Solved

SBS 2011 administrator getting 'don't have permission' errors

Posted on 2013-01-12
6
1,632 Views
Last Modified: 2013-02-26
Hi,

I have SBS2011 with a few Windows 7 Pro machines attached in a single domain environment. My issue started a few months ago but it seems to be so erratic and unpredictable I have no idea where to start looking.

Here is an example of more disruptive issues I have experienced so far.  A standard user's PC started locking up and crashing.  I had a spare (clean installed) Win 7 Pro laptop so I used that and setup for the user (meaning, logged in with their username).  within a few hours, it locked up.  I tried with another 'clean' Win 7 Pro machine and that locked up within 30 minutes of logging in.  In the end, I deleted the user account and created a new user account and logged on with that new account and everything worked.  For that user, everything has been stable for weeks.

A few days ago, I needed to edit a file (I created in the past) in c:\windows on every Win 7 PCs.  Just a text file needed to run special accounting software.  I login to the PC directly (using my administrator username) and successfully modified the file in couple of PCs.  When I got to the 3rd PC, I got 'You do not have permission, only administrator can…' I continued and it let me modify the file.  By the time I got to the 4th PC, it said 'You do not have permission…' then locked up the PC.  I restarted the PC and tried just renaming that text file but that locked up the PC also.  No [CTRL] + [ALT] + [DEL], no access to Start button, etc.,  I had to force shut down.  I have read a few posts about people experiencing permission issues on shared folder but this is not the case for me.  I am logged in directly to PCs.  However my access credentials must come from the server so something on the server must have gone strange.

I can only assume that this is some sort of corrupt permissions issue associated with user accounts (be it 'user' or 'admin' accounts).  Maybe something to do with 'Group Policy'?  Not sure.  That is my problem.  I don't know where to start.

In the immediate term, I need to replace the text file in c:\windows, but I really need to get to the bottom, of what appears to me a 'permission' or 'group policy' related issue.  My request to all you experts.  "Can anyone point me where the issue might be coming from?"  Do I need to reset the permissions (if that is possible)?

I can do everyday stuff on SBS but not an expert so if you are kind enough to help, I would very much appreciate some details in your recommendations (ie. which admin tool to use, what specifically need doing, etc.,)  Sorry to be a pain.  And definitely please don't suggest anything risky that can kill the SBS server.

Thanks for reading this post.
0
Comment
Question by:sleepy-bear
  • 4
  • 2
6 Comments
 
LVL 3

Expert Comment

by:SolracM
ID: 38771048
First you must determine where the user is getting their domain credentials is it a LOCAL policy or domain? IF you sign on to the domain and authenticate on active directory? do you have them on a anti-virus server that schedules SCAN from the anti-virus admin server that may randomly lock up directories? is this users part of the EVERYONE group? or when he/se logs on does the domain user profile invoke a GPO? your default policy may do an EXPLICIT deny ALL and invoke permissions base on time. user folder, if this user logs on to the LOCAL account is this situation still the same? when it happens do a right click on the folder In question and check the PERMISSIONS, MOVE ONE of them OUT of the everyone group to see if it helps.
0
 

Author Comment

by:sleepy-bear
ID: 38771337
Hi and thank you for your reply.

I too was interested to see if I could modify the text file (I created) in c:\windows\ if I login as (computer name)\(username).  I was surprised to get "File Access Denied" dialog box with "You'll need to provide administrator permission to rename this file".  Later I tried the same on my stand alone Win 7 Pro home computer and I got the same message so I guess this is normal.  

I am reasonably sure that policy is set by the domain as if I create a new user in SBS Console, I can login to a PC on the network using the credential I just created.  Like wise, if I disable a user on SBS, I can no longer login to the PC.

Re: "anti-virus server that schedules SCAN from the anti-virus admin server that may randomly lock up directories?" - I don't have antivirus 'server'.  Just BitDefender 2013 on all PCs and BitDefender server edition (maybe 2012) on the SBS.  That's it.

Funny you should mention the antivirus... the special account software we use runs couple of files that have always triggered BitDefender to popup with false positive (and yes, I'm 100% sure it is false positive and not a virus on the server).  Usually, I have to exclude that file from scanned.  When I did that today, it still blocked the required file to run.  In BitDefender, you can say, "Allow & monitor" in the alert.  This adds the file to exclusion list.  Normally, when I exclude, it looks like O:\server\folder\hello.dll.  But today, when BitDefender blocked the file today, what was added to the 'safe' list was something like \\;O:000000000000033443\server\folder\hello.dll.  And when I log out and log back in, the 00000000000 bit changes to something like 00000000000000023245.  I can only assume it is some sort of session number included into the file path.  Now I cannot exclude any files from my antivirus app, I have to manually 'allow' it after virus alert pops up.        :   (

Re: "is this users part of the EVERYONE group?" - all users are created in SBS console and they are either 'Standard Users' or 'Administrator'.  Nothing fancy done in Active Directory Users.

Re: "domain user profile invoke a GPO?" - I'm not sure how to check that!  The event log on SBS shows users have successfully logged in.

Re: "default policy may do an EXPLICIT deny ALL and invoke permissions base on time" - again, sorry to be slow here but no idea what I should do to verify this for you.  After reading this post, if you still think this might be an issue, please tell me what to do and I will give it a go.

Re: "user folder, if this user logs on to the LOCAL account is this situation still the same?" - As mentioned at the start of this post, when I got the 'File Access Denied', I thought so but when I've realised it happens to all Win 7, connected to domain or stand alone, I am not 100% but I had no issues saving files to the desktop, etc., when I was logged in as a local user.
0
 
LVL 3

Expert Comment

by:SolracM
ID: 38773199
Hello that was a good follow up,
I was a little "gun shy" since part of your post was you need to show caution as always one does NOT want to give advice that may put you in worse shape than we expected. If you do a right click,, navigate to the security tab,,, advanced
you will see you can TAKE ownership. the WIN 7 OS assumes even ADMINS make mistakes. (and we do) so you may have to take full ownership of the PARENT folder. but be careful at this point you are going to affect the entire folders permission, if I read correctly when you log on as a LOCAL ADMIN there is no problem? can you hit the PF8 key after the MOBO's splash screen and select SAFE MODE with NETWORKING ,, does it work ok? it may be your firewall on your anti virus (that was MY problem when I experienced what you described) you need to logon on to your  active directory admin account to access GPO's. it would take a long post here to explain GPO and active directory (not that I do not want to)here is MS account http://support.microsoft.com/kb/216359
0
Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 

Author Comment

by:sleepy-bear
ID: 38773742
Huh haha!  Thanks for your cautious advice.  Yes, no fun having to reinstall unexpectedly or having to rely on backup.

Re: taking ownership of Windows folders - Yes, I was worried about that too.

Re: F8 and Firewall - I should clarify that this SBS2011 and Windows 7 have been running for 3+ years without any issues.  Either due to dodgy Microsoft patches or file read/write errors over time (same reason why Windows needs reinstall every few years), my SBS is having issues (I assume).

Re: antivirus - Just so happens, I had a PC that was half way through clean reinstall and did not have an antivirus app installed yet.  And even on that PC, it is causing issues so, I am guessing it is not the BitDefender on the PC.  It might be possible that it is the server version of antivirus I guess but it has not been updated recently (just virus definitions) so I am guessing less likely.

Re: GPO - I will take a look and see if I can make any adjustments to GPO.

Re: Next time I cannot access something, I will try that "Safe mode with networking" and see if that will let me do it.  Thanks for the tip!  Didn't think of that one.

If anyone happen to know a way to reset user/administrator permissions on SBS, please feel free to suggest (unless it can kill the server).  I recall reading some time ago that SBS administrator is not a real 'Domain Admin' of the past (like in NT4 days).  I sort of remember someone saying to create a new 'group' and add administrator group inside it to truly give 'power' to admin users but I can't remember the details... if anyone happen to know what I'm on about here, please let me know.
0
 

Accepted Solution

by:
sleepy-bear earned 0 total points
ID: 38916149
Server has been online for over 3 years so, in the end, I reinstalled the server.  I didn't get to find out what the cause was...  sometimes you just have to get it 'fixed' rather than figure out the cause and risk taking longer.

Thanks SolarcM for chipping in.  I do appreciate your assistance.
0
 

Author Closing Comment

by:sleepy-bear
ID: 38929187
No solution found.  Just closing the thread.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question