Solved

Server 2012 file sharing permissions

Posted on 2013-06-07
8
1,305 Views
Last Modified: 2013-06-17
Hello Experts...I recently installed a file server with Server 2012.  I'm seeing some small problems with permissions on some of the shares that I don't quite understand.  Domain admins have full permissions at the root of each drive on the file server.  Even though this group should have access when I log in with a domain admin account I either get Access Denied or the following screen (see permissions1).

If I press Advanced and Continue it opens the tab and I can see I have permissions (see permissions2).

For some domain admins they just get access denied, they don't get prompted  to use the advanced permissions page.

The other issue I'm having is with how to gracefully change permissions to a large number of redirected desktops and my documents folders.  In order to make changes to permissions I need to first take ownership, apply them to the top level share, propogate them down to the subfolders, the give ownership back.  Its the last part I'm struggling with.  Its easy enough to take ownership but how can I give it back without having to touch each of the 100+ redirected folders I have?

I very much appreicate any help with this, thanks!
permissions1.jpg
permissions2.jpg
0
Comment
Question by:First Last
8 Comments
 
LVL 1

Author Comment

by:First Last
ID: 39230283
Anyone?
0
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 39231001
Issue #1:  is the group domain admins given full control from the root and applied to all subfolders and files?


Issue #2 Why do you need to take ownership of these directories? Isn't full control enough?
0
 
LVL 1

Author Comment

by:First Last
ID: 39231082
For #1 yes, I can see the domain admins group propagated down to the file level in every directory with full permissions.  I read earlier today that with 2012 file sharing having domain admin group permissions isn't enough, you have you apply permissions specific to the user who is performing the action or else deal with the prompt.  Disabling uac was the only work around I saw.

I need to take ownership because of the above problem.  I can't make top level changes even with a domain admin account unless I add individual user accounts which I'd rather not do unless that's the only option.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 18

Accepted Solution

by:
Sanga Collins earned 250 total points
ID: 39242230
With windows server shares, there are 2 places that cause issues.

1. share permissions (this controls who can connect to a share, if Domain admins is not on this list then they will not be able to connect to the share even though they have NTFS permissions)

2.NTFS permission (this controls who can connect to files and folders on the drive. If you have share permissions set a user can connect to the share. If they do not have NTFS permission set, they will not be able to do anything on that share.

If you took ownership of the users folders, dont bother giving it back, too much work. Just make sure the folder share and NTFS permissions give full control to the user and you will be fine. I moved my users folders off my SBS server to another (for more space) and was able to do the above with no major issue.
0
 
LVL 24

Assisted Solution

by:Coralon
Coralon earned 250 total points
ID: 39242740
It sounds like you are running into UAC?

Have you tried running explorer as administrator?  The reason is even with an admin account, your admin privileges are stripped if UAC is turned on, unless you select to elevate them.  I usually end up just keeping an elevated command prompt open all the time to save me some hassle :-)

The next question is what permissions change do you want to make specifically?  I'm not sure on 2012 if cacls.exe is is still available, or if they are forcing you to use icacls or subinacl?

In any case, whatever you are trying to do in bulk should be pretty easy from the command line.  I just need to know what you want to do, and we can figure it out :-)

Coralon
0
 
LVL 1

Author Closing Comment

by:First Last
ID: 39253227
This was indeed a UAC issue.  What I didn't know is that with 2012 even when the somain administrators group has permission its not enough.  The individual user's account must be in the list or UAC will stop it.  Strange choice by MS but there we have it.  Thanks all!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Macbook Sierra OS OpenVPN issue 13 82
Trouble enabling network for Hyper-V client 10 34
Set up secondary Domain Controller 4 71
RDS Licensing on Server 2012R2 5 19
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question