windows 2003 - admin wants access to users folder

Posted on 2013-01-25
Last Modified: 2013-12-02
Hi, I have a Windows 2003 domain running:

- master DC: 2003 AD/DNS/DHCP server
- file server
- XP desktop

Note: I'm also running 'shadow copies' on my file and print server (filenprint)!!

Note: domain user jamesf has accidentally deleted a file and requires it back!!

My domain user can log on to the domain and save data, so when the user logs off the data is uploaded automatically to \\filenprint\profileroam - successfully.

When I log on to the file server and right-click the domain user's folder, i.e.:

\\filenprint\profileroam\jamesf, and locate the 'Owner' tab, it states:

current owner of this item: unable to display current owner.
change owner to: shows 2 x administrators

- administrator (itservices\administrator)
- administrators (filenprint\administrator)

Qns1. I wish to be able to take ownership of the folder so that I can return the deleted file to 'jamesf', but I'm worried that 'jamesf' will not be able to log back on if I take ownership. So can someone advise on what I need to do? I assume I should select administrators (filenprint\administrator) to take ownership and then click 'OK', but how do I give 'ownership' back to domain user jamesf?
Question by: mikey250

23 Comments

Assisted Solution by: Nik
ID: 38819593
If you change ownership you won't change anything in the ACL.
With that said, if james has Modify or Full Control access to that folder, he will retain those permissions.
You also won't need to add him again as the owner, as everything will function normally with Administrator being the owner.
But if still needed, james has to have Full Control permission to be able to change/take ownership of the file/folder.

Author Comment by: mikey250
ID: 38821946
Morning nimatejic,

(The last time I messed around in here I ended up having to do a complete install of the master DC, file & print server and XP desktop after hours of troubleshooting, as the XP desktop kept loading a 'temp' profile!!! So I just wanted to make sure!)

Note: I did not create d:\profileroam manually; I followed the wizard to add the 'file & print' feature and in there I selected:

administrator has full control & users have read & write - if I remember correctly!

In the following:

d:\profileroam - when I right-click and select Properties, both 'everyone' and the filenprint server are listed with 'full control'.

In the following:

d:\profileroam\jamesf - when I right-click, go through the options and select 'Owner', it states:

Qns1. How do I know who the current owner is, as below the current owner states: ?

current owner of this item: unable to display current owner.

change owner to: shows 2 x administrators

- administrator (itservices\administrator)
- administrators (filenprint\administrator)

Note: OK, I will select administrators (filenprint\administrator) under the 'Owner' tab and attempt to confirm the domain user can still log on from the XP desktop!!

Accepted Solution by: Nik
ID: 38821953
"qns1. how do i know who is current owner as below current owner states: ?"
For some reason this folder lost its owner, not sure why, so there's no owner now.
Can you please check the ownership on another user folder?

As I said, taking ownership can't do any damage. If needed, you can later set jamesf as the owner.

Regards,
Nik

Author Comment by: mikey250
ID: 38821965
Hi nimatejic, I've done what you said and yes, the domain user can still log on as normal, so that's good!! :)

This is the first domain user in place so far, as I needed to get the process right before I create the others!!

As the administrator of the file & print server, I can now do:

d:\profileroam\jamesf - double-click and access the files within, so that is good!

d:\profileroam\jamesf - when I right-click 'jamesf' and select the 'Security' tab I can now see:

administrator (itservices\administrator)

Qns1.

But I expected to see:

administrators (filenprint\administrators) - as per the Owner tab, although I presume it is 'administrator (itservices\administrator)' because I'm actually logged on to the domain?

Assisted Solution by: Nik
ID: 38821978
You have changed the owner of the folder; you did not change the NTFS permissions for the folder or its access control list (ACL).

Now when you click Properties/Security you can add filenprint\administrators and the jamesf user account, and grant Full Control permissions to filenprint\administrators and Modify permissions to jamesf.

Author Comment by: mikey250
ID: 38822020
Hi, I'm trying to tread carefully here!! Thanks for your patience!!

(My main goal, as per the original question, is to be able to give back a file a user deleted yesterday, as I've already been running 'shadow copies'.)

When I locate \\filenprint via 'Run' it shows me \\profileroam, but when I double-click, right-click 'jamesf', select Properties > Previous Versions, select a specific dated user folder with the files within that were deleted and select 'View', it states:

Qns1. I'm not sure if this is a GPO issue here?

"\\filenprint\profileroam\@gmt-2013.01.25-16.48.2\jamesf is not accessible. You might not have permission to use this network resource. Access denied. Contact admin etc."

So after making that previous change as you suggested, which was successful, I have now also done the following:

- jamesf - right-clicked, selected Properties > Security tab, selected 'administrator (itservices\administrator)', allocated 'full access' and clicked OK.

Qns2. Below is where I'm not understanding what to select and amend in order to allow the successful return of files via 'shadow copies', and I'm aware it states <not inherited> below:

I then returned to 'jamesf', selected the Security tab and the Advanced button, and it shows:

- allow  administrator (itservices\administrator)  full control  <not inherited>  this folder, subfolders & files

- allow  james...  full control  <not inherited>  this folder, subfolders & files

- allow  system  full control  <not inherited>  this folder, subfolders & files

Note: I think this 1st option below is what I should tick for the above 'administrator'!!

unticked - allow inheritable permissions from the parent to propagate to this object & all child objects. include these with entries explicitly defined here.

unticked - replace permission entries on all child objects with entries shown here that apply to child objects.

Assisted Solution by: Nik
ID: 38822060
"qns1. im not sure if this is a gpo issue here ?"
It was a permission issue that you have solved.

"unticked - replace permission entries on all child objects with entries shown here that apply to child objects."
Yes, if you have changed permissions for the folder it would be wise to tick the option to replace permission entries on all child objects.

As for the shadow copies, unfortunately I don't use that feature as we have a third-party backup solution.

Author Comment by: mikey250
ID: 38822140
Hi, just to clarify: I can 'restore' a specific folder to give back to the user, but the specific issue is that I wish to select 'View' so that I can open up that folder and locate a specific folder or file for that user, rather than copying the whole folder to a user's desktop!

OK, I appreciate your assistance up to this point!! Just trying to find out where in my GPO I may need to enable something, as I've done this but the same 'access denied' issue is still showing, so I cannot give a specific file back to a user!

I'm afraid of ticking and unticking stuff, as I just don't get this right and permissions just take time to understand.

- I'm aware a folder is a folder - this would be classed as the 'parent folder'.
- I'm aware there are subfolders within a folder - I assume this is classed as the 'child object'.
- I'm aware there are files within the subfolders.

But when I see things like:

- allow inheritable permissions from the parent to propagate to this object & all child objects. include these with entries explicitly defined here.

I assume the above means my \\profileroaming folder is the parent and all subfolders, i.e. child objects, within it have inherited the same permissions specifically for all folders within \\profileroam - hence allowing access to that folder specifically.

- replace permission entries on all child objects with entries shown here that apply to child objects

I assume the above means whatever permissions have been allocated in the permissions tab, and which I then change, selecting the above forces the changes to take effect on all child objects specifically here.

- replace owner on subcontainers & objects

Although I've never selected this yet at any time, I'm not quite sure what this means.

I'm afraid that I might stop my domain user account from being able to log on.

Assisted Solution by: BlueCompute
ID: 38867906
Mikey250, you're right to be a bit wary of changing the permissions on the user's profile - the root folder for the profiles allows anyone to access it; however, the users' individual subfolders are created in the user's name, and by default the administrators don't have enough permissions to see the folder owner - these folders are set to NOT inherit ACLs from their parent folder, so the changes to the root folder won't affect them. You can get round this and still get it to work (I'd take ownership of the folder and all subfolders as "Administrators" (the group, rather than the user), and replace the owner on all subfolders). This won't change the permissions, and won't prevent the user logging on (if you're really worried about this, back up the folder with NTBackup before you start changing things, then you can go back if it breaks), but will allow you to see/modify the security settings. Once you've done this, you can drill down through the folders and add the permissions you need.
Before you start doing that though, why don't you just get the user to restore the file themselves? They already have the access they need to do this, and then you don't need to change anything!
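The ownership step Nik and BlueCompute describe (take ownership as the server's Administrators group, replace the owner on all subfolders, leave the ACL alone), as an added PowerShell example that is not from the thread. It assumes PowerShell 2.0 on the file server, a session run by a member of the local Administrators group, and the path D:\profileroam\jamesf from the thread; it takes a DACL snapshot before and after so you can see for yourself that ownership and permissions are separate things, and it reports whether inheritance from the parent is blocked, which is what "Allow inheritable permissions from the parent to propagate" unticked means.

```powershell
# Added example, not from the thread: take ownership of a roaming-profile folder
# as the file server's local Administrators group and show that the DACL is
# untouched afterwards. Assumed: PowerShell 2.0 on the file server, run by a
# member of the local Administrators group, and the profile root D:\profileroam
# from the thread.

function Get-DaclSnapshot {
    param([string]$Path)
    # Flatten the access entries to strings so two snapshots can be compared.
    # Get-Acl needs READ_CONTROL on the folder; on a folder whose DACL grants
    # the administrator nothing (the "unable to display current owner" case)
    # it throws, and the caller treats that as "no snapshot available".
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
        $lines = foreach ($ace in $acl.Access) {
            '{0}|{1}|{2}|{3}|{4}' -f $ace.IdentityReference, $ace.FileSystemRights, $ace.AccessControlType, $ace.InheritanceFlags, $ace.IsInherited
        }
        return @($lines | Sort-Object)
    } catch {
        return $null
    }
}

function Take-OwnershipAsAdministrators {
    param([string]$Path)
    $before = Get-DaclSnapshot -Path $Path

    # takeown.exe is built into Windows Server 2003. /A gives ownership to the
    # Administrators group rather than the logged-on account (the same choice
    # as "Administrators (FILENPRINT\Administrators)" on the Owner tab); /R
    # recurses and /D Y answers the prompt for subfolders the caller cannot
    # list, which together is the "Replace owner on subcontainers and objects"
    # box. Ownership is taken through SeTakeOwnershipPrivilege, so it works
    # even when the DACL grants the administrator no access at all.
    & takeown.exe /F $Path /A /R /D Y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed on $Path (exit code $LASTEXITCODE)" }

    $acl   = Get-Acl -Path $Path
    $after = Get-DaclSnapshot -Path $Path

    # Owner changed; access entries did not. If the DACL was unreadable before,
    # there is nothing to compare, so say so instead of reporting "False".
    $daclChanged = 'unknown (DACL was unreadable before takeown)'
    if ($null -ne $before) { $daclChanged = (($before -join "`n") -ne ($after -join "`n")) }

    New-Object PSObject -Property @{
        Path               = $Path
        Owner              = $acl.Owner                   # expected: BUILTIN\Administrators
        DaclChanged        = $daclChanged                 # expected: False
        InheritanceBlocked = $acl.AreAccessRulesProtected # True = "Allow inheritable permissions from the parent" is unticked
        AdminAce           = [bool]($acl.Access | Where-Object { $_.IdentityReference -like '*Administrator*' })
    }
}

# Usage on the file server, after an NTBackup of the folder:
#   Take-OwnershipAsAdministrators -Path 'D:\profileroam\jamesf' | Format-List
```

If AdminAce comes back False the administrator owns the folder but still has no access entry, which is exactly the state described further up the thread: the owner can always read and rewrite the DACL, so the next step is to add the Administrators and user entries, not to change ownership again.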

Assisted Solution by: kevinhsieh
ID: 38868493
From the series of questions, I can tell that you are new to this. As an aside, I hope that this is just a learning environment. Microsoft will stop providing support of any kind, including SECURITY updates, for Windows Server 2003 on July 14, 2015. Support for Windows XP ends April 2014, which is just over a year away. Time to be upgrading these old operating systems!

Oftentimes, the default permissions regarding user folders are not very good for the real world. What I like to do is set the directory permissions manually. First I set the permissions on the top level folder of the share to .\administrators and .\system full. I remove creator/owner and give users read and list directory contents only on this folder under the advanced NTFS permissions. This prevents new folders from inheriting read permissions for users. I then manually create the user folder before creating the user. After the account has been created, I give the user modify or full control permissions to their directory. This system of permissions keeps the user folders secure from regular users, but allows administrators access. If you are worried about a mistake in parent permissions filtering down, remove inherit parent permissions on the individual user folder in addition to removing them on the top of the share.

Author Comment by: mikey250
ID: 38868586
Hi BlueCompute, I did run an 'ntbackup' and also took a screenshot of both:

profileroam\jamesf - and successfully was able to access the user's folder and take ownership.

Yes, I did see that the user could too, but the last thing I could not do on my 'file server' was: when I right-click, I think, \\profileroam and Properties, I also selected the tab to see the user's folders created on different dates, but when I clicked 'View' I did not have access, and this is what I wanted to do, to be able to click 'View'!!!

Assisted Solution by: BlueCompute
ID: 38868702
Mikey, this is basically by design - a user's folder is deemed to be theirs, not yours, so they're the ones who by default get permissions over it - depending on your jurisdiction/country law, there may actually be legal grounds for this design.
Are you saying that logged on as the user you can't see the previous versions, or logged on as administrator? This is a task (restoring a previous version of a file) that the user would normally do themselves, with instruction or oversight from technical. Interestingly enough, the changes you've made to the permissions won't actually have changed the permissions on the files stored in "previous versions" - I'd expect you to get access (as administrator) to any new shadows created, but possibly not to the ones created before you had the relevant permissions. I'm not actually sure if you can change that after the event, at least not trivially - I'd get the user to restore the file themselves this time, and going forward make sure permissions on the folders allow you to do all the things you need to.
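BlueCompute's point above, that a snapshot keeps the permissions the folder had when it was taken, is easiest to see from the command line. The following is an added example, not from the thread: it lists the server's shadow copies through WMI, builds the same \\server\share\@GMT-... path the Previous Versions "View" button opens, and copies one file out of a chosen snapshot, reporting the access-denied case separately. It assumes PowerShell 2.0 on the file server (Win32_ShadowCopy is present on Windows Server 2003), the share \\filenprint\profileroam from the thread, and a made-up file name for the usage line; the timestamp in the error message quoted earlier in the thread is truncated, so the example reads the exact snapshot times from WMI instead of retyping it.

```powershell
# Added example, not from the thread: list the server's shadow copies and copy
# a single file out of one snapshot through the same \\server\share\@GMT-...
# path the Previous Versions "View" button opens. Assumed: PowerShell 2.0 on
# the file server (Win32_ShadowCopy exists on Windows Server 2003) and the
# share \\filenprint\profileroam from the thread.

function Get-ShadowSnapshots {
    # InstallDate is a DMTF string in local time; the @GMT- folder names that
    # the Previous Versions interface resolves are in UTC, so convert first.
    Get-WmiObject -Class Win32_ShadowCopy | ForEach-Object {
        $utc = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate).ToUniversalTime()
        New-Object PSObject -Property @{
            Id         = $_.ID
            Volume     = $_.VolumeName        # \\?\Volume{...}\ of the disk the share lives on
            CreatedUtc = $utc
            GmtFolder  = '@GMT-' + $utc.ToString('yyyy.MM.dd-HH.mm.ss')
        }
    } | Sort-Object CreatedUtc
}

function Restore-FileFromShadow {
    param([string]$Share, [string]$GmtFolder, [string]$RelativePath, [string]$Destination)
    # The @GMT token is resolved by the SMB server, so the path must be the UNC
    # share even when run on filenprint itself; D:\profileroam\@GMT-... does not exist.
    $source = Join-Path (Join-Path $Share $GmtFolder) $RelativePath
    try {
        Copy-Item -LiteralPath $source -Destination $Destination -ErrorAction Stop
        return "restored $source -> $Destination"
    } catch {
        if ($_.Exception -is [System.UnauthorizedAccessException]) {
            # The snapshot is read-only and carries the DACL the folder had when
            # it was taken. Ownership or ACEs added today do not reach into it:
            # only the user (who had access then) or a newer snapshot will work.
            return "access denied on $source - this snapshot predates your permission change; have the user restore it, or use a snapshot taken after the change"
        }
        throw
    }
}

# Usage on the file server (file name below is made up for the example):
#   Get-ShadowSnapshots | Format-Table CreatedUtc, GmtFolder, Volume -AutoSize
#   $latest = Get-ShadowSnapshots | Select-Object -Last 1
#   Restore-FileFromShadow -Share '\\filenprint\profileroam' -GmtFolder $latest.GmtFolder `
#       -RelativePath 'jamesf\My Documents\report.doc' -Destination 'D:\restore\report.doc'
```

Running the same copy against the newest snapshot and an older one shows the behaviour BlueCompute predicts: the snapshot taken after the administrator was added to the folder's ACL is readable, the earlier ones are not, and no amount of changing the live folder alters that.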

Author Comment by: mikey250
ID: 38868807
Hi blue,

this is basically by design - OK, understood.

I think I can log on with the admin account and (view) the file from the user's PC, but I'm going to check now. I just thought that if I did not want the user to do it themselves then I should do it from my actual file and print server, which is where I can see the previous versions and have attempted to click (View), but it states I don't have the permission. Surely I should also be able to do this from the file and print server, as I'm only using the administrator's account and have full access to c:\profile\jamesf and ownership?

Author Comment by: mikey250
ID: 38868813
Hi kevinhsieh,

Q1. So you're saying that after Jul 14 2015 I can no longer download those updates, except to install SP1 & SP2?

Q2. And XP ends April 2014 - so I can no longer download updates except for the SP1/SP2/SP3 I have already?

Yes, eventually, once I have the equipment, i.e. 64-bit PCs/servers, then yes I will be updating to Windows 2008. So far I have a 2nd-hand Dell 1950 64-bit server.

Yes, I'm beginning to realise this, as you state below, but did not realise I could remove 'creator owner':

"Oftentimes, the default permissions regarding user folders are not very good for the real world. What I like to do is set the directory permissions manually. First I set the permissions on the top level folder of the share to .\administrators and .\system full. I remove creator/owner and give users read and list directory contents only on this folder under the advanced NTFS permissions."

Normally I would manually create the following on a spare partition and not touch rights/permissions at all:

- d:\profiles for example

But this time I did not, and installed 'file & print' services, creating d:\profiles that way, and gave full access to everyone & administrator for this parent folder. Then when a user logged on, a folder was created automatically: d:\profiles\jamesf - for example. But after some changes and a little better understanding I took ownership of the folder and the user can still log on, but I did leave 'creator owner' in place as I have not yet played around enough, but I hear what you are saying. So as I have an 'ntbackup' I should attempt again what you say, do it manually also and look and see, and as long as the user can log on then I'm OK, and as long as the administrator can gain access then I'm OK. But I don't remember seeing 'system' - but what you're saying is this is also set to 'full'?

"I then manually create the user folder before creating the user" - are you saying you also create the user folder inside c:\profile\james, for example, 1st?

I'm going to copy your statement and save it, as the explanation seems to have a little more clarity for me, and try it out!! I suppose my only thought is, if this is the case, then why did Microsoft allow it to be like that, or in reality could I just leave it as per the wizard, as I assume this is just you tying down the system even more securely for individual users!!!

Assisted Solution by: BlueCompute
ID: 38868836
This:
"i think i can logon with admin account and (view) file from users pc but im going to check now, but i just thought if i did not want the user to do it themselves then i thought i should do it from my actual file and print server which is where i can see the previous versions and have attempted to click (view) but it states i dont have the permission, but surely i should also be able to do this from the file and print server as only using administrators account and have full access: c:\profile\jamesf & ownership.. ?"
Is exactly what they don't intend you to be able to do by default - only the user has rights on their own profile folder, and they're the ones who do the restores - in much the same way as Administrators don't get access to user mailboxes by default.
It's important to note that the "shadow copies" aren't stored in the user's profile folder; they're stored in System Volume Information on the disk the shares live on, by default, which is why the changes you've made haven't given you access to older shadows.
By default everyone gets to create folders in the root of your profile share, but the folders they create are for them only. If you don't want the users to have write access to the root folder, you'll need to create their profile folders manually, as kevinhsieh does, and then give the user full control rights on it before the user first logs on - this way you'll get full access as an administrator, and you'll be the "owner" of the folder, rather than the user.
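The manual layout kevinhsieh described and BlueCompute just restated (Administrators and SYSTEM full control on the root, no CREATOR OWNER, users read and list on the root only, each user folder pre-created with inheritance switched off and the user granted Modify), as an added PowerShell example that is not from the thread. It assumes PowerShell 2.0 on the file server, a session run by a member of the local Administrators group, the root D:\profileroam and the domain NetBIOS name ITSERVICES, all taken from the thread. The InheritanceFlags values are the "Apply to" column of the Advanced security dialog, and SetAccessRuleProtection($true, $false) is the "Allow inheritable permissions from the parent to propagate" box unticked with the inherited entries removed rather than copied. One caveat the thread does not mention but which matters here because these are roaming profile folders rather than home folders: Windows XP SP1 and later and Windows Server 2003 check that the user owns the profile folder before loading it and fall back to a temporary profile if not, unless the "Do not check for user ownership of Roaming Profile Folders" policy is enabled. The -UserOwned switch below hands ownership to the user for that case; leave it off for home or redirected folders, where Administrators owning the folder is what you want.

```powershell
# Added example, not from the thread: the manual user-folder layout kevinhsieh
# describes (Administrators and SYSTEM full control, no CREATOR OWNER, users
# read+list on the root only, each user folder pre-created with inheritance
# off and the user granted Modify). Assumed: PowerShell 2.0 on the file
# server, run by a member of the local Administrators group, profile root
# D:\profileroam and domain NetBIOS name ITSERVICES, both taken from the thread.

$FullControl    = [System.Security.AccessControl.FileSystemRights]::FullControl
$Modify         = [System.Security.AccessControl.FileSystemRights]::Modify
$ReadAndList    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$AllChildren    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'  # "This folder, subfolders and files"
$ThisFolderOnly = [System.Security.AccessControl.InheritanceFlags]::None                             # "This folder only"

function New-AllowRule {
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit)
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Set-ExplicitAcl {
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule[]]$Rules)
    $acl = Get-Acl -Path $Path
    # "Allow inheritable permissions from the parent to propagate" unticked,
    # with the inherited entries discarded rather than copied in.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($existing in @($acl.Access)) { [void]$acl.RemoveAccessRuleAll($existing) }
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    # A member of Administrators may set the owner to the Administrators group
    # without extra privilege (and a folder an administrator creates is already
    # owned by it); handing ownership to another account needs SeRestorePrivilege,
    # which Set-Acl does not enable, so that case is handled with icacls below.
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    Set-Acl -Path $Path -AclObject $acl
}

function Initialize-ProfileRoot {
    param([string]$Root, [string]$UsersGroup = 'NT AUTHORITY\Authenticated Users')
    if (-not (Test-Path $Root)) { New-Item -ItemType Directory -Path $Root | Out-Null }
    Set-ExplicitAcl -Path $Root -Rules @(
        (New-AllowRule 'BUILTIN\Administrators' $FullControl $AllChildren),
        (New-AllowRule 'NT AUTHORITY\SYSTEM'    $FullControl $AllChildren),
        # Read+list on this folder only: new subfolders do not inherit a read
        # entry for every user, and with no CREATOR OWNER entry a folder a user
        # creates is not theirs alone.
        (New-AllowRule $UsersGroup $ReadAndList $ThisFolderOnly)
    )
}

function New-UserFolder {
    param([string]$Root, [string]$Domain, [string]$User, [switch]$UserOwned)
    $path = Join-Path $Root $User
    if (Test-Path $path) { throw "$path already exists; not resetting its permissions" }
    New-Item -ItemType Directory -Path $path | Out-Null
    Set-ExplicitAcl -Path $path -Rules @(
        (New-AllowRule 'BUILTIN\Administrators' $FullControl $AllChildren),
        (New-AllowRule 'NT AUTHORITY\SYSTEM'    $FullControl $AllChildren),
        (New-AllowRule "$Domain\$User"          $Modify      $AllChildren)
    )
    if ($UserOwned) {
        # Roaming-profile folders only: XP SP1+/2003 clients check that the user
        # owns the profile folder and load a temporary profile if not, unless the
        # "Do not check for user ownership of Roaming Profile Folders" policy is
        # enabled. icacls /setowner can assign ownership to another account;
        # Set-Acl cannot (see Set-ExplicitAcl).
        if (Get-Command icacls.exe -ErrorAction SilentlyContinue) {
            & icacls.exe $path /setowner "$Domain\$User" /T | Out-Null
        } else {
            Write-Warning "icacls.exe not found; set the owner of $path to $Domain\$User by hand"
        }
    }
    Get-Acl -Path $path | Select-Object Owner, AreAccessRulesProtected, @{n='Entries'; e={ $_.Access.Count }}
}

# Usage (create the AD account first, then the folder, before the first logon):
#   Initialize-ProfileRoot -Root 'D:\profileroam'
#   New-UserFolder -Root 'D:\profileroam' -Domain 'ITSERVICES' -User 'jamesf' -UserOwned
```

Because the administrator holds an explicit Full Control entry from the moment the folder exists, every shadow copy taken from then on is readable by administrators as well as the user, which removes the access-denied problem on Previous Versions that started this thread; snapshots taken before the change stay as they were.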

Author Comment by: mikey250
ID: 38868876
Hi,

Oh, so I should not be able to specifically view from the physical file and print server!!

By the way, I've just logged on as the domain user and the only way I know how is to go through 'My Network Places' or via \\fileprintserver\fileprint\jamesf, and yes I can select 'View', so that is correct then!!!

As I have only created a 'roaming folder' I did not add the 'redirection folder' yet, as the 'shadow copies' made me think why do I need it, but from reading I assume you mean this is stored in the 'system volume', so I would need to add the 'redirection folder', which I have added before and seen files saved in 'My Documents' for example, but I left it out for the time being to try and grasp this bit, as I'm not seeing what I expected to see. But I still think if I have 'shadow copies' then why do I need a 'redirection folder', which is what I cannot get my head around?

"it's important to note that the "shadow copies" aren't stored in the user's profile folder, they're stored in system volume information on the disk the shares live on, by default, which is why the changes you've made haven't given you access to older shadows".

Also when I log on to my file and print server and locate:

d:\fileprint - when I right-click and select Advanced & Owner tab it shows:

current owner of this item
administrators (fileprintserver\administrators)

In 'change owner to' it states the master DC administrator and the fileprintserver, but I was wondering, when I take ownership do I always use administrators (fileprintserver\administrators), as it is the admin of the physical file and print server, even though it is logged on to the domain?

administrator (itservices\administrator)
administrators (fileprintserver\administrators)

Assisted Solution by: kevinhsieh
ID: 38869273
You can run Windows Server 2012 on a Dell PE1950. When support ends for Microsoft products, the patches and updates will still be available, as well as documentation found in TechNet and elsewhere. What Microsoft will not do is develop and release any new security updates, even for issues that are being actively exploited in the wild, nor will you be able to open up a support case without a special contract that is rumored to cost north of $100,000 USD.

FWIW, Roaming Profiles are in general a very bad idea. They have never worked well, and though they sound cool in theory, they don't work well in practice. Using Redirected Folders is a much better idea.

I generally recommend that you don't try implementing Microsoft technologies (such as a certificate authority) unless you understand the technology, have determined whether or not it is actually useful to you, and understand the benefits and downsides. One technology I do recommend is DFS Namespace. If you host a domain-based DFS namespace (on your domain controller(s), of course), you can use the following path for your files: \\domainname.local\dfsroot\users\%username%, \\domainname.local\dfsroot\Departments\Finance, etc. The advantage is that the path used by the clients isn't dependent on the name of the file server that actually has the files, so you can replace your file server with a new server and, as far as the end user is concerned, everything is in the same place. Redirected folders can keep the same path, as well as shortcuts and drive mappings.

http://technet.microsoft.com/en-us/library/cc737358(v=WS.10).aspx

Author Comment by: mikey250
ID: 38869825
Hi kevinhsieh,

Q1. Are you saying that when I create a user account it is not a good idea to add the profile path, and just to use 'redirection folder' instead? Although I have known users to log on to different PCs, which are obviously part of the same domain, as far as I was aware it was only for small departments rather than across the board, as most users sat at the same desk every day so did not require a roaming profile. But a bad idea - I'm not sure why!!?

Q2. I've never really understood this certificate authority, or if it is ever used at all, but that doesn't make sense as it must be there for a reason!! So after some more reading I'm understanding that if users are not communicating outside their network then installing a 'CA' would be OK?

Q3. But if a company does communicate with the outside world via email and web server then a 3rd-party 'CA' should be purchased and the local 'CA' would then not need to be installed?

http://www.petri.co.il/configure_message_security_in_exchange_2003.htm
http://www.petri.co.il/install_windows_server_2003_ca.htm

Q4. I've set up 'DFS' before as a test, but by itself without a file server, just to test a remote VPN user on a laptop at home into the domain via ISA 2006, and the user was able to connect. Although yes, I realise that the file server(s) are set up and connected via 'DFS' normally, and yes, if I wanted to change file servers the users would not know, as the connection would be via 'DFS'?

As for the URL, I've not got R2 as I used Win 2003 Standard, but I do have Enterprise, not used.

Assisted Solution by: kevinhsieh
ID: 38870252
A1. I recommend that you leave profile path and logon script blank. You may want to use Home Folder path where you connect a drive letter to a UNC path, preferably a DFS path.

A2. There are lots of features in Windows, most of which you don't need and will never use. Just because it is there doesn't mean you should turn it on. In fact, if you are not using something it should be turned off. Whether or not you need/use a CA has nothing to do with whether or not your users are communicating outside your network.

A3. You can't purchase a 3rd party CA. You can purchase a CERTIFICATE from a CA. Asking to purchase a CA is like buying Ford Motor Company because you need a car. I have never seen Exchange set up with certificates for encryption and digital signatures outside of the government and military. You don't need it, and it isn't very compatible.

A4. DFS without some sort of file server, even if the file server is a domain controller, doesn't make sense by definition. DFS stands for Distributed FILE System. It has nothing to do with VPN, but a VPN user can connect to file resources via a DFS namespace instead of directly to the server holding the files. The point of a DFS namespace isn't to hide the fact that you're using a DFS namespace, but rather to abstract the physical file server and path that you are using. DFS namespaces have existed since Windows NT 4, and there isn't too much difference between Windows 2003 and Windows 2003 R2 when it comes to DFS namespace. Note that DFS Replication, which has nothing to do with DFS Namespaces, does not exist in Windows 2003, as it is a feature of Windows 2003 R2 and later.

Author Comment by: mikey250
ID: 38870304
thanks for that!!

Author Closing Comment by: mikey250
ID: 38871034
sound advice!!