sleepy-bear
asked on
SBS 2011 administrator getting 'don't have permission' errors
Hi,
I have SBS2011 with a few Windows 7 Pro machines attached in a single domain environment. My issue started a few months ago but it seems to be so erratic and unpredictable I have no idea where to start looking.
Here is an example of more disruptive issues I have experienced so far. A standard user's PC started locking up and crashing. I had a spare (clean installed) Win 7 Pro laptop so I used that and setup for the user (meaning, logged in with their username). within a few hours, it locked up. I tried with another 'clean' Win 7 Pro machine and that locked up within 30 minutes of logging in. In the end, I deleted the user account and created a new user account and logged on with that new account and everything worked. For that user, everything has been stable for weeks.
A few days ago, I needed to edit a file (I created in the past) in c:\windows on every Win 7 PCs. Just a text file needed to run special accounting software. I login to the PC directly (using my administrator username) and successfully modified the file in couple of PCs. When I got to the 3rd PC, I got 'You do not have permission, only administrator can…' I continued and it let me modify the file. By the time I got to the 4th PC, it said 'You do not have permission…' then locked up the PC. I restarted the PC and tried just renaming that text file but that locked up the PC also. No [CTRL] + [ALT] + [DEL], no access to Start button, etc., I had to force shut down. I have read a few posts about people experiencing permission issues on shared folder but this is not the case for me. I am logged in directly to PCs. However my access credentials must come from the server so something on the server must have gone strange.
I can only assume that this is some sort of corrupt permissions issue associated with user accounts (be it 'user' or 'admin' accounts). Maybe something to do with 'Group Policy'? Not sure. That is my problem. I don't know where to start.
In the immediate term, I need to replace the text file in c:\windows, but I really need to get to the bottom, of what appears to me a 'permission' or 'group policy' related issue. My request to all you experts. "Can anyone point me where the issue might be coming from?" Do I need to reset the permissions (if that is possible)?
I can do everyday stuff on SBS but not an expert so if you are kind enough to help, I would very much appreciate some details in your recommendations (ie. which admin tool to use, what specifically need doing, etc.,) Sorry to be a pain. And definitely please don't suggest anything risky that can kill the SBS server.
Thanks for reading this post.
I have SBS2011 with a few Windows 7 Pro machines attached in a single domain environment. My issue started a few months ago but it seems to be so erratic and unpredictable I have no idea where to start looking.
Here is an example of more disruptive issues I have experienced so far. A standard user's PC started locking up and crashing. I had a spare (clean installed) Win 7 Pro laptop so I used that and setup for the user (meaning, logged in with their username). within a few hours, it locked up. I tried with another 'clean' Win 7 Pro machine and that locked up within 30 minutes of logging in. In the end, I deleted the user account and created a new user account and logged on with that new account and everything worked. For that user, everything has been stable for weeks.
A few days ago, I needed to edit a file (I created in the past) in c:\windows on every Win 7 PCs. Just a text file needed to run special accounting software. I login to the PC directly (using my administrator username) and successfully modified the file in couple of PCs. When I got to the 3rd PC, I got 'You do not have permission, only administrator can…' I continued and it let me modify the file. By the time I got to the 4th PC, it said 'You do not have permission…' then locked up the PC. I restarted the PC and tried just renaming that text file but that locked up the PC also. No [CTRL] + [ALT] + [DEL], no access to Start button, etc., I had to force shut down. I have read a few posts about people experiencing permission issues on shared folder but this is not the case for me. I am logged in directly to PCs. However my access credentials must come from the server so something on the server must have gone strange.
I can only assume that this is some sort of corrupt permissions issue associated with user accounts (be it 'user' or 'admin' accounts). Maybe something to do with 'Group Policy'? Not sure. That is my problem. I don't know where to start.
In the immediate term, I need to replace the text file in c:\windows, but I really need to get to the bottom, of what appears to me a 'permission' or 'group policy' related issue. My request to all you experts. "Can anyone point me where the issue might be coming from?" Do I need to reset the permissions (if that is possible)?
I can do everyday stuff on SBS but not an expert so if you are kind enough to help, I would very much appreciate some details in your recommendations (ie. which admin tool to use, what specifically need doing, etc.,) Sorry to be a pain. And definitely please don't suggest anything risky that can kill the SBS server.
Thanks for reading this post.
First you must determine where the user is getting their domain credentials is it a LOCAL policy or domain? IF you sign on to the domain and authenticate on active directory? do you have them on a anti-virus server that schedules SCAN from the anti-virus admin server that may randomly lock up directories? is this users part of the EVERYONE group? or when he/se logs on does the domain user profile invoke a GPO? your default policy may do an EXPLICIT deny ALL and invoke permissions base on time. user folder, if this user logs on to the LOCAL account is this situation still the same? when it happens do a right click on the folder In question and check the PERMISSIONS, MOVE ONE of them OUT of the everyone group to see if it helps.
ASKER
Hi and thank you for your reply.
I too was interested to see if I could modify the text file (I created) in c:\windows\ if I login as (computer name)\(username). I was surprised to get "File Access Denied" dialog box with "You'll need to provide administrator permission to rename this file". Later I tried the same on my stand alone Win 7 Pro home computer and I got the same message so I guess this is normal.
I am reasonably sure that policy is set by the domain as if I create a new user in SBS Console, I can login to a PC on the network using the credential I just created. Like wise, if I disable a user on SBS, I can no longer login to the PC.
Re: "anti-virus server that schedules SCAN from the anti-virus admin server that may randomly lock up directories?" - I don't have antivirus 'server'. Just BitDefender 2013 on all PCs and BitDefender server edition (maybe 2012) on the SBS. That's it.
Funny you should mention the antivirus... the special account software we use runs couple of files that have always triggered BitDefender to popup with false positive (and yes, I'm 100% sure it is false positive and not a virus on the server). Usually, I have to exclude that file from scanned. When I did that today, it still blocked the required file to run. In BitDefender, you can say, "Allow & monitor" in the alert. This adds the file to exclusion list. Normally, when I exclude, it looks like O:\server\folder\hello.dll
Re: "is this users part of the EVERYONE group?" - all users are created in SBS console and they are either 'Standard Users' or 'Administrator'. Nothing fancy done in Active Directory Users.
Re: "domain user profile invoke a GPO?" - I'm not sure how to check that! The event log on SBS shows users have successfully logged in.
Re: "default policy may do an EXPLICIT deny ALL and invoke permissions base on time" - again, sorry to be slow here but no idea what I should do to verify this for you. After reading this post, if you still think this might be an issue, please tell me what to do and I will give it a go.
Re: "user folder, if this user logs on to the LOCAL account is this situation still the same?" - As mentioned at the start of this post, when I got the 'File Access Denied', I thought so but when I've realised it happens to all Win 7, connected to domain or stand alone, I am not 100% but I had no issues saving files to the desktop, etc., when I was logged in as a local user.
I too was interested to see if I could modify the text file (I created) in c:\windows\ if I login as (computer name)\(username). I was surprised to get "File Access Denied" dialog box with "You'll need to provide administrator permission to rename this file". Later I tried the same on my stand alone Win 7 Pro home computer and I got the same message so I guess this is normal.
I am reasonably sure that policy is set by the domain as if I create a new user in SBS Console, I can login to a PC on the network using the credential I just created. Like wise, if I disable a user on SBS, I can no longer login to the PC.
Re: "anti-virus server that schedules SCAN from the anti-virus admin server that may randomly lock up directories?" - I don't have antivirus 'server'. Just BitDefender 2013 on all PCs and BitDefender server edition (maybe 2012) on the SBS. That's it.
Funny you should mention the antivirus... the special account software we use runs couple of files that have always triggered BitDefender to popup with false positive (and yes, I'm 100% sure it is false positive and not a virus on the server). Usually, I have to exclude that file from scanned. When I did that today, it still blocked the required file to run. In BitDefender, you can say, "Allow & monitor" in the alert. This adds the file to exclusion list. Normally, when I exclude, it looks like O:\server\folder\hello.dll
Re: "is this users part of the EVERYONE group?" - all users are created in SBS console and they are either 'Standard Users' or 'Administrator'. Nothing fancy done in Active Directory Users.
Re: "domain user profile invoke a GPO?" - I'm not sure how to check that! The event log on SBS shows users have successfully logged in.
Re: "default policy may do an EXPLICIT deny ALL and invoke permissions base on time" - again, sorry to be slow here but no idea what I should do to verify this for you. After reading this post, if you still think this might be an issue, please tell me what to do and I will give it a go.
Re: "user folder, if this user logs on to the LOCAL account is this situation still the same?" - As mentioned at the start of this post, when I got the 'File Access Denied', I thought so but when I've realised it happens to all Win 7, connected to domain or stand alone, I am not 100% but I had no issues saving files to the desktop, etc., when I was logged in as a local user.
Hello that was a good follow up,
I was a little "gun shy" since part of your post was you need to show caution as always one does NOT want to give advice that may put you in worse shape than we expected. If you do a right click,, navigate to the security tab,,, advanced
you will see you can TAKE ownership. the WIN 7 OS assumes even ADMINS make mistakes. (and we do) so you may have to take full ownership of the PARENT folder. but be careful at this point you are going to affect the entire folders permission, if I read correctly when you log on as a LOCAL ADMIN there is no problem? can you hit the PF8 key after the MOBO's splash screen and select SAFE MODE with NETWORKING ,, does it work ok? it may be your firewall on your anti virus (that was MY problem when I experienced what you described) you need to logon on to your active directory admin account to access GPO's. it would take a long post here to explain GPO and active directory (not that I do not want to)here is MS account http://support.microsoft.com/kb/216359
I was a little "gun shy" since part of your post was you need to show caution as always one does NOT want to give advice that may put you in worse shape than we expected. If you do a right click,, navigate to the security tab,,, advanced
you will see you can TAKE ownership. the WIN 7 OS assumes even ADMINS make mistakes. (and we do) so you may have to take full ownership of the PARENT folder. but be careful at this point you are going to affect the entire folders permission, if I read correctly when you log on as a LOCAL ADMIN there is no problem? can you hit the PF8 key after the MOBO's splash screen and select SAFE MODE with NETWORKING ,, does it work ok? it may be your firewall on your anti virus (that was MY problem when I experienced what you described) you need to logon on to your active directory admin account to access GPO's. it would take a long post here to explain GPO and active directory (not that I do not want to)here is MS account http://support.microsoft.com/kb/216359
ASKER
Huh haha! Thanks for your cautious advice. Yes, no fun having to reinstall unexpectedly or having to rely on backup.
Re: taking ownership of Windows folders - Yes, I was worried about that too.
Re: F8 and Firewall - I should clarify that this SBS2011 and Windows 7 have been running for 3+ years without any issues. Either due to dodgy Microsoft patches or file read/write errors over time (same reason why Windows needs reinstall every few years), my SBS is having issues (I assume).
Re: antivirus - Just so happens, I had a PC that was half way through clean reinstall and did not have an antivirus app installed yet. And even on that PC, it is causing issues so, I am guessing it is not the BitDefender on the PC. It might be possible that it is the server version of antivirus I guess but it has not been updated recently (just virus definitions) so I am guessing less likely.
Re: GPO - I will take a look and see if I can make any adjustments to GPO.
Re: Next time I cannot access something, I will try that "Safe mode with networking" and see if that will let me do it. Thanks for the tip! Didn't think of that one.
If anyone happen to know a way to reset user/administrator permissions on SBS, please feel free to suggest (unless it can kill the server). I recall reading some time ago that SBS administrator is not a real 'Domain Admin' of the past (like in NT4 days). I sort of remember someone saying to create a new 'group' and add administrator group inside it to truly give 'power' to admin users but I can't remember the details... if anyone happen to know what I'm on about here, please let me know.
Re: taking ownership of Windows folders - Yes, I was worried about that too.
Re: F8 and Firewall - I should clarify that this SBS2011 and Windows 7 have been running for 3+ years without any issues. Either due to dodgy Microsoft patches or file read/write errors over time (same reason why Windows needs reinstall every few years), my SBS is having issues (I assume).
Re: antivirus - Just so happens, I had a PC that was half way through clean reinstall and did not have an antivirus app installed yet. And even on that PC, it is causing issues so, I am guessing it is not the BitDefender on the PC. It might be possible that it is the server version of antivirus I guess but it has not been updated recently (just virus definitions) so I am guessing less likely.
Re: GPO - I will take a look and see if I can make any adjustments to GPO.
Re: Next time I cannot access something, I will try that "Safe mode with networking" and see if that will let me do it. Thanks for the tip! Didn't think of that one.
If anyone happen to know a way to reset user/administrator permissions on SBS, please feel free to suggest (unless it can kill the server). I recall reading some time ago that SBS administrator is not a real 'Domain Admin' of the past (like in NT4 days). I sort of remember someone saying to create a new 'group' and add administrator group inside it to truly give 'power' to admin users but I can't remember the details... if anyone happen to know what I'm on about here, please let me know.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
No solution found. Just closing the thread.