asked on

Access Denied w/ Full Control

We have a user in a Server 2008 domain environment who remotes into the server for desktop & folder access. The user is receiving an Access Denied error when attempting to access any folders for their location/OU, even though they are set with full control. Their folder permissions match the other managers who have no issues.

Any suggestions as to what might cause this?
Windows Server 2008Active Directory

Avatar of undefined
Last Comment

8/22/2022 - Mon

A lot depends on where those folders are..  The system has some built in restrictions that prevent access to certain files, even if you have full control (typically under the Windows directory itself, and portions of the Program Files & Program Files (x86) directories.

Another possibility is UAC.. again, certain areas will block you if UAC is enabled, and you are trying to create/modify/delete files that are in specific areas.  (same as above).  

A 3rd possibility is if the files/folders are remote to their login (not on the machine they are one, is if Access based enumeration is enabled, then it's possible for the NTFS permissions to be correct for the user, but they can't see it because they are not *on* that machine where the file is.  

The last possibility I can think of (right off the top of my head) is if there was a deny on those items, which could cause this (pretty unlikely though).

An important question though - are you assigning individual user permissions to these directories/files? and are they unique to those users?  If you have more than 1 person who will ever access them, there should be a group to assign those permissions.

I'd also look at the ownership of the directories & files to see how they sit.


I think we need more info.
What folders are they trying to get into - local or remote?
What does
cacls x:\the folder location\
return for that user?
Have you checked the effective permissions for that user on the folder (right-click, properties, security, advanced)

This is a group environment where there are separate OUs and security groups based up on their physical locations. Their home folders are designated as the main shared folder for their location. All users have remote logins to the terminal server at the main office where they can access their desktops and shared folders for their locations.

His permissions are the same as every other user as Full Control and not inherited. There are no Deny settings on any parent folders.

No other users are having this issue and his settings match everyone else's.

As far as the cacls command, I will run that and post the results.
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes

Might help to enable security auditing for that user as well.  It will be a lot to funnel through, but it might give some indication of what's causing the issue.

Anything from the cacls command?

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.

No longer an issue.
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.