Server 2012 file sharing permissions

Posted on 2013-06-07
Last Modified: 2013-06-17
Hello Experts...I recently installed a file server with Server 2012.  I'm seeing some small problems with permissions on some of the shares that I don't quite understand.  Domain admins have full permissions at the root of each drive on the file server.  Even though this group should have access when I log in with a domain admin account I either get Access Denied or the following screen (see permissions1).

If I press Advanced and Continue it opens the tab and I can see I have permissions (see permissions2).

For some domain admins they just get access denied, they don't get prompted to use the advanced permissions page.

The other issue I'm having is with how to gracefully change permissions to a large number of redirected desktops and my documents folders.  In order to make changes to permissions I need to first take ownership, apply them to the top level share, propagate them down to the subfolders, then give ownership back.  It's the last part I'm struggling with.  It's easy enough to take ownership but how can I give it back without having to touch each of the 100+ redirected folders I have?

I very much appreciate any help with this, thanks!
permissions1.jpg
permissions2.jpg
Question by:First Last
6 Comments
 

Author Comment

by:First Last
ID: 39230283
Anyone?

Expert Comment

by:David Johnson, CD, MVP
ID: 39231001
Issue #1:  is the group domain admins given full control from the root and applied to all subfolders and files?


Issue #2 Why do you need to take ownership of these directories? Isn't full control enough?

Author Comment

by:First Last
ID: 39231082
For #1 yes, I can see the domain admins group propagated down to the file level in every directory with full permissions.  I read earlier today that with 2012 file sharing having domain admin group permissions isn't enough, you have to apply permissions specific to the user who is performing the action or else deal with the prompt.  Disabling UAC was the only workaround I saw.

I need to take ownership because of the above problem.  I can't make top level changes even with a domain admin account unless I add individual user accounts which I'd rather not do unless that's the only option.

Accepted Solution

by:
Sanga Collins earned 1000 total points
ID: 39242230
With Windows Server shares, there are 2 places that cause issues.

1. Share permissions (this controls who can connect to a share; if Domain Admins is not on this list then they will not be able to connect to the share even though they have NTFS permissions)

2. NTFS permission (this controls who can connect to files and folders on the drive. If you have share permissions set, a user can connect to the share. If they do not have NTFS permission set, they will not be able to do anything on that share.)

If you took ownership of the users' folders, don't bother giving it back, too much work. Just make sure the folder share and NTFS permissions give full control to the user and you will be fine. I moved my users' folders off my SBS server to another (for more space) and was able to do the above with no major issue.

Assisted Solution

by:Coralon
Coralon earned 1000 total points
ID: 39242740
It sounds like you are running into UAC?

Have you tried running explorer as administrator?  The reason is even with an admin account, your admin privileges are stripped if UAC is turned on, unless you select to elevate them.  I usually end up just keeping an elevated command prompt open all the time to save me some hassle :-)

The next question is what permissions change do you want to make specifically?  I'm not sure on 2012 if cacls.exe is still available, or if they are forcing you to use icacls or subinacl?

In any case, whatever you are trying to do in bulk should be pretty easy from the command line.  I just need to know what you want to do, and we can figure it out :-)

Coralon
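Added example, not part of any poster's reply: one way to script the bulk hand-back of ownership asked about in the question, using icacls (which Coralon mentions) from an elevated session. The root path, the domain name, and the rule that each redirected folder is named after its user's logon name are assumptions.

```powershell
# Added example. $Root and $Domain are placeholders; "folder name = logon name" is an assumption.
param(
    [string]$Root   = 'D:\RedirectedFolders',   # placeholder path to the redirected folders
    [string]$Domain = 'CONTOSO',                # placeholder NetBIOS domain name
    [switch]$Apply                              # without -Apply the script only reports
)

# UAC check: in a non-elevated session the Administrators group is deny-only
# in the token, so IsInRole returns false even for a domain admin account.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated: start PowerShell with "Run as administrator" and retry.'
}

foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    $account = "$Domain\$($dir.Name)"

    # Skip folders whose name does not resolve to an account.
    try {
        $nt = New-Object Security.Principal.NTAccount($account)
        $null = $nt.Translate([Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "No account $account for $($dir.FullName); skipped"
        continue
    }

    $owner = (Get-Acl -LiteralPath $dir.FullName).Owner
    if (-not $Apply) {
        "{0}: owner is {1}, would set {2}" -f $dir.FullName, $owner, $account
        continue
    }

    # /T recurses, /C continues past errors, /Q suppresses per-file success lines.
    icacls $dir.FullName /setowner $account /T /C /Q
    $failed = $LASTEXITCODE -ne 0
    # Full control, inherited by files (OI) and subfolders (CI).
    icacls $dir.FullName /grant "${account}:(OI)(CI)F" /C /Q
    if ($failed -or $LASTEXITCODE -ne 0) {
        Write-Warning "icacls reported errors on $($dir.FullName)"
    }
}
```

Run it once without `-Apply` to review the current owner of each folder, then again with `-Apply` to make the change.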

Author Closing Comment

by:First Last
ID: 39253227
This was indeed a UAC issue.  What I didn't know is that with 2012 even when the domain administrators group has permission it's not enough.  The individual user's account must be in the list or UAC will stop it.  Strange choice by MS but there we have it.  Thanks all!