Solved

Server 2012 file sharing permissions

Posted on 2013-06-07
8
1,311 Views
Last Modified: 2013-06-17
Hello Experts...I recently installed a file server with Server 2012.  I'm seeing some small problems with permissions on some of the shares that I don't quite understand.  Domain admins have full permissions at the root of each drive on the file server.  Even though this group should have access when I log in with a domain admin account I either get Access Denied or the following screen (see permissions1).

If I press Advanced and Continue it opens the tab and I can see I have permissions (see permissions2).

For some domain admins they just get access denied, they don't get prompted  to use the advanced permissions page.

The other issue I'm having is with how to gracefully change permissions to a large number of redirected desktops and my documents folders.  In order to make changes to permissions I need to first take ownership, apply them to the top level share, propogate them down to the subfolders, the give ownership back.  Its the last part I'm struggling with.  Its easy enough to take ownership but how can I give it back without having to touch each of the 100+ redirected folders I have?

I very much appreicate any help with this, thanks!
permissions1.jpg
permissions2.jpg
0
Comment
Question by:First Last
8 Comments
 
LVL 1

Author Comment

by:First Last
ID: 39230283
Anyone?
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 39231001
Issue #1:  is the group domain admins given full control from the root and applied to all subfolders and files?


Issue #2 Why do you need to take ownership of these directories? Isn't full control enough?
0
 
LVL 1

Author Comment

by:First Last
ID: 39231082
For #1 yes, I can see the domain admins group propagated down to the file level in every directory with full permissions.  I read earlier today that with 2012 file sharing having domain admin group permissions isn't enough, you have you apply permissions specific to the user who is performing the action or else deal with the prompt.  Disabling uac was the only work around I saw.

I need to take ownership because of the above problem.  I can't make top level changes even with a domain admin account unless I add individual user accounts which I'd rather not do unless that's the only option.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 18

Accepted Solution

by:
Sanga Collins earned 250 total points
ID: 39242230
With windows server shares, there are 2 places that cause issues.

1. share permissions (this controls who can connect to a share, if Domain admins is not on this list then they will not be able to connect to the share even though they have NTFS permissions)

2.NTFS permission (this controls who can connect to files and folders on the drive. If you have share permissions set a user can connect to the share. If they do not have NTFS permission set, they will not be able to do anything on that share.

If you took ownership of the users folders, dont bother giving it back, too much work. Just make sure the folder share and NTFS permissions give full control to the user and you will be fine. I moved my users folders off my SBS server to another (for more space) and was able to do the above with no major issue.
0
 
LVL 25

Assisted Solution

by:Coralon
Coralon earned 250 total points
ID: 39242740
It sounds like you are running into UAC?

Have you tried running explorer as administrator?  The reason is even with an admin account, your admin privileges are stripped if UAC is turned on, unless you select to elevate them.  I usually end up just keeping an elevated command prompt open all the time to save me some hassle :-)

The next question is what permissions change do you want to make specifically?  I'm not sure on 2012 if cacls.exe is is still available, or if they are forcing you to use icacls or subinacl?

In any case, whatever you are trying to do in bulk should be pretty easy from the command line.  I just need to know what you want to do, and we can figure it out :-)

Coralon
0
 
LVL 1

Author Closing Comment

by:First Last
ID: 39253227
This was indeed a UAC issue.  What I didn't know is that with 2012 even when the somain administrators group has permission its not enough.  The individual user's account must be in the list or UAC will stop it.  Strange choice by MS but there we have it.  Thanks all!
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

713 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question