Solved

Network Share permissions work in 2008, but not in 2008 R2

Posted on 2013-11-15
8
578 Views
Last Modified: 2014-01-30
I have a 2008 server that had been working for years. I am moving the programs to a newer machine running 2008 R2. This program doesn't matter. The problem is with Windows permissions. I am a domain admin. On the 2008 server, I can browse to what ever folders I like, but on this 2008 R2 server, it says I must proved permissions to access each folder. Even though domain admins are listed in the security tab. When I click continue, it opens, but adds my user name to the list in the security tab. I need to give read/write permissions to a single folder \\server\group\user\data\share, but not the folders above this "share" folder. In 2008, this was working fine, now in R2 it stopped working. The user had been a member of a group with access to the shared folder, but now even with the user explicitly listed, he does not have access. If it matters \\server\group\ is a shared folder that does show up to "everyone" when you go to \\server.
0
Comment
Question by:akdit1
8 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39653147
From the root folder can you take ownership and then reapply the permissions accordingly? Also are you having any trust issues with this server? Have you tried to remove from the domain and then re-add it back? Also check the event logs to see if there are any errors as well.
0
 
LVL 24

Expert Comment

by:Lionel MM
ID: 39653187
Permissions are one of those things that tend to tedious. Are you saying that on all folders you have to provide permissions on all folders or are we only talking about the folders in this group of folders \server\group\user\data\share. For example if you want to view folders in C:\Windows and below for each new folder you go down it will ask you to provide permissions--this is Microsoft trying to keep files/folders secure. Are you familiar with icacls to manage permissions?
0
 

Author Comment

by:akdit1
ID: 39657021
\\server\group\user\data\share
I was already set as the owner of the parent folder "group".
The local administrators group is the owner of the subfolder "user". Domain admins is in the local admin group. I am a member of domain admins. no groups have any deny permissions.
When I browse to the folder "user" on the "x:" drive on the server, I get a pop-up message saying:
"You don't currently have permissions to access this folder.
click Continue to permanently get access to this folder."
If I click continue, it adds my account to the ACL for this folder. We try really hard not to add individual names, that's why the domain admins group was added to every folder.
If I browse to it as a network share "\\server\group\user\", it doesn't give me any trouble.
The user account that worked fine in 2008, only had permissions at the "share" level, to get it to work from a 2008 R2 server, I had to add explicit read/list contents permissions to every containing folder.

Microsoft said this is just the way it's supposed to work, but I've been lied to by support before just so they could close the ticket.

If it was just one or two users, I wouldn't care, but I've got about 100 user folders. I just finished removing explicit user permissions left from 3 previous IT users with admin rights to these folders, where, over the years, they've been in the same position I'm in. Every time I have to open a user folder, it adds my name to the ACL.

I just want to know if anyone else has/had this problem when moving from 2008 to 2008 R2. I was hoping this was a common problem and someone would just call me a dummy and tell me to disable a secret setting somewhere.
When I browse to \\server\x$\group\user\, from my domain account on Win 7, it doesn't give me any problems. So the domain admins group appears to be working when browsing this way, just not from the local server.
There are two possibly separate problems here, but I think they are the same root problem.
1) my domain admin account has to add explicit permissions to every folder to browse on local server (you say it's to protect the server, but it's not much protection if this "protection" only works when I'm accessing the server directly, but doesn't work when I'm accessing it from a remote machine) I'd like more consistent results in either direction. Either block me every way, or let me in every way.
2) user permissions that were working to access folders on this 2008 R2 server from a 2008 server, requires additional permissions to be added to the server to when accessing from a separate 2008 R2 server.

-I am not familiar with icacls
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 14

Expert Comment

by:BlueCompute
ID: 39704942
0
 

Accepted Solution

by:
akdit1 earned 0 total points
ID: 39809211
This was not an "DOMAIN ERROR", "NORMAL BEHAVIOUR", nor "UAC". It would most likely fall under a misconfiguration. I had given up on the "experts" here helping me with this issue. I received a request for action to close this issue so I reviewed all comments here. It was my detailed explanation that helped ME figure out what the problem was. I'm sure the time I've taken off from dealing with this issue helped me to step back and look at it objectively. The permissions work fine from domain machines (not a domain error). It doesn't do this on other machines (not normal behavior). UAC had been turned off, so that wasn't it either. It only happens on the local machine.
Solution:
Local Machine Admins Group did not have full permission to the folders. Added local admins group to the folders and the problem is resolved. The "contributors" were only helpful in making it clear that I would have to fix it myself. I wish people wouldn't comment as an "Expert" unless they KNEW their comment would be helpful or relevant.  I'm tired of the support calls that start with: Do you have AV on the machine?, Do you have ANY other programs on the machine?, or You'll need to start with a white box.
0
 

Author Closing Comment

by:akdit1
ID: 39820336
It fixes my problem without compromising the design of my system. And most of all, it IS a solution, not just a random suggestion.
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39821089
Hi akdit1,  I'm glad you were able to resolve your issue.  I'm sorry that you did not find our comments helpful.

You may refer to the following blogpost outlining how this UAC-related behaviour can be changed: http://clintboessen.blogspot.co.uk/2013/05/you-dont-currently-have-permission-to.html

It is normal behaviour.  It is UAC related.  Have a nice day :-)
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How to prioritize LOGONSERVER for clients? 1 55
Windows Server Backup for Exchange incremental 15 90
SQL Server Update Query Streamline 4 28
Remove Extension 3 37
Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
Citrix XenApp, Internet Explorer 11 set to Enterprise Mode and using central hosted sites.xml file.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question