Users create folders in network shares, admin can't change permissions without taking ownership

Hey everyone, I've got a weird issue that I'm running into. I have a Server 2012 Std box that is acting as a DC and a file server. On there is a DFS share which users connect to. I can assign permissions to the parent share folder and subfolders just fine, until the users create their own folders, which they naturally "own". All is fine until I want to change permissions on one of those folders, when access is denied from the server side until I manually take ownership of that folder as the administrator, after which it will inherit permissions as expected. The strange thing is that this behaviour only seems to occur in this newly created share; all other network shares (DFS or not) behave as expected. Obviously I'm missing something stupid, but it seems that I need someone else to point it out to me. Thanks in advance.
jostafew (Systems Administrator) asked:

NVIT (End-user support) commented:
On that folder, make sure they only have the default Modify rights, which does not set the "Change permissions" permission.

To test:
1. Add a user to that folder with Modify rights.
2. If that user is currently logged on, log him off.
3. Log on that user.
4. Confirm issue
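The check above is about the two rights that the stock Modify permission leaves out, Change Permissions (WRITE_DAC) and Take Ownership (WRITE_OWNER). The following added example (not code from the original thread) lists, for one folder, which trustees actually hold either right, so the share root can be compared with a folder a user created. The folder paths are assumptions; point it at the suspect share.

```powershell
# Added example, not code from the original thread. For each ACE on a folder,
# report whether the trustee holds Change Permissions or Take Ownership, the
# two rights that Modify does not include. Paths below are assumptions.
function Get-PermissionControllers {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $acl = Get-Acl -Path $Path

    foreach ($ace in $acl.Access) {
        $rights = $ace.FileSystemRights
        $raw    = [int]$rights

        # Inherit-only ACEs (CREATOR OWNER is the usual one) often carry the
        # generic GENERIC_ALL bit (0x10000000) rather than FullControl; the
        # FileSystemRights enum has no name for it, so test the bit directly.
        $genericAll = ($raw -band 0x10000000) -ne 0

        [pscustomobject]@{
            Folder            = $Path
            Owner             = $acl.Owner
            Identity          = $ace.IdentityReference.Value
            Type              = $ace.AccessControlType
            Inherited         = $ace.IsInherited
            AppliesToChildren = $ace.InheritanceFlags
            Rights            = $rights
            ChangePermissions = $genericAll -or $rights.HasFlag([System.Security.AccessControl.FileSystemRights]::ChangePermissions)
            TakeOwnership     = $genericAll -or $rights.HasFlag([System.Security.AccessControl.FileSystemRights]::TakeOwnership)
        }
    }
}

# Usage (assumed paths): compare the share root with a folder a user created.
Get-PermissionControllers -Path 'D:\Shares\Projects'            | Format-Table -AutoSize
Get-PermissionControllers -Path 'D:\Shares\Projects\UserFolder' | Format-Table -AutoSize
```

A user with only Modify should show `False` in both of the last two columns on their own folder; CREATOR OWNER normally shows `True` for both on the root (as an inherit-only ACE) and is resolved to the actual creator on the subfolder. If the run itself fails with access denied on the subfolder, the calling account's token, not the ACL, is the thing to look at next.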
jostafew (Systems Administrator, author) commented:
Thanks for the reply. The only users/groups that have anything more than write and modify permissions on that share are:

CREATOR OWNER - special permissions
SYSTEM - Full control
My admin account - special permissions (I created the share)
Administrators - Full control

Yet if I use an account that is a member of a group with write & modify permissions (no special, definitely not full control) to create a folder in that share, the admin account I'm using has no access whatsoever until I take control.

I typically don't use the default "administrator" account, and instead use another account that is a member of what I thought was the same list of groups. Just for fun I tried the same action with the administrator account and all worked as expected. The account I use is a member of all the same groups as administrator and is also a member of the Users group. I thought that additional membership might somehow have been mucking things up, so I removed that membership and tried again, but same result. Then, using the administrator account, I compared the effective access of the administrator account to the account I normally use and they both reported the same: full access. Despite this report, in practice the account has no access...
jostafew (Systems Administrator, author) commented:
Update: if I add my specific user account at the top-level share with full control privileges (the same as my group membership should provide) I can access all files and folders... I'm starting to think this is something to do with Server 2012 UAC, along the lines of this:
NVIT (End-user support) commented:
Try running AccessEnum against each share, the suspect one and a normal one. Compare the results.
jostafew (Systems Administrator, author) commented:
Looks like this is a function of UAC in Server 2012: all domain admin accounts (except administrator) behave as standard users in Windows Explorer and receive UAC prompts to continue doing whatever you're doing. Unfortunately, simply moving the UAC slider to off doesn't completely disable it, as some UAC functions are required for the "apps" in the Metro UI (still called that?). You can go into the registry and kill it completely, but you can also simply create a new security group, add your admin accounts to that, and give that group full control privileges on the share, and then everything works as expected without disabling UAC. Of course, you'll need to do this using the administrator account in order for the changes to be properly inherited through all files and folders, including ones the users create. This is what I've done for the moment.

More reading here including some helpful links if anyone's interested:

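The workaround in the comment above works because a UAC-filtered token marks the well-known admin SIDs (Administrators, Domain Admins and the other built-in privileged groups) deny-only, but leaves an ordinary custom group enabled, so a grant to that group applies even in an unelevated Explorer. The following added example (not code from the original thread) implements the procedure: it refuses to run from a filtered token, creates the group, adds the admin accounts, grants it Full Control on the share root with inheritance, and verifies that a user-created subfolder picked up the inherited ACE. The group name, OU, member account and share path are assumptions for illustration.

```powershell
# Added example, not code from the original thread. Implements the workaround
# described above: a dedicated group for admin accounts, granted Full Control on
# the share root with inheritance so user-created subfolders pick it up.
# Group name, OU, member, and share path are assumptions.

# UAC filters the token of every domain admin except the built-in Administrator:
# the Administrators SID is present but marked deny-only, so IsInRole returns
# $false in an unelevated session even though 'whoami /groups' lists the group.
function Test-ElevatedToken {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-ElevatedToken)) {
    throw 'Run this elevated (or as the built-in Administrator); a filtered token cannot propagate the new ACE into folders it does not own.'
}

Import-Module ActiveDirectory

$groupName = 'FS-ShareAdmins'                  # assumed group name
$groupOU   = 'OU=Groups,DC=example,DC=com'     # assumed OU
$members   = @('jdoe.admin')                   # assumed admin account(s)
$sharePath = 'D:\DFSRoots\Projects'            # assumed share root

if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Global `
                -GroupCategory Security -Path $groupOU
}
Add-ADGroupMember -Identity $groupName -Members $members

# Full Control, inherited by subfolders (ContainerInherit) and files (ObjectInherit).
$trustee = "$env:USERDOMAIN\$groupName"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $trustee,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $sharePath
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Verify the ACE reached each user-created subfolder. The Owner stays the user;
# that is fine, the point is that the admin group no longer needs ownership.
Get-ChildItem -Path $sharePath -Directory | ForEach-Object {
    $childAcl = Get-Acl -Path $_.FullName
    $hit = $childAcl.Access | Where-Object {
        $_.IdentityReference.Value -eq $trustee -and $_.IsInherited
    }
    [pscustomobject]@{ Folder = $_.Name; Owner = $childAcl.Owner; GroupInherited = [bool]$hit }
}
```

Two caveats a practitioner should expect: the admin accounts only get the new group SID in their token after they log off and on again, and any subfolder that had inheritance disabled will show `GroupInherited = False` and needs the ACE added explicitly (from the elevated session, since that is exactly the case where the filtered token is denied).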
NVIT (End-user support) commented:
Thanks for the update 😊 jostafew. Glad you figured it out.
jostafew (Systems Administrator, author) commented:
I've run AccessEnum on the trouble share and another that behaves as expected, using both the administrator account and my usual admin account:

Using administrator, both report the expected permissions. On the trouble share, all subfolders list Administrators as having Read & Write access as expected.

Using the normal admin account, access is denied unless I run AccessEnum as administrator. Run as administrator, it reports the same results as using the administrator account.

Aside from the fact that one share works and the other doesn't, everything points to UAC getting in the way.
Creating shares in Server 2012 sometimes can get messy.

I have noticed problems particularly when you want to limit a specific folder to certain users.

Most likely you have to remove or disable inheritance and start with what you want, or copy from the inherited rights. For you to have access to it, you will have to explicitly add yourself to that folder and set all child folders to inherit rights from the parent folder; otherwise the newly created folders will not allow you access. Also, remember that if you deny access to a group you are a member of, the deny takes priority over the granted access, so wherever a group you are a member of gets a deny, you get it too.
jostafew (Systems Administrator, author) commented:
Doesn't really fix the behavior, but at least I have a reason for it.