Users create folders in network shares, admin can't change permissions without taking ownership

Hey everyone, I've got a weird issue that I'm running into. I have a Server 2012 Std box that is acting as a DC and a file server. On there is a DFS share which users connect to. I can assign permissions to the parent share folder and subfolders just fine, until the users create their own folders which they naturally "own". All is fine until I want to change permissions on one of those folders, when access is denied from the server side until I manually take ownership of that folder as the administrator, after which it will inherit permissions as expected. Strange thing is that this behaviour only seems to occur in this newly created share; all other network shares (DFS or not) behave as expected. Obviously I'm missing something stupid but it seems that I need someone else to point it out to me. Thanks in advance.
jostafew (Systems Administrator) asked:
 
jostafew (Systems Administrator, Author) commented:
Looks like this is a function of UAC in Server 2012; all domain admin accounts (except administrator) behave as standard users in Windows Explorer and receive UAC prompts to continue doing whatever you're doing. Unfortunately simply moving the UAC slider to off doesn't completely disable it, as some UAC functions are required for the "apps" in the metro UI (still called that?). You can go into the registry and kill it completely, but you can also simply create a new security group, add your admin accounts to that, and give that group full control privileges on the share, and then everything works as expected without disabling UAC. Of course you'll need to do this using the administrator account in order for the changes to be properly inherited through all files and folders, including ones the users create. This is what I've done for the moment.

More reading here including some helpful links if anyone's interested: https://social.technet.microsoft.com/Forums/windowsserver/en-US/fedbb110-556d-4d2f-83bb-fb679c125cc3/windows-server-2012-uac-folder-problem?forum=winserverfiles
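The workaround described in the comment above, as an added example that is not part of the original thread: it checks whether the session holds the UAC-filtered token, then creates the group and grants it inheritable full control on the share root. The group name, share path and account names are hypothetical placeholders, and the ActiveDirectory module is assumed to be installed.

```powershell
#Requires -Modules ActiveDirectory
# Added example. All three values below are hypothetical placeholders.
$Group     = 'FileShare-Admins'          # new security group
$SharePath = 'D:\Shares\Projects'        # root folder of the affected share
$Admins    = 'jdoe-adm', 'asmith-adm'    # day-to-day admin accounts

# 1. Check the token. Under UAC a non-elevated admin session carries a
#    filtered token in which BUILTIN\Administrators (S-1-5-32-544) is marked
#    "Group used for deny only", so an Administrators allow ACE grants nothing.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
$elevated  = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
"Elevated token: $elevated"
whoami /groups | Select-String 'S-1-5-32-544'

if (-not $elevated) {
    throw 'Run this from an elevated session so the ACL change can propagate.'
}

# 2. Create the group (if missing) and add the admin accounts to it.
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $Group -Members $Admins

# 3. Grant the group Full control on the share root.
#    (OI) = inherited by files, (CI) = inherited by subfolders, so folders
#    that users create later pick up the ACE through inheritance.
$domain = (Get-ADDomain).NetBIOSName
icacls $SharePath /grant "${domain}\${Group}:(OI)(CI)F"

# 4. Verify: list the root ACL, then the owner and the group's inherited
#    ACE on each first-level subfolder.
icacls $SharePath
Get-ChildItem $SharePath -Directory | ForEach-Object {
    $acl = Get-Acl $_.FullName
    [pscustomobject]@{
        Folder   = $_.Name
        Owner    = $acl.Owner
        GroupAce = [bool]($acl.Access |
            Where-Object { $_.IdentityReference -like "*\$Group" })
    }
}
```

The added accounts must log off and on again before the new group appears in their access token.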
 
NVIT commented:
On that folder, make sure they only have the default Modify rights, which does not set the "Change permissions" permission.

To test:
1. Add a user to that folder with Modify rights.
2. If that user is currently logged on, log him off.
3. Log on that user.
4. Confirm issue
 
jostafew (Systems Administrator, Author) commented:
Thanks for the reply. The only users/groups that have anything more than write and modify permissions on that share are:

CREATOR OWNER - special permissions
SYSTEM - Full control
My admin account - special permissions (I created the share)
Administrators - Full control

Yet if I use an account that is a member of a group with write & modify permissions (no special, definitely not full control) to create a folder in that share the admin account I'm using has no access whatsoever until I take control.

I typically don't use the default "administrator" account, and instead use another account that is a member of what I thought was the same list of groups. Just for fun I tried the same action with the administrator account and all worked as expected. The account I use is a member of all the same groups as administrator and is also a member of the users group. I thought that additional membership might somehow have been mucking things up so I removed that membership and tried again, but same result. Then using the administrator account I compared the effective access of the administrator account to the account I normally use and they both reported the same; full access. Despite this report, in practice the account has no access...
 
jostafew (Systems Administrator, Author) commented:
Update; if I add my specific user account at the top level share with full control privileges (same as my group membership should provide) I can access all files and folders.... I'm starting to think this is something to do with Server 2012 UAC, along the lines of this: http://superuser.com/questions/139841/access-denied-even-though-im-an-administrator
 
NVIT commented:
Try running AccessEnum against each share - the suspect one and a normal one. Compare the results.
 
NVIT commented:
Thanks for the update 😊 jostafew. Glad you figured it out
 
jostafew (Systems Administrator, Author) commented:
I've run AccessEnum on the trouble share and another that behaves as expected using both the administrator account and my usual admin account;

Using administrator, both report the expected permissions. On the trouble share, all subfolders list Administrators as having Read & Write access as expected.

Using the normal admin account, access is denied unless I run AccessEnum as administrator. Run as administrator, it reports the same results as using the administrator account.

Aside from the fact that one share works and the other doesn't, everything points to UAC getting in the way.
 
hecgomrec commented:
Creating shares in Server 2012 sometimes can get messy.

I have noticed problems particularly when you want to limit a specific folder to certain users.

Most likely you have to remove or disable inheritance and start with what you want or copy from inherited rights. Well, for you to have access to it you will have to implicitly add yourself to that folder and set all child folders to inherit rights from the parent folder, otherwise the newly created folders will not allow you access. Also, remember if you deny access to a group you are a member of, the deny will take priority over the granted access, so wherever a group you are a member of gets a deny, you'll get it too.
 
jostafew (Systems Administrator, Author) commented:
Doesn't really fix the behavior, but at least I have a reason for it.