chadfran

Owner

I've been given a new account that doesn't have any access rights to certain folders/files. If I take the ownership of a folder it keeps the underlying security intact, however if I check the replace owner on subcontainers and objects it clears all security and just adds my ID. Has anyone else experienced this? Is this a Microsoft feature?!?
Jason Watkins

This is expected behavior. Once you replace the owner only that entity typically has access. The key word is "replacing" as opposed to adding or reconfiguring.
chadfran

ASKER

Really?!!? So how do I take ownership of an entire directory tree without losing all security?
Leave that checkbox alone. Take ownership of the parent directory and the children will follow.
That doesn't work. Every subfolder I click on I get the message. You don't currently have permissions to access this folder. Click continue to permanently get access to this folder. Then I get the message. You have been denied permission to access this folder. To gain access to this folder you will need to use the security tab. Now I can grant myself access but this is a pain.
Why take ownership, why not just add yourself or some group you are in to the ACL? Those added permissions will propagate down to child objects, giving you the access you need.
That works for the most part but then I get access denied on some subfolders. Is this new for 2008? I'm pretty sure I've replaced ownership of subfolders by clicking on the check box to propagate ownership in 2003 all the time because people moved on to different business units and I wanted to reflect the "owner" of the folder.
On those folders that you are denied, has the permissions inheritance been broken from parent to child? Sounds as if it has. The biggest change to permissions 2008/2008 R2 introduced was access based enumeration.
I just tried this on my server (2008 R2). Ownership was passed-down when the replace owners check box was selected whilst preserving the existing permissions that were already in place. I think the inheritance is broken somewhere along the way in your case.
That is not enabled by default and I didn't turn it on.

FYI. I just went onto a 2003 server. Took ownership of a folder. Checked the check box "Replace owner on subcontainers and objects" and it left the current security as it currently is. It did however change the "owner" of all subfolders within.
I just did the same on 2008 R2 and it kept the permissions while replacing the owner.
Ok so what is going on here!?! Were you able to get into the folder initially? I think it only happens when you don't have permissions to even look in the folder. It has happened to me twice now. This is causing major grief because putting the security back is sometimes a challenge. I'm getting gun-shy on changing permissions.
When you create any shared folder on server, at 1st place you should remove "Creator Owner" Group from NTFS ACL and also need to clear the inheritance.
If this group is there, the user will get automatically ownership for those files and folders which he creates, and there it screwed up.
Also you need to avoid full control permissions as much as possible except local administrators group on server.

This way you can prevent other users from taking ownership of files and folders and to keep permissions inheritance intact.
Now you don't need to take ownership and there is no question of replacing permissions which is default behaviour in MS OS

Mahesh
I was able to get into the folder initially because the account I used was a member of the domain users group, which has read access to the folders by default. I think your inheritance was broken or the defaults reconfigured down the line.
They removed our domain admin rights, so now I'm using an account that doesn't have full admin rights. Can you try with a non-domain account that has access to the server and see if it behaves the same?

Mahesh you are correct, but that isn't my issue in this case.
Try to replace the owner of a domain-based folder with that of a non-domain user?
Sorry, no. Still a domain user but not a domain admin user. Can you grant that user admin rights to the server? Find a folder that has a bunch of subfolders that that domain user doesn't have access to. Take ownership. See if it clears the current security.
It does not in the example you provided.
Thanks!! Ok so I don't know what the variable is that clears my security...
Did you check the check box to propagate down?
I did. The existing permissions were kept. The test user is a member of the domain users group, that is all.
And that is how I remembered this should behave. Any other ideas?
Still think the inheritance was either broken or changed in your directory structure. Get an admin to restore the default set of permissions and see if you have access.
ASKER CERTIFIED SOLUTION
Mahesh
This solution is only available to members.
Mahesh I've done so numerous times in the past. And Firebar also did it and it did not remove the underlying security.

My ID is part of the local administrators group on the server.  However someone else did have ownership of the folder structure.
Does your ID have full control permissions on folder structure from top to bottom?

Mahesh
No I do not. This new ID has no security. You saying I need full folder structure permissions from top to bottom or else it clears the underlying security of all folders? Any way around this?
My tests this morning used a Windows Server R2 domain with a fresh user account.
At least in Windows GUI, I didn't find any tweak to preserve permissions after forceful ownership change

But you can try Subinacl tool from Microsoft, which is a very powerful tool, it probably should do the job for you.

subinacl /subdirectories "c:\folder\*" /setowner=yourdomain\youraccount
subinacl /subdirectories "c:\folder\*" /grant=yourdomain\youraccount=F

The 1st command should replace owner of all files and folders under C:\folder\ but not root folder
Then you should take normal ownership of folder itself without replace option through Windows GUI

2nd command then grant full control permissions to account you specified

http://www.microsoft.com/en-us/download/details.aspx?id=23510


Hope that helps

Mahesh
chadfran,

Can you try this - change the ownership of that folder + sub folders and then go to Security tab > Advanced > select both the check marks for Allow inheritance and Replace permissions > click OK

You can also try testing it on a test dir first which worked fine in my case.
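
Added example, not part of any post in this thread: a PowerShell sketch for the test-directory check suggested above. It records the owner, the inheritance flag and the DACL of every folder before and after an ownership change, then lists the folders whose permissions did not survive. `C:\TestShare` is a placeholder path; the script assumes PowerShell 3.0 or later and an account that can read the tree's security descriptors for the first snapshot.

```powershell
# Added example. C:\TestShare is a placeholder for a test directory.
# Requires PowerShell 3.0 or later.

function Get-AclSnapshot {
    param([Parameter(Mandatory = $true)][string]$Root)
    $snapshot = @{}
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -Force -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
            $snapshot[$folder.FullName] = [pscustomobject]@{
                Owner     = $acl.Owner
                # True means inheritance from the parent is disabled on this folder
                Protected = $acl.AreAccessRulesProtected
                # DACL only, as SDDL text, so two snapshots compare as strings
                Dacl      = $acl.GetSecurityDescriptorSddlForm('Access')
            }
        } catch {
            # The current account cannot read this folder's security descriptor
            $snapshot[$folder.FullName] = [pscustomobject]@{
                Owner = '<unreadable>'; Protected = $null; Dacl = '<unreadable>'
            }
        }
    }
    $snapshot
}

function Compare-AclSnapshot {
    param([hashtable]$Before, [hashtable]$After)
    foreach ($path in ($Before.Keys | Sort-Object)) {
        if (-not $After.ContainsKey($path)) { continue }
        $b = $Before[$path]; $a = $After[$path]
        if ($b.Owner -ne $a.Owner -or $b.Dacl -ne $a.Dacl) {
            [pscustomobject]@{
                Path         = $path
                OwnerBefore  = $b.Owner
                OwnerAfter   = $a.Owner
                DaclChanged  = ($b.Dacl -ne $a.Dacl)
                WasProtected = $b.Protected
            }
        }
    }
}

$before = Get-AclSnapshot -Root 'C:\TestShare'
Read-Host 'Change ownership of C:\TestShare now, then press Enter'
$after = Get-AclSnapshot -Root 'C:\TestShare'
Compare-AclSnapshot -Before $before -After $after |
    Format-Table Path, OwnerBefore, OwnerAfter, DaclChanged, WasProtected -AutoSize
```

Rows with `DaclChanged` set to `True` are folders where the ownership change also rewrote the permissions; `WasProtected` shows whether inheritance was already disabled on that folder beforehand.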