jostafew
asked on
Users create folders in network shares, admin can't change permissions without taking ownership
Hey everyone, I've got a weird issue that I'm running into. I have a server 2012 std box that is acting as a DC and a file server. On there is a DFS share which users connect to. I can assign permissions to the parent share folder and sub folders just fine, until the users create their own folders which they naturally "own". All is fine until I want to change permissions on one of those folders when access is denied from the server side until I manually take ownership of that folder as the administrator, after which it will inherit permissions as expected. Strange thing is that this behaviour only seems to occur in this newly created share; all other network shares (DFS or not) behave as expected. Obviously I'm missing something stupid but it seems that I need someone else to point it out to me. Thanks in advance
ASKER
Thanks for the reply. The only users/groups that have anything more than write and modify permissions on that share are:
CREATOR OWNER - special permissions
SYSTEM - Full control
My admin account - special permissions (I created the share)
Administrators - Full control
Yet if I use an account that is a member of a group with write & modify permissions (no special, definitely not full control) to create a folder in that share the admin account I'm using has no access whatsoever until I take control.
I typically don't use the default "administrator" account, and instead use another account that is a member of what I thought was the same list of groups. Just for fun I tried the same action with the administrator account and all worked as expected. The account I use is a member of all the same groups as administrator and is also a member of the users group. I thought that additional membership might somehow have been mucking things up so I removed that membership and tried again, but same result. Then using the administrator account I compared the effective access of the administrator account to the account I normally use and they both reported the same; full access. Despite this report, in practice the account has no access...
ASKER
Update; if I add my specific user account at the top level share with full control privileges (same as my group membership should provide) I can access all files and folders.... I'm starting to think this is something to do with Server 2012 UAC, along the lines of this: http://superuser.com/questions/139841/access-denied-even-though-im-an-administrator
Try running AccessEnum against each share - the suspect one and a normal one. Compare the results.
Thanks for the update 😊 jostafew. Glad you figured it out
ASKER
I've run AccessEnum on the trouble share and another that behaves as expected using both the administrator account and my usual admin account;
Using administrator, both report the expected permissions. On the trouble share, all subfolders list Administrators as having Read & Write access as expected.
Using the normal admin account, access is denied unless I run AccessEnum as administrator. Run as administrator it reports the same results as using the administrator account.
Aside from the fact that one share works and the other doesn't, everything points to UAC getting in the way.
Creating shares in Server 2012 sometimes can get messy.
I have noticed particular problems when you want to limit a specific folder to certain users.
Most likely you have to remove or disable inheritance and start with what you want or copy from inherited rights. Well, for you to have access to it you will have to implicitly add yourself to that folder and set all child folders to inherit rights from the parent folder; otherwise the newly created folders will not allow you access. Also, remember that if you deny access to a group you are a member of, the deny will take priority over the granted access, so wherever a group you are a member of gets a deny... you'll get it too.
ASKER
Doesn't really fix the behavior, but at least I have a reason for it.
To test:
1. Add a user to that folder with Modify rights.
2. If that user is currently logged on, log him off.
3. Log on that user.
4. Confirm issue
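
The UAC explanation reached in this thread (Administrators has Full control on the folder, yet a member of Administrators is denied until the tool is run as administrator) can be checked from the session itself by comparing the SIDs that are enabled in the current token with the folder's Allow ACEs. The PowerShell below is an added example, not code from any post above; the function name `Test-TokenAgainstAcl` and the path are placeholders, and it assumes English `whoami` output.

```powershell
# Added example: compare the current token's enabled SIDs with a folder's Allow ACEs.
function Test-TokenAgainstAcl {
    param([Parameter(Mandatory)][string]$Path)   # folder to check (placeholder)

    $adminSid = 'S-1-5-32-544'                   # well-known SID of BUILTIN\Administrators
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists every group in the token with its attributes. In a UAC-filtered
    # token, Administrators is still present but marked "Group used for deny only".
    $adminRow = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -eq $adminSid }

    # WindowsIdentity.Groups returns only the groups enabled for access checks,
    # so a deny-only Administrators entry is absent from this list.
    $enabled = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    $result = [ordered]@{
        Account = $id.Name; Elevated = $elevated
        AdministratorsInToken = $adminRow.Attributes
        Owner = $null; UsableAllowAces = @(); Note = ''
    }
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Reading the ACL itself was refused, which is the symptom in the thread.
        $result.Note = "Cannot read ACL: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # Allow ACEs (identities as SIDs) that apply to this folder itself and
    # match a SID that is enabled in the current token.
    $sidType = [Security.Principal.SecurityIdentifier]
    $usable = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        -not ($_.PropagationFlags -band 'InheritOnly') -and
        $enabled -contains $_.IdentityReference.Value })

    $result.Owner = $acl.Owner
    $result.UsableAllowAces = $usable |
        ForEach-Object { "$($_.IdentityReference.Value): $($_.FileSystemRights)" }
    $result.Note = if ($usable) { 'At least one Allow ACE applies to this token' }
    else { 'No Allow ACE matches an enabled SID in this token' }
    [pscustomobject]$result
}

Test-TokenAgainstAcl -Path 'D:\Shares\Example'   # placeholder path
```

Run it once from a normal session and once from a session started with "Run as administrator", then compare `Elevated`, `AdministratorsInToken` and `UsableAllowAces` between the two results.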