Solved

Network Share permissions work in 2008, but not in 2008 R2

Posted on 2013-11-15
8
566 Views
Last Modified: 2014-01-30
I have a 2008 server that had been working for years. I am moving the programs to a newer machine running 2008 R2. This program doesn't matter. The problem is with Windows permissions. I am a domain admin. On the 2008 server, I can browse to what ever folders I like, but on this 2008 R2 server, it says I must proved permissions to access each folder. Even though domain admins are listed in the security tab. When I click continue, it opens, but adds my user name to the list in the security tab. I need to give read/write permissions to a single folder \\server\group\user\data\share, but not the folders above this "share" folder. In 2008, this was working fine, now in R2 it stopped working. The user had been a member of a group with access to the shared folder, but now even with the user explicitly listed, he does not have access. If it matters \\server\group\ is a shared folder that does show up to "everyone" when you go to \\server.
0
Comment
Question by:akdit1
8 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
Comment Utility
From the root folder can you take ownership and then reapply the permissions accordingly? Also are you having any trust issues with this server? Have you tried to remove from the domain and then re-add it back? Also check the event logs to see if there are any errors as well.
0
 
LVL 24

Expert Comment

by:lionelmm
Comment Utility
Permissions are one of those things that tend to tedious. Are you saying that on all folders you have to provide permissions on all folders or are we only talking about the folders in this group of folders \server\group\user\data\share. For example if you want to view folders in C:\Windows and below for each new folder you go down it will ask you to provide permissions--this is Microsoft trying to keep files/folders secure. Are you familiar with icacls to manage permissions?
0
 

Author Comment

by:akdit1
Comment Utility
\\server\group\user\data\share
I was already set as the owner of the parent folder "group".
The local administrators group is the owner of the subfolder "user". Domain admins is in the local admin group. I am a member of domain admins. no groups have any deny permissions.
When I browse to the folder "user" on the "x:" drive on the server, I get a pop-up message saying:
"You don't currently have permissions to access this folder.
click Continue to permanently get access to this folder."
If I click continue, it adds my account to the ACL for this folder. We try really hard not to add individual names, that's why the domain admins group was added to every folder.
If I browse to it as a network share "\\server\group\user\", it doesn't give me any trouble.
The user account that worked fine in 2008, only had permissions at the "share" level, to get it to work from a 2008 R2 server, I had to add explicit read/list contents permissions to every containing folder.

Microsoft said this is just the way it's supposed to work, but I've been lied to by support before just so they could close the ticket.

If it was just one or two users, I wouldn't care, but I've got about 100 user folders. I just finished removing explicit user permissions left from 3 previous IT users with admin rights to these folders, where, over the years, they've been in the same position I'm in. Every time I have to open a user folder, it adds my name to the ACL.

I just want to know if anyone else has/had this problem when moving from 2008 to 2008 R2. I was hoping this was a common problem and someone would just call me a dummy and tell me to disable a secret setting somewhere.
When I browse to \\server\x$\group\user\, from my domain account on Win 7, it doesn't give me any problems. So the domain admins group appears to be working when browsing this way, just not from the local server.
There are two possibly separate problems here, but I think they are the same root problem.
1) my domain admin account has to add explicit permissions to every folder to browse on local server (you say it's to protect the server, but it's not much protection if this "protection" only works when I'm accessing the server directly, but doesn't work when I'm accessing it from a remote machine) I'd like more consistent results in either direction. Either block me every way, or let me in every way.
2) user permissions that were working to access folders on this 2008 R2 server from a 2008 server, requires additional permissions to be added to the server to when accessing from a separate 2008 R2 server.

-I am not familiar with icacls
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 14

Expert Comment

by:BlueCompute
Comment Utility
0
 

Accepted Solution

by:
akdit1 earned 0 total points
Comment Utility
This was not an "DOMAIN ERROR", "NORMAL BEHAVIOUR", nor "UAC". It would most likely fall under a misconfiguration. I had given up on the "experts" here helping me with this issue. I received a request for action to close this issue so I reviewed all comments here. It was my detailed explanation that helped ME figure out what the problem was. I'm sure the time I've taken off from dealing with this issue helped me to step back and look at it objectively. The permissions work fine from domain machines (not a domain error). It doesn't do this on other machines (not normal behavior). UAC had been turned off, so that wasn't it either. It only happens on the local machine.
Solution:
Local Machine Admins Group did not have full permission to the folders. Added local admins group to the folders and the problem is resolved. The "contributors" were only helpful in making it clear that I would have to fix it myself. I wish people wouldn't comment as an "Expert" unless they KNEW their comment would be helpful or relevant.  I'm tired of the support calls that start with: Do you have AV on the machine?, Do you have ANY other programs on the machine?, or You'll need to start with a white box.
0
 

Author Closing Comment

by:akdit1
Comment Utility
It fixes my problem without compromising the design of my system. And most of all, it IS a solution, not just a random suggestion.
0
 
LVL 14

Expert Comment

by:BlueCompute
Comment Utility
Hi akdit1,  I'm glad you were able to resolve your issue.  I'm sorry that you did not find our comments helpful.

You may refer to the following blogpost outlining how this UAC-related behaviour can be changed: http://clintboessen.blogspot.co.uk/2013/05/you-dont-currently-have-permission-to.html

It is normal behaviour.  It is UAC related.  Have a nice day :-)
0

Featured Post

Do email signature updates give you a headache?

Do you feel like all of your time is spent managing email signatures? Too busy to visit every user’s desk to make updates? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today!

Join & Write a Comment

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now