Solved

Owner

Posted on 2013-12-02
Last Modified: 2014-01-02
I've been given a new account that doesn't have any access rights to certain folders/files. If I take ownership of a folder it keeps the underlying security intact; however, if I check the "replace owner on subcontainers and objects" box it clears all security and just adds my ID. Has anyone else experienced this? Is this a Microsoft feature?!?
0
Comment
Question by:chadfran
29 Comments
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39690007
This is expected behavior. Once you replace the owner only that entity typically has access. The key word is "replacing" as opposed to adding or reconfiguring.
0
 

Author Comment

by:chadfran
ID: 39690011
Really?!!? So how do I take ownership of an entire directory tree without losing all security?
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39690019
Leave that checkbox alone. Take ownership of the parent directory and the children will follow.
0
 

Author Comment

by:chadfran
ID: 39690047
That doesn't work. On every subfolder I click on I get the message "You don't currently have permissions to access this folder. Click continue to permanently get access to this folder." Then I get the message "You have been denied permission to access this folder. To gain access to this folder you will need to use the security tab." Now I can grant myself access but this is a pain.
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39690065
Why take ownership, why not just add yourself or some group you are in to the ACL? Those added permissions will propagate down to child objects, giving you the access you need.
0
 

Author Comment

by:chadfran
ID: 39690076
That works for the most part but then I get access denied on some subfolders. Is this new for 2008? I'm pretty sure I've replaced ownership of subfolders by clicking on the check box to propagate ownership in 2003 all the time because people moved on to different business units and I wanted to reflect the "owner" of the folder.
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39690084
On those folders where you are denied, has the permissions inheritance been broken from parent to child? Sounds as if it has. The biggest change to permissions that 2008/2008 R2 introduced was access-based enumeration.
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39690117
I just tried this on my server (2008 R2). Ownership was passed-down when the replace owners check box was selected whilst preserving the existing permissions that were already in place. I think the inheritance is broken somewhere along the way in your case.
0
 

Author Comment

by:chadfran
ID: 39690118
That is not enabled by default and I didn't turn it on.

FYI. I just went onto a 2003 server. Took ownership of a folder. Checked the check box "Replace owner on subcontainers and objects" and it left the current security as it currently is. It did however change the "owner" of all subfolders within.
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39690123
I just did the same on 2008 R2 and it kept the permissions while replacing the owner.
0
 

Author Comment

by:chadfran
ID: 39690142
Ok so what is going on here!?! Were you able to get into the folder initially? I think it only happens when you don't have permissions to even look in the folder. It has happened to me twice now. This is causing major grief because putting the security back is sometimes a challenge. I'm getting gun-shy on changing permissions.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39690170
When you create any shared folder on a server, at 1st place you should remove the "Creator Owner" group from the NTFS ACL and also need to clear the inheritance.
If this group is there, the user will automatically get ownership of those files and folders which he creates, and there it gets screwed up.
Also you need to avoid full control permissions as much as possible, except for the local administrators group on the server.

This way you can prevent other users from taking ownership of files and folders and keep permissions inheritance intact.
Now you don't need to take ownership and there is no question of replacing permissions, which is default behaviour in MS OS.

Mahesh
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39690178
I was able to get into the folder initially because the account I used was a member of the domain users group, which has read access to the folders by default. I think your inheritance was broken or the defaults reconfigured down the line.
0
 

Author Comment

by:chadfran
ID: 39690188
They removed our domain admin rights, so now I'm using an account that doesn't have full admin rights. Can you try with a non-domain account that has access to the server and see if it behaves the same?

Mahesh you are correct, but that isn't my issue in this case.
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39690205
Try to replace the owner of a domain-based folder with that of a non-domain user?
0
 

Author Comment

by:chadfran
ID: 39690211
Sorry, no. Still a domain user but not a domain admin user. Can you grant that user admin rights to the server? Find a folder that has a bunch of subfolders that that domain user doesn't have access to. Take ownership. See if it clears the current security.
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39690223
It does not in the example you provided.
0
 

Author Comment

by:chadfran
ID: 39690229
Thanks!! Ok so I don't know what the variable is that clears my security...
0
 

Author Comment

by:chadfran
ID: 39690232
Did you check the check box to propagate down?
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39690246
I did. The existing permissions were kept. The test user is a member of the domain users group, that is all.
0
 

Author Comment

by:chadfran
ID: 39690297
And that is how I remembered this should behave. Any other ideas?
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39690386
Still think the inheritance was either broken or changed in your directory structure. Get an admin to restore the default set of permissions and see if you have access.
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39690823
To take ownership of any files and folders explicitly \ forcefully regardless of rights, your domain account must be part of the local administrators group of the server. The administrators have explicit \ special rights to take ownership of files and folders.
Also, if one user has ownership of a particular folder and he is logged on to the server, then he has rights so that he can transfer ownership to another user. In this situation, NTFS permissions will not vanish from the ACL.
But this is not the case when a domain \ local administrator takes ownership of any folder for which he doesn't have full control NTFS permissions (full control permissions allow you to take ownership without access violation).
Doing so, he forcefully (access violation) removes the other user's ownership, which means he also broke the inheritance and subsequent permissions as well, causing all permissions to vanish.

Ideally you could log on to the server with each user account (legal way) having the particular folder ownership and then need to transfer ownership to administrator OR need to add administrators with full control permissions.
But this is very time consuming and not practicable since you might have a very complex folder structure.

So to avoid this situation, you are taking ownership with administrator, which allows you to manage the ACL and its inheritance effectively and quickly with losing inheritable ACL.

To avoid such situation, you must follow my earlier comment.

Mahesh
0
 

Author Comment

by:chadfran
ID: 39690841
Mahesh, I've done so numerous times in the past. And Firebar also did it and it did not remove the underlying security.

My ID is part of the local administrators group on the server.  However someone else did have ownership of the folder structure.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39690865
Does your ID have full control permissions on the folder structure from top to bottom?

Mahesh
0
 

Author Comment

by:chadfran
ID: 39690880
No, I do not. This new ID has no security. Are you saying I need full folder structure permissions from top to bottom or else it clears the underlying security of all folders? Any way around this?
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39691181
My tests this morning used a Windows Server R2 domain with a fresh user account.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39691260
At least in the Windows GUI, I haven't found any tweak to preserve permissions after a forceful ownership change.

But you can try Subinacl tool from Microsoft, which is very powerful tool, it probably should do the job for you.

subinacl /subdirectories "c:\folder\*" /setowner=yourdomain\youraccount
subinacl /subdirectories "c:\folder\*" /grant=yourdomain\youraccount=F

The 1st command should replace the owner of all files and folders under C:\folder\ but not the root folder.
Then you should take normal ownership of the folder itself without the replace option through the Windows GUI.

The 2nd command then grants full control permissions to the account you specified.

http://www.microsoft.com/en-us/download/details.aspx?id=23510


Hope that helps

Mahesh
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39692169
chadfran,

Can you try this: change the ownership of that folder + subfolders and then go to Security tab > Advanced > select both the check marks for Allow inheritance and Replace permissions > click OK.

You can also try testing it on a test dir first, which worked fine in my case.
0
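Added example, not part of the thread and not code from any of the posters: a PowerShell script that records owner, inheritance state and DACL for a folder tree before the owner is replaced, and on a second run lists every object whose permissions changed. It also answers the "has inheritance been broken?" question raised above. Assumptions: PowerShell 3.0 or later, an account that can read the permissions, and placeholder paths in `$Root` and `$Snapshot`.

```powershell
# Added example (not from the thread). Placeholder paths; adjust before use.
param(
    [string]$Root     = 'D:\Shares\Example',       # hypothetical folder tree
    [string]$Snapshot = 'C:\Temp\acl-before.csv'   # hypothetical snapshot file
)

function Get-AclSnapshot {
    param([string]$Path)
    # The root itself plus everything below it that the account can enumerate.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
            [pscustomobject]@{
                Path               = $item.FullName
                Owner              = $acl.Owner
                # True means this object does not inherit from its parent.
                InheritanceBlocked = $acl.AreAccessRulesProtected
                # DACL only, as SDDL, so an owner change alone is not a difference.
                Dacl               = $acl.GetSecurityDescriptorSddlForm('Access')
            }
        } catch {
            # Access denied on the descriptor: record that instead of stopping.
            [pscustomobject]@{
                Path = $item.FullName; Owner = '<unreadable>'
                InheritanceBlocked = ''; Dacl = '<unreadable>'
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $Snapshot)) {
    # First run, before touching ownership: save the current state.
    Get-AclSnapshot $Root | Export-Csv -Path $Snapshot -NoTypeInformation
    # Report folders and files where inheritance is already broken.
    Import-Csv -Path $Snapshot | Where-Object { $_.InheritanceBlocked -eq 'True' } |
        Select-Object Path, Owner
} else {
    # Second run, after the ownership change: list objects whose DACL changed.
    $before = @{}
    Import-Csv -Path $Snapshot | ForEach-Object { $before[$_.Path] = $_.Dacl }
    Get-AclSnapshot $Root |
        Where-Object { $before.ContainsKey($_.Path) -and $before[$_.Path] -ne $_.Dacl } |
        Select-Object Path, Owner, InheritanceBlocked
}
```

Objects recorded as `<unreadable>` in the first run will show up as changed once they become readable; those are the ones to compare by hand against a known-good source of the intended permissions.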
