• Status: Solved
  • Priority: Medium
  • Security: Public

Network Share permissions work in 2008, but not in 2008 R2

I have a 2008 server that had been working for years. I am moving the programs to a newer machine running 2008 R2. This program doesn't matter. The problem is with Windows permissions. I am a domain admin. On the 2008 server, I can browse to whatever folders I like, but on this 2008 R2 server, it says I must provide permissions to access each folder, even though domain admins are listed in the security tab. When I click continue, it opens, but adds my user name to the list in the security tab. I need to give read/write permissions to a single folder \\server\group\user\data\share, but not the folders above this "share" folder. In 2008, this was working fine, now in R2 it stopped working. The user had been a member of a group with access to the shared folder, but now even with the user explicitly listed, he does not have access. If it matters, \\server\group\ is a shared folder that does show up to "everyone" when you go to \\server.
Asked by: akdit1

Will Szymkowski (Senior Solution Architect) commented:
From the root folder can you take ownership and then reapply the permissions accordingly? Also are you having any trust issues with this server? Have you tried to remove from the domain and then re-add it back? Also check the event logs to see if there are any errors as well.

Lionel MM (Small Business IT Consultant) commented:
Permissions are one of those things that tend to be tedious. Are you saying that you have to provide permissions on all folders, or are we only talking about the folders in this group of folders \server\group\user\data\share? For example, if you want to view folders in C:\Windows and below, for each new folder you go down it will ask you to provide permissions--this is Microsoft trying to keep files/folders secure. Are you familiar with icacls to manage permissions?

akdit1 (Author) commented:
\\server\group\user\data\share
I was already set as the owner of the parent folder "group".
The local administrators group is the owner of the subfolder "user". Domain admins is in the local admin group. I am a member of domain admins. No groups have any deny permissions.
When I browse to the folder "user" on the "x:" drive on the server, I get a pop-up message saying:
"You don't currently have permissions to access this folder.
click Continue to permanently get access to this folder."
If I click continue, it adds my account to the ACL for this folder. We try really hard not to add individual names, that's why the domain admins group was added to every folder.
If I browse to it as a network share "\\server\group\user\", it doesn't give me any trouble.
The user account that worked fine in 2008, only had permissions at the "share" level, to get it to work from a 2008 R2 server, I had to add explicit read/list contents permissions to every containing folder.

Microsoft said this is just the way it's supposed to work, but I've been lied to by support before just so they could close the ticket.

If it was just one or two users, I wouldn't care, but I've got about 100 user folders. I just finished removing explicit user permissions left from 3 previous IT users with admin rights to these folders, where, over the years, they've been in the same position I'm in. Every time I have to open a user folder, it adds my name to the ACL.

I just want to know if anyone else has/had this problem when moving from 2008 to 2008 R2. I was hoping this was a common problem and someone would just call me a dummy and tell me to disable a secret setting somewhere.
When I browse to \\server\x$\group\user\, from my domain account on Win 7, it doesn't give me any problems. So the domain admins group appears to be working when browsing this way, just not from the local server.
There are two possibly separate problems here, but I think they are the same root problem.
1) my domain admin account has to add explicit permissions to every folder to browse on local server (you say it's to protect the server, but it's not much protection if this "protection" only works when I'm accessing the server directly, but doesn't work when I'm accessing it from a remote machine) I'd like more consistent results in either direction. Either block me every way, or let me in every way.
2) user permissions that were working to access folders on this 2008 R2 server from a 2008 server require additional permissions to be added to the server when accessing from a separate 2008 R2 server.

-I am not familiar with icacls

BlueCompute commented:

akdit1 (Author) commented:
This was not a "DOMAIN ERROR", "NORMAL BEHAVIOUR", nor "UAC". It would most likely fall under a misconfiguration. I had given up on the "experts" here helping me with this issue. I received a request for action to close this issue so I reviewed all comments here. It was my detailed explanation that helped ME figure out what the problem was. I'm sure the time I've taken off from dealing with this issue helped me to step back and look at it objectively. The permissions work fine from domain machines (not a domain error). It doesn't do this on other machines (not normal behavior). UAC had been turned off, so that wasn't it either. It only happens on the local machine.
Solution:
Local Machine Admins Group did not have full permission to the folders. Added local admins group to the folders and the problem is resolved. The "contributors" were only helpful in making it clear that I would have to fix it myself. I wish people wouldn't comment as an "Expert" unless they KNEW their comment would be helpful or relevant.  I'm tired of the support calls that start with: Do you have AV on the machine?, Do you have ANY other programs on the machine?, or You'll need to start with a white box.
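
A read-only audit for the condition described in the solution above (local Administrators group missing Full Control) and for the per-account ACEs that the "Continue" prompt leaves behind, as an added example that is not part of the original thread. The `X:\group` root follows the thread's layout and is an assumption, and the output property names are illustrative.

```powershell
# Added example: read-only ACL audit; it changes nothing on disk.
# $Root is an assumption based on the thread's x:\group layout; adjust it.
param([string]$Root = 'X:\group')

$adminsSid   = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$sidType     = [System.Security.Principal.SecurityIdentifier]
$ntType      = [System.Security.Principal.NTAccount]
$full        = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# The PSIsContainer filter keeps this compatible with PowerShell 2.0 on 2008 R2.
Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $dir = $_
    try   { $acl = Get-Acl -Path $dir.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($dir.FullName)"; return }

    # Request SIDs instead of names so orphaned accounts do not break the loop.
    $rules = $acl.GetAccessRules($true, $true, $sidType)

    $adminsFull = $false
    $explicit   = @()
    foreach ($r in $rules) {
        $sid = $r.IdentityReference.Value
        # An inherit-only ACE does not apply to the folder itself, so skip it.
        $appliesHere = (([int]$r.PropagationFlags) -band $inheritOnly) -eq 0
        if ($sid -eq $adminsSid -and $appliesHere -and
            $r.AccessControlType -eq 'Allow' -and
            (([int]$r.FileSystemRights) -band $full) -eq $full) {
            $adminsFull = $true
        }
        # Non-inherited ACEs for account SIDs (S-1-5-21-...): review these for
        # individual names added by the "Continue" prompt.
        if (-not $r.IsInherited -and $sid -like 'S-1-5-21-*') {
            try   { $explicit += $r.IdentityReference.Translate($ntType).Value }
            catch { $explicit += $sid }   # unresolvable (deleted) account
        }
    }

    New-Object PSObject -Property @{
        Folder                 = $dir.FullName
        Owner                  = $acl.Owner
        LocalAdminsFullControl = $adminsFull
        ExplicitAccountAces    = ($explicit -join '; ')
    }
} | Where-Object { -not $_.LocalAdminsFullControl -or $_.ExplicitAccountAces } |
    Select-Object Folder, Owner, LocalAdminsFullControl, ExplicitAccountAces
```

Run it from an elevated prompt on the file server; folders that appear with `LocalAdminsFullControl` set to False match the misconfiguration named in the solution.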

akdit1 (Author) commented:
It fixes my problem without compromising the design of my system. And most of all, it IS a solution, not just a random suggestion.

BlueCompute commented:
Hi akdit1,  I'm glad you were able to resolve your issue.  I'm sorry that you did not find our comments helpful.

You may refer to the following blogpost outlining how this UAC-related behaviour can be changed: http://clintboessen.blogspot.co.uk/2013/05/you-dont-currently-have-permission-to.html

It is normal behaviour.  It is UAC related.  Have a nice day :-)