Link to home
Start Free TrialLog in

asked on

Access Denied w/ Full Control

We have a user in a Server 2008 domain environment who remotes into the server for desktop & folder access. The user is receiving an Access Denied error when attempting to access any folders for their location/OU, even though they are set with full control. Their folder permissions match the other managers who have no issues.

Any suggestions as to what might cause this?
Avatar of Coralon
Flag of United States of America image

A lot depends on where those folders are..  The system has some built in restrictions that prevent access to certain files, even if you have full control (typically under the Windows directory itself, and portions of the Program Files & Program Files (x86) directories.

Another possibility is UAC.. again, certain areas will block you if UAC is enabled, and you are trying to create/modify/delete files that are in specific areas.  (same as above).  

A 3rd possibility is if the files/folders are remote to their login (not on the machine they are one, is if Access based enumeration is enabled, then it's possible for the NTFS permissions to be correct for the user, but they can't see it because they are not *on* that machine where the file is.  

The last possibility I can think of (right off the top of my head) is if there was a deny on those items, which could cause this (pretty unlikely though).

An important question though - are you assigning individual user permissions to these directories/files? and are they unique to those users?  If you have more than 1 person who will ever access them, there should be a group to assign those permissions.

I'd also look at the ownership of the directories & files to see how they sit.

I think we need more info.
What folders are they trying to get into - local or remote?
What does
cacls x:\the folder location\
return for that user?
Have you checked the effective permissions for that user on the folder (right-click, properties, security, advanced)


This is a group environment where there are separate OUs and security groups based up on their physical locations. Their home folders are designated as the main shared folder for their location. All users have remote logins to the terminal server at the main office where they can access their desktops and shared folders for their locations.

His permissions are the same as every other user as Full Control and not inherited. There are no Deny settings on any parent folders.

No other users are having this issue and his settings match everyone else's.

As far as the cacls command, I will run that and post the results.
Might help to enable security auditing for that user as well.  It will be a lot to funnel through, but it might give some indication of what's causing the issue.
Anything from the cacls command?

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
No longer an issue.