Server 2012 file sharing permissions

Hello Experts...I recently installed a file server with Server 2012.  I'm seeing some small problems with permissions on some of the shares that I don't quite understand.  Domain admins have full permissions at the root of each drive on the file server.  Even though this group should have access when I log in with a domain admin account I either get Access Denied or the following screen (see permissions1).

If I press Advanced and Continue it opens the tab and I can see I have permissions (see permissions2).

For some domain admins they just get access denied; they don't get prompted to use the advanced permissions page.

The other issue I'm having is with how to gracefully change permissions on a large number of redirected Desktop and My Documents folders. In order to make changes to permissions I need to first take ownership, apply them to the top-level share, propagate them down to the subfolders, then give ownership back. It's the last part I'm struggling with. It's easy enough to take ownership, but how can I give it back without having to touch each of the 100+ redirected folders I have?

I very much appreciate any help with this, thanks!
Sanga Collins (Systems Admin) commented:
With Windows Server shares, there are 2 places that cause issues.

1. Share permissions (this controls who can connect to a share; if Domain Admins is not on this list then they will not be able to connect to the share even though they have NTFS permissions).

2. NTFS permissions (this controls who can connect to files and folders on the drive. If you have share permissions set, a user can connect to the share. If they do not have NTFS permissions set, they will not be able to do anything on that share).

If you took ownership of the users' folders, don't bother giving it back, too much work. Just make sure the folder share and NTFS permissions give full control to the user and you will be fine. I moved my users' folders off my SBS server to another (for more space) and was able to do the above with no major issue.
David Johnson, CD, MVP (Owner) commented:
Issue #1: Is the group Domain Admins given full control from the root and applied to all subfolders and files?

Issue #2: Why do you need to take ownership of these directories? Isn't full control enough?
First Last (Author) commented:
For #1 yes, I can see the Domain Admins group propagated down to the file level in every directory with full permissions. I read earlier today that with 2012 file sharing having Domain Admins group permissions isn't enough; you have to apply permissions specific to the user who is performing the action or else deal with the prompt. Disabling UAC was the only workaround I saw.

I need to take ownership because of the above problem.  I can't make top level changes even with a domain admin account unless I add individual user accounts which I'd rather not do unless that's the only option.
Coralon commented:
It sounds like you are running into UAC?

Have you tried running Explorer as administrator? The reason is even with an admin account, your admin privileges are stripped if UAC is turned on, unless you select to elevate them. I usually end up just keeping an elevated command prompt open all the time to save me some hassle :-)

The next question is what permissions change do you want to make specifically? I'm not sure on 2012 if cacls.exe is still available, or if they are forcing you to use icacls or subinacl?

In any case, whatever you are trying to do in bulk should be pretty easy from the command line.  I just need to know what you want to do, and we can figure it out :-)
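
An added example, not part of the original thread or any participant's post: one way to hand ownership of each redirected folder back to its user in bulk from an elevated session, which is the command-line approach the reply above points to. The root path, the domain name, and the convention that each folder is named after the user's logon name are assumptions.

```powershell
# Added example: return ownership of each redirected folder to its user.
# Assumptions (not from the thread): $Root and $Domain are placeholders, and each
# first-level folder under $Root is named after the user's logon name.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Root   = 'D:\Redirected',   # placeholder path
    [string]$Domain = 'EXAMPLE'          # placeholder NetBIOS domain name
)

# UAC filters the admin token; assigning another account as owner needs the
# elevated token, so stop early if this session is not elevated.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session (Run as administrator).'
}

$failed = @()
foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    $account = "$Domain\$($dir.Name)"

    # Resolve the account first so a stale folder is not assigned to a bad name.
    try {
        $null = ([Security.Principal.NTAccount]$account).Translate(
            [Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "No account $account for $($dir.FullName); skipped"
        $failed += $dir.FullName
        continue
    }

    if ($PSCmdlet.ShouldProcess($dir.FullName, "set owner to $account")) {
        # /T recurses, /C continues past errors, /Q hides per-file success lines.
        icacls $dir.FullName /setowner $account /T /C /Q
        if ($LASTEXITCODE -ne 0) { $failed += $dir.FullName }
    }
}

"Folders needing attention: $($failed.Count)"
$failed
```

Saved as a script, it can be run with `-WhatIf` first to list the folder-to-owner pairs without changing anything.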

First Last (Author) commented:
This was indeed a UAC issue. What I didn't know is that with 2012 even when the Domain Administrators group has permission it's not enough. The individual user's account must be in the list or UAC will stop it. Strange choice by MS but there we have it. Thanks all!
Question has a verified solution.