  • Status: Solved

Owner

I've been given a new account that doesn't have any access rights to certain folders/files. If I take ownership of a folder it keeps the underlying security intact; however, if I check "Replace owner on subcontainers and objects" it clears all security and just adds my ID. Has anyone else experienced this? Is this a Microsoft feature?!?
0
chadfran
Asked:
chadfran
1 Solution
 
Jason Watkins (IT Project Leader) Commented:
This is expected behavior. Once you replace the owner only that entity typically has access. The key word is "replacing" as opposed to adding or reconfiguring.
0
 
chadfran (Author) Commented:
Really?!!? So how do I take ownership of an entire directory tree without losing all security?
0
 
Jason Watkins (IT Project Leader) Commented:
Leave that checkbox alone. Take ownership of the parent directory and the children will follow.
0
 
chadfran (Author) Commented:
That doesn't work. On every subfolder I click on I get the message: "You don't currently have permissions to access this folder. Click continue to permanently get access to this folder." Then I get the message: "You have been denied permission to access this folder. To gain access to this folder you will need to use the security tab." Now I can grant myself access but this is a pain.
0
 
Jason Watkins (IT Project Leader) Commented:
Why take ownership, why not just add yourself or some group you are in to the ACL? Those added permissions will propagate down to child objects, giving you the access you need.
0
 
chadfran (Author) Commented:
That works for the most part but then I get access denied on some subfolders. Is this new for 2008? I'm pretty sure I've replaced ownership of subfolders by clicking on the check box to propagate ownership in 2003 all the time because people moved on to different business units and I wanted to reflect the "owner" of the folder.
0
 
Jason Watkins (IT Project Leader) Commented:
On those folders that you are denied, has the permissions inheritance been broken from parent to child? Sounds as if it has. The biggest change to permissions 2008/2008 R2 introduced was access based enumeration.
0
 
Jason Watkins (IT Project Leader) Commented:
I just tried this on my server (2008 R2). Ownership was passed-down when the replace owners check box was selected whilst preserving the existing permissions that were already in place. I think the inheritance is broken somewhere along the way in your case.
0
 
chadfran (Author) Commented:
That is not enabled by default and I didn't turn it on.

FYI. I just went onto a 2003 server. Took ownership of a folder. Checked the check box "Replace owner on subcontainers and objects" and it left the current security as it currently is. It did however change the "owner" of all subfolders within.
0
 
Jason Watkins (IT Project Leader) Commented:
I just did the same on 2008 R2 and it kept the permissions while replacing the owner.
0
 
chadfran (Author) Commented:
Ok so what is going on here!?! Were you able to get into the folder initially? I think it only happens when you don't have permissions to even look in the folder. It has happened to me twice now. This is causing major grief because putting the security back is sometimes a challenge. I'm getting gun-shy on changing permissions.
0
 
Mahesh (Architect) Commented:
When you create any shared folder on a server, in the first place you should remove the "Creator Owner" group from the NTFS ACL and also clear the inheritance.
If this group is there, the user will automatically get ownership of those files and folders which he creates, and there it gets screwed up.
Also you need to avoid full control permissions as much as possible, except for the local administrators group on the server.

This way you can prevent other users from taking ownership of files and folders and keep permissions inheritance intact.
Now you don't need to take ownership and there is no question of replacing permissions, which is the default behaviour in MS OS.

Mahesh
0
 
Jason Watkins (IT Project Leader) Commented:
I was able to get into the folder initially because the account I used was a member of the domain users group, which has read access to the folders by default. I think your inheritance was broken or the defaults reconfigured down the line.
0
 
chadfran (Author) Commented:
They removed our domain admin rights, so now I'm using an account that doesn't have full admin rights. Can you try with a non-domain account that has access to the server and see if it behaves the same?

Mahesh you are correct, but that isn't my issue in this case.
0
 
Jason Watkins (IT Project Leader) Commented:
Try to replace the owner of a domain-based folder with that of a non-domain user?
0
 
chadfran (Author) Commented:
Sorry, no. Still a domain user but not a domain admin user. Can you grant that user admin rights to the server? Find a folder that has a bunch of subfolders that that domain user doesn't have access to. Take ownership. See if it clears the current security.
0
 
Jason Watkins (IT Project Leader) Commented:
It does not in the example you provided.
0
 
chadfran (Author) Commented:
Thanks!! Ok so I don't know what the variable is that clears my security...
0
 
chadfran (Author) Commented:
Did you check the check box to propagate down?
0
 
Jason Watkins (IT Project Leader) Commented:
I did. The existing permissions were kept. The test user is a member of the domain users group, that is all.
0
 
chadfran (Author) Commented:
And that is how I remembered this should behave. Any other ideas?
0
 
Jason Watkins (IT Project Leader) Commented:
Still think the inheritance was either broken or changed in your directory structure. Get an admin to restore the default set of permissions and see if you have access.
0
 
Mahesh (Architect) Commented:
To take ownership of any files and folders explicitly \ forcefully regardless of rights, your domain account must be part of the local administrators group of the server. The administrators have explicit \ special rights to take ownership of files and folders.
Also, if one user has ownership of a particular folder and he is logged on to the server, then he has rights to transfer ownership to another user. In this situation, NTFS permissions will not vanish from the ACL.
But this is not the case when a domain \ local administrator takes ownership of any folder for which he doesn't have full control NTFS permissions (full control permissions allow you to take ownership without access violation).
Doing so, he forcefully (access violation) removes the other user's ownership, which means he also breaks the inheritance and subsequent permissions as well, causing all permissions to vanish.

Ideally you could log on to the server with each user account (legal way) having particular folder ownership and then transfer ownership to administrator OR add administrators with full control permissions.
But this is very time consuming and not practicable since you might have a very complex folder structure.

So to avoid this situation, you are taking ownership with administrator, which allows you to manage the ACL and its inheritance effectively and quickly with losing inheritable ACL.

To avoid such a situation, you must follow my earlier comment.

Mahesh
0
 
chadfran (Author) Commented:
Mahesh, I've done so numerous times in the past. And Firebar also did it and it did not remove the underlying security.

My ID is part of the local administrators group on the server.  However someone else did have ownership of the folder structure.
0
 
Mahesh (Architect) Commented:
Does your ID have full control permissions on the folder structure from top to bottom?

Mahesh
0
 
chadfran (Author) Commented:
No I do not. This new ID has no security. You're saying I need full folder structure permissions from top to bottom or else it clears the underlying security of all folders? Any way around this?
0
 
Jason Watkins (IT Project Leader) Commented:
My tests this morning used a Windows Server R2 domain with a fresh user account.
0
 
Mahesh (Architect) Commented:
At least in the Windows GUI, I haven't found any tweak to preserve permissions after a forceful ownership change.

But you can try the SubInACL tool from Microsoft, which is a very powerful tool; it probably should do the job for you.

subinacl /subdirectories "c:\folder\*" /setowner=yourdomain\youraccount
subinacl /subdirectories "c:\folder\*" /grant=yourdomain\youraccount=F

The 1st command should replace the owner of all files and folders under C:\folder\ but not the root folder.
Then you should take normal ownership of the folder itself without the replace option through the Windows GUI.

The 2nd command then grants full control permissions to the account you specified.

http://www.microsoft.com/en-us/download/details.aspx?id=23510


Hope that helps

Mahesh
0
 
Pramod Ubhe Commented:
chadfran,

Can you try this: change the ownership of that folder + subfolders and then go to Security tab > Advanced > select both the check marks for Allow inheritance and Replace permissions > click OK.

You can also try testing it on a test dir first which worked fine in my case.
0
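
Added example (not part of the thread and not any participant's code): the thread turns on whether an ownership change altered the folders' permissions or whether inheritance was already broken, so this PowerShell script records each folder's owner, inheritance flag and DACL before the change and lists what differs afterwards. `C:\folder` and the snapshot file are placeholders; it assumes PowerShell 3.0 or later and an account that can read the security descriptors, and it marks folders it cannot read as UNREADABLE.

```powershell
# Added example: snapshot folder ACLs before an ownership change, compare after.
# 'C:\folder' and the snapshot file are placeholders. Requires PowerShell 3.0+.
param(
    [string]$Root = 'C:\folder',
    [string]$Snapshot = "$env:TEMP\acl-before.csv",
    [ValidateSet('Save', 'Compare')][string]$Mode = 'Save'
)

function Get-AclRecord {
    param([string]$Path)
    # Root folder plus every subfolder the current account can enumerate.
    $folders = @(Get-Item -LiteralPath $Path) +
        @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -Force -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
            [pscustomobject]@{
                Path      = $folder.FullName
                Owner     = $acl.Owner
                # True means inheritance from the parent is disabled on this folder.
                Protected = [string]$acl.AreAccessRulesProtected
                Dacl      = $acl.GetSecurityDescriptorSddlForm('Access')
            }
        } catch {
            # No right to read the security descriptor: flag it, do not skip it.
            [pscustomobject]@{ Path = $folder.FullName; Owner = 'UNREADABLE'; Protected = ''; Dacl = '' }
        }
    }
}

if ($Mode -eq 'Save') {
    Get-AclRecord $Root | Export-Csv -Path $Snapshot -NoTypeInformation
    Write-Host "Saved ACL snapshot of $Root to $Snapshot"
} else {
    $before = @{}
    Import-Csv -Path $Snapshot | ForEach-Object { $before[$_.Path] = $_ }
    foreach ($now in Get-AclRecord $Root) {
        $old = $before[$now.Path]
        # Report only folders whose DACL or inheritance flag changed; owner alone may differ.
        if ($old -and ($old.Dacl -ne $now.Dacl -or $old.Protected -ne $now.Protected)) {
            [pscustomobject]@{
                Path        = $now.Path
                OwnerBefore = $old.Owner;     OwnerNow = $now.Owner
                InheritOff  = "$($old.Protected) -> $($now.Protected)"
                DaclBefore  = $old.Dacl;      DaclNow  = $now.Dacl
            }
        }
    }
}
```

Run it with `-Mode Save` before changing the owner and with `-Mode Compare` afterwards; a folder whose `Protected` value was already `True` in the snapshot had inheritance disabled before the change.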
