Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Server 2012 file sharing permissions

Posted on 2013-06-07
8
Medium Priority
?
1,320 Views
Last Modified: 2013-06-17
Hello Experts...I recently installed a file server with Server 2012.  I'm seeing some small problems with permissions on some of the shares that I don't quite understand.  Domain admins have full permissions at the root of each drive on the file server.  Even though this group should have access when I log in with a domain admin account I either get Access Denied or the following screen (see permissions1).

If I press Advanced and Continue it opens the tab and I can see I have permissions (see permissions2).

For some domain admins they just get access denied, they don't get prompted  to use the advanced permissions page.

The other issue I'm having is with how to gracefully change permissions to a large number of redirected desktops and my documents folders.  In order to make changes to permissions I need to first take ownership, apply them to the top level share, propogate them down to the subfolders, the give ownership back.  Its the last part I'm struggling with.  Its easy enough to take ownership but how can I give it back without having to touch each of the 100+ redirected folders I have?

I very much appreicate any help with this, thanks!
permissions1.jpg
permissions2.jpg
0
Comment
Question by:First Last
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 1

Author Comment

by:First Last
ID: 39230283
Anyone?
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 39231001
Issue #1:  is the group domain admins given full control from the root and applied to all subfolders and files?


Issue #2 Why do you need to take ownership of these directories? Isn't full control enough?
0
 
LVL 1

Author Comment

by:First Last
ID: 39231082
For #1 yes, I can see the domain admins group propagated down to the file level in every directory with full permissions.  I read earlier today that with 2012 file sharing having domain admin group permissions isn't enough, you have you apply permissions specific to the user who is performing the action or else deal with the prompt.  Disabling uac was the only work around I saw.

I need to take ownership because of the above problem.  I can't make top level changes even with a domain admin account unless I add individual user accounts which I'd rather not do unless that's the only option.
0
Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

 
LVL 18

Accepted Solution

by:
Sanga Collins earned 1000 total points
ID: 39242230
With windows server shares, there are 2 places that cause issues.

1. share permissions (this controls who can connect to a share, if Domain admins is not on this list then they will not be able to connect to the share even though they have NTFS permissions)

2.NTFS permission (this controls who can connect to files and folders on the drive. If you have share permissions set a user can connect to the share. If they do not have NTFS permission set, they will not be able to do anything on that share.

If you took ownership of the users folders, dont bother giving it back, too much work. Just make sure the folder share and NTFS permissions give full control to the user and you will be fine. I moved my users folders off my SBS server to another (for more space) and was able to do the above with no major issue.
0
 
LVL 25

Assisted Solution

by:Coralon
Coralon earned 1000 total points
ID: 39242740
It sounds like you are running into UAC?

Have you tried running explorer as administrator?  The reason is even with an admin account, your admin privileges are stripped if UAC is turned on, unless you select to elevate them.  I usually end up just keeping an elevated command prompt open all the time to save me some hassle :-)

The next question is what permissions change do you want to make specifically?  I'm not sure on 2012 if cacls.exe is is still available, or if they are forcing you to use icacls or subinacl?

In any case, whatever you are trying to do in bulk should be pretty easy from the command line.  I just need to know what you want to do, and we can figure it out :-)

Coralon
0
 
LVL 1

Author Closing Comment

by:First Last
ID: 39253227
This was indeed a UAC issue.  What I didn't know is that with 2012 even when the somain administrators group has permission its not enough.  The individual user's account must be in the list or UAC will stop it.  Strange choice by MS but there we have it.  Thanks all!
0

Featured Post

Learn how to optimize MySQL for your business need

With the increasing importance of apps & networks in both business & personal interconnections, perfor. has become one of the key metrics of successful communication. This ebook is a hands-on business-case-driven guide to understanding MySQL query parameter tuning & database perf

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question