Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Windows Permissions New Folders and Files inherritence propogation

Posted on 2015-01-15
8
Medium Priority
?
131 Views
Last Modified: 2015-01-16
Hi,

I have a new Win2008R2 Standard 64X file server, this is on an AD domain.

I have an issue where a user is creating a new folder and a new file within this folder, it would seem the folder first and then the file after are not picking up the correct permissions.

A lot of these folders have custom NTFS permissions that differ from the top folder through to these levels.

For example I have.

-> = new folder

Top level folder Share - Everyone Access -> Team Folder(inherit unchecked, team security group added full control with propogation) -> Usersfolder(inherit ticked) -> User is creating new folder here - User is creating new file here.

The problem looks like when the user is creating the new folder the folder is set to inherit by default but it inherits to "This folder only" It does not inherit to "All Subfolders and Files", which is weird because the folder that the new folder is inheriting its permissions from has the permission to apply to "All Subfolders and Files". When the user creates the new file the NTFS permissions again do not inherit the user is permissioned on the NTFS ACL and the the Administrators group of the file server.

This is a bit of a problem for me, Any ideas?

I need people to be able to create new files with the files inheriting what is actually above , not inheriting permissions to this folder only.
0
Comment
Question by:wannabecraig
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
8 Comments
 
LVL 24

Expert Comment

by:VB ITS
ID: 40551155
Interesting problem. Is CREATOR OWNER listed in the NTFS permissions with the inheritance set to Subfolders only?

Can you post a screenshot of the Advanced Security Settings of the Users folder?

Right click on the Users folder > PropertiesSecurity tab > Advanced button > screenshot the Permissions tab in this window.
0
 
LVL 1

Author Comment

by:wannabecraig
ID: 40551265
Sorry but im not posting a screenshot because I will have to edit out some sensitive info.

Also because I believe your barking up the wrong tree with this. There are two things in the advanced security permissions. Domain admins sec group and a staff sec group nothing else.

I may have found the problem, I now have the user being able to create files and folders with the permissions automatically inherited.

-------

Top level folder Share - Everyone Access -> Team Folder(inherit unchecked, team security group added full control with propogation) -> Usersfolder(inherit not ticked) -> User is creating new folder here - User is creating new file here.

------

I went to the usersfolder level above, properites advanced, removed the inheritable permissions and blanked all the permissions. I readded the two security groups mentioned above, this time I DID NOT TICK the following box whilst adding the security groups in advanced permissions "Apply these changes to objects and/or containers in this folder only" I also ticked the replace permissions on child objects box and I kept inheritable permissions from above unticked too. I applied and pushed the permissions down.

Then I got the new user to create test folders and files and they seem to be working now and inheriting the correct permissions from the folder above.
0
 
LVL 1

Author Comment

by:wannabecraig
ID: 40551292
"Apply these changes to objects and/or containers in this folder only"

Confirmed this check box being unticked at the top level for this set of permissions and applied through to all child objects resolved this one. What I did in full was.
1. Went to the top level I wanted these permissions to apply from within the share. Did a takeown.exe /f /a /r on this folder. Then went to properties advanced permissions, (I) unticked inheritable (ii) removed anything else in the access list (iii) added the security groups I wanted to have permission and assigned full control on the permissions box but made sure that "Apply these changes to objects and/or containers in this folder only" checkbox was unticked. (iv) ticked replace permissions on child objects and applied. These steps very very quickly and easily reset all files and subfolders in a matter of seconds.

"Apply these changes to objects and/or containers in this folder only" Can anyone clarify what this box is supposed to do.
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 1

Author Comment

by:wannabecraig
ID: 40551295
I believe this box sets the inherited permission to this folder only which basically locks everything out.
0
 
LVL 24

Accepted Solution

by:
VB ITS earned 1500 total points
ID: 40551309
Sorry, but why do you think I was barking up the wrong tree? A screenshot of the Advanced Permissions on the problem root folder would have said a lot.

Either way, glad you were able to solve your own question. It's always good when you figure out the issue yourself!

As for what the Apply these changes to objects and/or containers in this folder only setting actually does, have a look at this article: http://technet.microsoft.com/en-au/library/cc776140%28v=ws.10%29.aspx

The table in the article should be able to answer your question.
0
 
LVL 1

Author Comment

by:wannabecraig
ID: 40553023
because the creator owner permissions you were looking for were not there, that's why.

cheers for the link.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40553059
Gotcha. I just wanted to rule it out is all. Thanks for the points :)
0
 
LVL 1

Author Comment

by:wannabecraig
ID: 40553120
Just fyi the checkbox we are referring to above will result in locking lower level folders and files with a padlock icon windows server 2008 r2.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever notice how you can't use a new drive in Windows without having Windows assigning a Disk Signature?  Ever have a signature collision problem (especially with Virtual Machines?)  This article is intended to help you understand what's going on and…
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question