jostafew (Canada) asked:
Users create folders in network shares, admin can't change permissions without taking ownership

Hey everyone, I've got a weird issue that I'm running into. I have a Server 2012 Std box that is acting as a DC and a file server. On there is a DFS share which users connect to. I can assign permissions to the parent share folder and sub folders just fine, until the users create their own folders which they naturally "own". All is fine until I want to change permissions on one of those folders, at which point access is denied from the server side until I manually take ownership of that folder as the administrator, after which it will inherit permissions as expected. Strange thing is that this behaviour only seems to occur in this newly created share; all other network shares (DFS or not) behave as expected. Obviously I'm missing something stupid but it seems that I need someone else to point it out to me. Thanks in advance.
NVIT (United States):

On that folder, make sure they only have the default Modify rights, which does not set the "Change permissions" permission.

To test:
1. Add a user to that folder with Modify rights.
2. If that user is currently logged on, log him off.
3. Log on that user.
4. Confirm the issue.
jostafew (ASKER):
Thanks for the reply. The only users/groups that have anything more than write and modify permissions on that share are:

CREATOR OWNER - special permissions
SYSTEM - Full control
My admin account - special permissions (I created the share)
Administrators - Full control

Yet if I use an account that is a member of a group with write & modify permissions (no special, definitely not full control) to create a folder in that share, the admin account I'm using has no access whatsoever until I take control.

I typically don't use the default "administrator" account, and instead use another account that is a member of what I thought was the same list of groups. Just for fun I tried the same action with the administrator account and all worked as expected. The account I use is a member of all the same groups as administrator and is also a member of the Users group. I thought that additional membership might somehow have been mucking things up, so I removed that membership and tried again, but same result. Then using the administrator account I compared the effective access of the administrator account to the account I normally use and they both reported the same: full access. Despite this report, in practice the account has no access...

Update: if I add my specific user account at the top level share with full control privileges (same as my group membership should provide) I can access all files and folders. I'm starting to think this is something to do with Server 2012 UAC, along the lines of this: http://superuser.com/questions/139841/access-denied-even-though-im-an-administrator
Try running AccessEnum against each share: the suspect one and a normal one. Compare the results.
ASKER CERTIFIED SOLUTION (jostafew)
Thanks for the update 😊 jostafew. Glad you figured it out.

I've run AccessEnum on the trouble share and another that behaves as expected, using both the administrator account and my usual admin account:

Using administrator, both report the expected permissions. On the trouble share, all subfolders list Administrators as having Read & Write access as expected.

Using the normal admin account, access is denied unless I run AccessEnum as administrator. Run as administrator, it reports the same results as using the administrator account.

Aside from the fact that one share works and the other doesn't, everything points to UAC getting in the way.
Creating shares in Server 2012 can sometimes get messy.

I have noticed problems particularly when you want to limit a specific folder to certain users.

Most likely you have to remove or disable inheritance and start with what you want, or copy from inherited rights. Well, for you to have access to it you will have to implicitly add yourself to that folder and set all child folders to inherit rights from the parent folder; otherwise the newly created folders will not allow you access. Also, remember if you deny access to a group you are a member of, the deny will take priority over the granted access, so wherever a group you are a member of gets a deny... you'll get it too.
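As an added example (not posted by anyone in this thread), the PowerShell below audits the conditions the discussion turns on: whether the current session holds an elevated UAC token, and for each subfolder of the share, its owner, whether inheritance is disabled, which explicit (non-inherited) ACEs exist for Administrators, and any Deny ACEs. `$SharePath` is an assumed placeholder; folders that return access denied are reported rather than silently skipped, since that is the symptom being investigated.

```powershell
# Added example, not from the original thread. Run it twice from the non-built-in
# admin account: once in a normal console and once in an elevated ("Run as
# administrator") console, and compare the first line of output.
param(
    [string]$SharePath = 'D:\Shares\TroubleShare'   # assumed placeholder path
)

# UAC split token: the Administrators group is only enabled in the token when
# the process is elevated, so IsInRole(Administrator) is false in a plain console.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host ("Running as {0}; elevated token: {1}" -f $identity.Name, $elevated)

Get-ChildItem -LiteralPath $SharePath -Directory -Recurse -ErrorAction SilentlyContinue |
ForEach-Object {
    $folder = $_.FullName
    try {
        $acl = Get-Acl -LiteralPath $folder -ErrorAction Stop

        # Explicit ACEs for Administrators (inherited ones are what CREATOR OWNER
        # folders normally pick up from the parent; their absence is the clue).
        $adminAces = @($acl.Access | Where-Object {
            $_.IdentityReference -like '*\Administrators' -and -not $_.IsInherited
        })
        # Deny ACEs win over Allow for any group the caller is a member of.
        $denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
            ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" })

        [pscustomobject]@{
            Folder              = $folder
            Owner               = $acl.Owner
            InheritanceDisabled = $acl.AreAccessRulesProtected
            ExplicitAdminACEs   = $adminAces.Count
            DenyACEs            = ($denies -join '; ')
        }
    } catch [System.UnauthorizedAccessException] {
        # Exactly the "access denied until I take ownership" case from the thread.
        [pscustomobject]@{
            Folder              = $folder
            Owner               = 'ACCESS DENIED'
            InheritanceDisabled = $null
            ExplicitAdminACEs   = $null
            DenyACEs            = ''
        }
    }
} | Format-Table -AutoSize
```

Rows that show `ACCESS DENIED` in the non-elevated run but a normal owner in the elevated run point at UAC rather than at the share's ACLs; rows with `InheritanceDisabled` true or a non-empty `DenyACEs` column point at the inheritance and deny issues described in the last comment.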
Doesn't really fix the behavior, but at least I have a reason for it.