?
Solved

Network Share permissions work in 2008, but not in 2008 R2

Posted on 2013-11-15
8
Medium Priority
?
605 Views
Last Modified: 2014-01-30
I have a 2008 server that had been working for years. I am moving the programs to a newer machine running 2008 R2. This program doesn't matter. The problem is with Windows permissions. I am a domain admin. On the 2008 server, I can browse to what ever folders I like, but on this 2008 R2 server, it says I must proved permissions to access each folder. Even though domain admins are listed in the security tab. When I click continue, it opens, but adds my user name to the list in the security tab. I need to give read/write permissions to a single folder \\server\group\user\data\share, but not the folders above this "share" folder. In 2008, this was working fine, now in R2 it stopped working. The user had been a member of a group with access to the shared folder, but now even with the user explicitly listed, he does not have access. If it matters \\server\group\ is a shared folder that does show up to "everyone" when you go to \\server.
0
Comment
Question by:akdit1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39653147
From the root folder can you take ownership and then reapply the permissions accordingly? Also are you having any trust issues with this server? Have you tried to remove from the domain and then re-add it back? Also check the event logs to see if there are any errors as well.
0
 
LVL 25

Expert Comment

by:Lionel MM
ID: 39653187
Permissions are one of those things that tend to tedious. Are you saying that on all folders you have to provide permissions on all folders or are we only talking about the folders in this group of folders \server\group\user\data\share. For example if you want to view folders in C:\Windows and below for each new folder you go down it will ask you to provide permissions--this is Microsoft trying to keep files/folders secure. Are you familiar with icacls to manage permissions?
0
 

Author Comment

by:akdit1
ID: 39657021
\\server\group\user\data\share
I was already set as the owner of the parent folder "group".
The local administrators group is the owner of the subfolder "user". Domain admins is in the local admin group. I am a member of domain admins. no groups have any deny permissions.
When I browse to the folder "user" on the "x:" drive on the server, I get a pop-up message saying:
"You don't currently have permissions to access this folder.
click Continue to permanently get access to this folder."
If I click continue, it adds my account to the ACL for this folder. We try really hard not to add individual names, that's why the domain admins group was added to every folder.
If I browse to it as a network share "\\server\group\user\", it doesn't give me any trouble.
The user account that worked fine in 2008, only had permissions at the "share" level, to get it to work from a 2008 R2 server, I had to add explicit read/list contents permissions to every containing folder.

Microsoft said this is just the way it's supposed to work, but I've been lied to by support before just so they could close the ticket.

If it was just one or two users, I wouldn't care, but I've got about 100 user folders. I just finished removing explicit user permissions left from 3 previous IT users with admin rights to these folders, where, over the years, they've been in the same position I'm in. Every time I have to open a user folder, it adds my name to the ACL.

I just want to know if anyone else has/had this problem when moving from 2008 to 2008 R2. I was hoping this was a common problem and someone would just call me a dummy and tell me to disable a secret setting somewhere.
When I browse to \\server\x$\group\user\, from my domain account on Win 7, it doesn't give me any problems. So the domain admins group appears to be working when browsing this way, just not from the local server.
There are two possibly separate problems here, but I think they are the same root problem.
1) my domain admin account has to add explicit permissions to every folder to browse on local server (you say it's to protect the server, but it's not much protection if this "protection" only works when I'm accessing the server directly, but doesn't work when I'm accessing it from a remote machine) I'd like more consistent results in either direction. Either block me every way, or let me in every way.
2) user permissions that were working to access folders on this 2008 R2 server from a 2008 server, requires additional permissions to be added to the server to when accessing from a separate 2008 R2 server.

-I am not familiar with icacls
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 14

Expert Comment

by:BlueCompute
ID: 39704942
0
 

Accepted Solution

by:
akdit1 earned 0 total points
ID: 39809211
This was not an "DOMAIN ERROR", "NORMAL BEHAVIOUR", nor "UAC". It would most likely fall under a misconfiguration. I had given up on the "experts" here helping me with this issue. I received a request for action to close this issue so I reviewed all comments here. It was my detailed explanation that helped ME figure out what the problem was. I'm sure the time I've taken off from dealing with this issue helped me to step back and look at it objectively. The permissions work fine from domain machines (not a domain error). It doesn't do this on other machines (not normal behavior). UAC had been turned off, so that wasn't it either. It only happens on the local machine.
Solution:
Local Machine Admins Group did not have full permission to the folders. Added local admins group to the folders and the problem is resolved. The "contributors" were only helpful in making it clear that I would have to fix it myself. I wish people wouldn't comment as an "Expert" unless they KNEW their comment would be helpful or relevant.  I'm tired of the support calls that start with: Do you have AV on the machine?, Do you have ANY other programs on the machine?, or You'll need to start with a white box.
0
 

Author Closing Comment

by:akdit1
ID: 39820336
It fixes my problem without compromising the design of my system. And most of all, it IS a solution, not just a random suggestion.
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39821089
Hi akdit1,  I'm glad you were able to resolve your issue.  I'm sorry that you did not find our comments helpful.

You may refer to the following blogpost outlining how this UAC-related behaviour can be changed: http://clintboessen.blogspot.co.uk/2013/05/you-dont-currently-have-permission-to.html

It is normal behaviour.  It is UAC related.  Have a nice day :-)
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A safe way to clean winsxs folder from your windows server 2008 R2 editions
It’s been over a month into 2017, and there is already a sophisticated Gmail phishing email making it rounds. New techniques and tactics, have given hackers a way to authentically impersonate your contacts.How it Works The attack works by targeti…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question