'admin' accounts).  Maybe something to do with 'Group Policy'?  Not sure.  That is my problem.  I don't know where to start.

In the immediate term, I need to replace the text file in c:\windows, but I really need to get to the bottom, of what appears to me a 'permission' or 'group policy' related issue.  My request to all you experts.  "Can anyone point me where the issue might be coming from?"  Do I need to reset the permissions (if that is possible)?

I can do everyday stuff on SBS but not an expert so if you are kind enough to help, I would very much appreciate some details in your recommendations (ie. which admin tool to use, what specifically need doing, etc.,)  Sorry to be a pain.  And definitely please don't suggest anything risky that can kill the SBS server.

Thanks for reading this post.
0
Comment
Question by:sleepy-bear
  • 4
  • 2
6 Comments
 
LVL 3

Expert Comment

by:SolracM
Comment Utility
First you must determine where the user is getting their domain credentials is it a LOCAL policy or domain? IF you sign on to the domain and authenticate on active directory? do you have them on a anti-virus server that schedules SCAN from the anti-virus admin server that may randomly lock up directories? is this users part of the EVERYONE group? or when he/se logs on does the domain user profile invoke a GPO? your default policy may do an EXPLICIT deny ALL and invoke permissions base on time. user folder, if this user logs on to the LOCAL account is this situation still the same? when it happens do a right click on the folder In question and check the PERMISSIONS, MOVE ONE of them OUT of the everyone group to see if it helps.
0
 

Author Comment

by:sleepy-bear
Comment Utility
Hi and thank you for your reply.

I too was interested to see if I could modify the text file (I created) in c:\windows\ if I login as (computer name)\(username).  I was surprised to get "File Access Denied" dialog box with "You'll need to provide administrator permission to rename this file".  Later I tried the same on my stand alone Win 7 Pro home computer and I got the same message so I guess this is normal.  

I am reasonably sure that policy is set by the domain as if I create a new user in SBS Console, I can login to a PC on the network using the credential I just created.  Like wise, if I disable a user on SBS, I can no longer login to the PC.

Re: "anti-virus server that schedules SCAN from the anti-virus admin server that may randomly lock up directories?" - I don't have antivirus 'server'.  Just BitDefender 2013 on all PCs and BitDefender server edition (maybe 2012) on the SBS.  That's it.

Funny you should mention the antivirus... the special account software we use runs couple of files that have always triggered BitDefender to popup with false positive (and yes, I'm 100% sure it is false positive and not a virus on the server).  Usually, I have to exclude that file from scanned.  When I did that today, it still blocked the required file to run.  In BitDefender, you can say, "Allow & monitor" in the alert.  This adds the file to exclusion list.  Normally, when I exclude, it looks like O:\server\folder\hello.dll.  But today, when BitDefender blocked the file today, what was added to the 'safe' list was something like \\;O:000000000000033443\server\folder\hello.dll.  And when I log out and log back in, the 00000000000 bit changes to something like 00000000000000023245.  I can only assume it is some sort of session number included into the file path.  Now I cannot exclude any files from my antivirus app, I have to manually 'allow' it after virus alert pops up.        :   (

Re: "is this users part of the EVERYONE group?" - all users are created in SBS console and they are either 'Standard Users' or 'Administrator'.  Nothing fancy done in Active Directory Users.

Re: "domain user profile invoke a GPO?" - I'm not sure how to check that!  The event log on SBS shows users have successfully logged in.

Re: "default policy may do an EXPLICIT deny ALL and invoke permissions base on time" - again, sorry to be slow here but no idea what I should do to verify this for you.  After reading this post, if you still think this might be an issue, please tell me what to do and I will give it a go.

Re: "user folder, if this user logs on to the LOCAL account is this situation still the same?" - As mentioned at the start of this post, when I got the 'File Access Denied', I thought so but when I've realised it happens to all Win 7, connected to domain or stand alone, I am not 100% but I had no issues saving files to the desktop, etc., when I was logged in as a local user.
0
 
LVL 3

Expert Comment

by:SolracM
Comment Utility
Hello that was a good follow up,
I was a little "gun shy" since part of your post was you need to show caution as always one does NOT want to give advice that may put you in worse shape than we expected. If you do a right click,, navigate to the security tab,,, advanced
you will see you can TAKE ownership. the WIN 7 OS assumes even ADMINS make mistakes. (and we do) so you may have to take full ownership of the PARENT folder. but be careful at this point you are going to affect the entire folders permission, if I read correctly when you log on as a LOCAL ADMIN there is no problem? can you hit the PF8 key after the MOBO's splash screen and select SAFE MODE with NETWORKING ,, does it work ok? it may be your firewall on your anti virus (that was MY problem when I experienced what you described) you need to logon on to your  active directory admin account to access GPO's. it would take a long post here to explain GPO and active directory (not that I do not want to)here is MS account http://support.microsoft.com/kb/216359
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:sleepy-bear
Comment Utility
Huh haha!  Thanks for your cautious advice.  Yes, no fun having to reinstall unexpectedly or having to rely on backup.

Re: taking ownership of Windows folders - Yes, I was worried about that too.

Re: F8 and Firewall - I should clarify that this SBS2011 and Windows 7 have been running for 3+ years without any issues.  Either due to dodgy Microsoft patches or file read/write errors over time (same reason why Windows needs reinstall every few years), my SBS is having issues (I assume).

Re: antivirus - Just so happens, I had a PC that was half way through clean reinstall and did not have an antivirus app installed yet.  And even on that PC, it is causing issues so, I am guessing it is not the BitDefender on the PC.  It might be possible that it is the server version of antivirus I guess but it has not been updated recently (just virus definitions) so I am guessing less likely.

Re: GPO - I will take a look and see if I can make any adjustments to GPO.

Re: Next time I cannot access something, I will try that "Safe mode with networking" and see if that will let me do it.  Thanks for the tip!  Didn't think of that one.

If anyone happen to know a way to reset user/administrator permissions on SBS, please feel free to suggest (unless it can kill the server).  I recall reading some time ago that SBS administrator is not a real 'Domain Admin' of the past (like in NT4 days).  I sort of remember someone saying to create a new 'group' and add administrator group inside it to truly give 'power' to admin users but I can't remember the details... if anyone happen to know what I'm on about here, please let me know.
0
 

Accepted Solution

by:
sleepy-bear earned 0 total points
Comment Utility
Server has been online for over 3 years so, in the end, I reinstalled the server.  I didn't get to find out what the cause was...  sometimes you just have to get it 'fixed' rather than figure out the cause and risk taking longer.

Thanks SolarcM for chipping in.  I do appreciate your assistance.
0
 

Author Closing Comment

by:sleepy-bear
Comment Utility
No solution found.  Just closing the thread.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now