I'm looking for help resolving permissions problems with user home directories in Server 2008 R2.

Hello Experts,

This issue really ought to be much simpler to resolve than it has been so far.  I've been trying things for long enough that nothing seems to make sense any longer, which is why I'm posting it here even though there are lots of articles on the web regarding user permissions on home folders.

Here's what I know:

I've inherited administration of a Windows Server 2008 R2 file server in a Windows domain (2008 schema).  This domain was migrated from an SBS 2003 domain at some point in the past (I can see traces of the SBS structure in AD, as well as the existing group policy objects).

Our users' home folders are created by the system automatically when I create new users in AD.  I had not been altering the permissions in any way.  In addition, we have an SBS group policy still in effect that redirects the user's 'My Documents' folder to their home folder on the server (for backups).


And here's the problem:

I was recently approached by a new user who stated that she wasn't able to delete some data that she had stored in her home folder.  As I looked into it, I found that while she had access to any files that she placed into her home directory, she didn't have access to the redirected 'My Documents' folders and files.  As I looked at the security settings for the folder, it looked like she should have had access:  she was listed as the folder owner (with full control, which is too much in my opinion, but it should have worked).  When I looked at effective permissions for her user account, Windows believed that she should have had access.

This felt like a group policy problem of some sort to me, so I moved her user account to an OU I use for testing (it has inheritance blocked).  After logging off and then back on, not only did she still not have access to her folders, but I couldn't view ownership or permissions data from the file server, even when logged on as the domain admin.

I was able to take ownership using 'takeown' and make the permissions look correct, but she still didn't have access.  As a part of the troubleshooting, I moved my AD user into the same 'no policys' OU, and am now seeing the same issues with the home folder.

I did some googling and found the following ICACLS script to reset user permissions:

REM Prompt for the user's login name; it is also the folder name under E:\Home Directories.
set /p userDir=Enter the login of the user's directory you're modifying permissions for. (i.e. jDoe)
REM Take ownership of the folder and everything beneath it (/r recurses, /d y answers the prompt).
TAKEOWN /f "E:\Home Directories\%userDir%" /r /d y
REM Replace the ACLs on the whole tree with the defaults inherited from the parent.
ICACLS "E:\Home Directories\%userDir%" /reset /T
REM Grant the user Full control, inherited by subfolders (CI) and files (OI); :r replaces any existing explicit grant.
ICACLS "E:\Home Directories\%userDir%" /grant:r "MYDOMAIN\%userDir%":(OI)(CI)F
REM Hand ownership of the tree back to the user.
ICACLS "E:\Home Directories\%userDir%" /setowner "MYDOMAIN\%userDir%" /T

I modified it to fit my domain and ran it against my user folder.  The script completed successfully, but I am still being denied access.

I'm at a loss at this point.  So far, only 2 of the 80+ users are being affected, so I'm hesitant to run any scripts or make any changes that would affect the entire parent folder structure.  However, it's obvious that I either have a permission issue that is being inherited down and causing problems, or a policy that is causing issues, or both.  I'm afraid that the problem will continue to escalate as time goes on.

Does anyone have some advice on how to approach the issue?

Scott
Scott Milner (Application Administrator) asked:
Chris commented:
If the permissions look correct and you're pretty sure you've exhausted your options in that regard, then it could be worth considering other software which could be causing the problem.

As a starting point for investigation, I have previously seen apparent permissions issues caused by:

AV on the server
AV on the client
UAC issues
File Server Resource Manager
Quota software
Security Software (user monitoring etc)

This is just a limited list of software with which I've personally experienced similar issues. If I were you I'd be building a list of any software that has the potential to interrupt file access.

Hopefully, this will help. It might turn out to be a red herring but I think it's worth investigation.
Lionel MM (Small Business IT Consultant) commented:
When that user is logged on, do a gpresult and see which GPOs are actually applied to that user. The next thing I would check is the directory one level up from these home folders and see what its permissions are--it could be that the directory these folders are contained in is the cause. Then make sure that inheritance is actually off by running this and just that--it will list the permissions assigned to this directory:
ICACLS "E:\Home Directories\%userDir%"
and
gpresult /user user'sname /v
You can also do this if you want us to review the results for you:
gpresult /user user'sname /v >C:\Logs\gpresult-user1.txt
yo_bee (Director of Information Technology) commented:
Are there any Deny rights being applied, and what is the Share permission set to?

Scott Milner (Application Administrator, author) commented:
@Chris...

Thanks for the advice.  I'll look into each of your suggestions.  I'm not certain if I'll find an AV issue (on the server, it only seems to be a couple of users affected at this point... I'd think we'd see the problem more widespread if it were a problematic AV client; on the client, it's only the P: drives (home folders) that are being affected).

I thought about UAC as well, and have disabled it on my workstation (it's still on for the other user) with no change.

We don't utilize quotas or have compliance software, so I'm out of the woods there.  I will look through FSRM and see if anything looks amiss and get back to you.

Thanks!

Scott
Hypercat (Deb) commented:
I'm wondering if it could be an inheritance issue. Did you check the permissions of the specific files in the folders that she couldn't delete? When you reset the permissions, did you then go in and force the change down through all files and folders?  It really almost sounds as though the ACL for those redirected files and folders is getting corrupted in some way.  If you remove the redirection from her account (making sure that you have your policy set to move the contents back to the local drive first), does she then have access to them on her local drive?
Scott Milner (Application Administrator, author) commented:
@lionelmm...

Thanks for the advice.

I ran ICACLS "D:\Users Shared Folders\scottm" from an elevated command prompt and it returned the following:

D:\Users Shared Folders\scottm JD\ScottM:(OI)(CI)(F)
                               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                               BUILTIN\Administrators:(I)(OI)(CI)(F)
                               JD\jullrich:(I)(OI)(CI)(F)
                               JD\Domain Admins:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files

I ran the gpresult as well.  The output was a little long, so I attached it as a text file.

Thanks for the help!

sm
RSOP.txt
Scott Milner (Application Administrator, author) commented:
@yo bee...

I used ICACLS with no switches to display the NTFS permissions for each level of the directories, starting with the drive itself.  The results are below:

D:\ Drive
D:\ CREATOR OWNER:(OI)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Administrators:(OI)(CI)(F)
    NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
    BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files

Top-level Share
P:\>icacls "D:\Users Shared Folders"
D:\Users Shared Folders NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                        BUILTIN\Administrators:(OI)(CI)(F)
                        BUILTIN\Users:(S,RD,REA,X,RA)
                        JD\jullrich:(OI)(CI)(F)
                        NT AUTHORITY\Authenticated Users:(RX)
                        JD\Domain Admins:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files


Individual User Home Folder
P:\>icacls "D:\Users Shared Folders\ScottM"
D:\Users Shared Folders\ScottM JD\ScottM:(OI)(CI)(F)
                               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                               BUILTIN\Administrators:(I)(OI)(CI)(F)
                               JD\jullrich:(I)(OI)(CI)(F)
                               JD\Domain Admins:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files


I don't see any explicit 'Deny' in there, but I'm new to ICACLS, so I might be missing something in the output.

Thanks!
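An added example (not from this thread) that parses plain-text icacls listings like the ones above offline and flags what a reviewer scans for: (DENY) entries, entries that are not inherited (no (I) flag), and rights masks other than the simple F/M/RX/R/W/D, which the GUI shows as 'Special'. The JD\contractor deny line in the sample is constructed; the rest is the top-level share listing from this post.

```python
import re

# One ACE as icacls prints it: "<principal>:(flag)(flag)...(rights)".
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")
SIMPLE_RIGHTS = {"N", "F", "M", "RX", "R", "W", "D"}   # anything else shows as "Special" in the GUI
ACE_FLAGS = {"I", "OI", "CI", "IO", "NP", "DENY"}      # inheritance/propagation and deny markers

def parse_ace(text):
    """Return {'who', 'rights', 'inherited', 'deny'} for a single ACE string."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError("not an icacls ACE: %r" % text)
    parts = re.findall(r"\(([^)]*)\)", m.group("flags"))
    rights = [p for p in parts if p not in ACE_FLAGS]
    return {"who": m.group("who"), "rights": rights[0] if rights else "",
            "inherited": "I" in parts, "deny": "DENY" in parts}

def parse_listing(output):
    """Return (path, [ace, ...]) from the text printed by `icacls <path>`."""
    lines = [l for l in output.splitlines() if l.strip() and not l.startswith("Successfully")]
    first, rest = lines[0], lines[1:]
    # Continuation lines are padded to the width of the path plus one space,
    # so their indent tells us where the path ends on the first line.
    if rest:
        width = len(rest[0]) - len(rest[0].lstrip())
    else:
        width = first.rfind(" ") + 1   # single ACE: assume the principal has no spaces
    path = first[:width].rstrip()
    return path, [parse_ace(first[width:])] + [parse_ace(l) for l in rest]

def audit(output):
    """Summarise a listing: deny ACEs, entries not inherited, and 'Special' rights."""
    path, aces = parse_listing(output)
    return {
        "path": path,
        "deny": [a["who"] for a in aces if a["deny"]],
        "not_inherited": [a["who"] for a in aces if not a["inherited"]],
        "special": [a["who"] for a in aces if a["rights"] not in SIMPLE_RIGHTS],
        "full_control": [a["who"] for a in aces if a["rights"] == "F" and not a["deny"]],
    }

# Top-level share listing from the thread; the JD\contractor (DENY) line is constructed
# so the deny check has something to find.
SHARE_LISTING = r"""D:\Users Shared Folders NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                        BUILTIN\Users:(S,RD,REA,X,RA)
                        JD\jullrich:(OI)(CI)(F)
                        NT AUTHORITY\Authenticated Users:(RX)
                        JD\contractor:(DENY)(OI)(CI)(W)
Successfully processed 1 files; Failed processing 0 files
"""
```

Paste the output of `icacls "<folder>"` into audit() for each level of the tree, starting at the drive, to see at a glance where an explicit entry or a deny appears.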
Scott Milner (Application Administrator, author) commented:
@hypercat...

That's a good call with the inheritance thoughts.  I'm a bit hazy as to exactly how the rights propagate down.

When I look at the advanced security settings for the affected user, I see a greyed out checkmark in the box to 'Include inheritable permissions from this object's parent'.  However, her permissions are listed as 'Special', and show to be <not inherited>.  I've included a screenshot...

I'm confused by this...  :)
Scott Milner (Application Administrator, author) commented:
@hypercat...

The permissions on my folder (also having problems) show to be the same as the user screenshot that I showed you, with the exception that I've given myself full control.  The entry still shows to be '<not inherited>', with a greyed out checkbox in 'Include inheritable permissions from this object's parent'.
Scott Milner (Application Administrator, author) commented:
@hypercat...

Sorry, I didn't respond to all your questions!  I'm going to go to her workstation now and move the documents from the home folder back to her my docs folder and see if she regains access.  I think she will (it works that way on my machine), but I'll double-check.

sm
Hypercat (Deb) commented:
All subfolders and files of the home folder for each user should be inheriting the top level permissions.  The fact that the user ID shows "Special" instead of "Full" indicates to me that there's something not working right with the permissions and inheritance.  BTW, the screen shot is missing.  Let's see what you find.
Scott Milner (Application Administrator, author) commented:
@hypercat
Sorry... I'll try to attach the screenshot again.
PermissionScreenCap.JPG
Hypercat (Deb) commented:
OK, so at that level, the "not inherited" would be correct, but the "special" should be "full."  Users must have ownership and full access to the folder where their Documents are redirected.  So, after you redirect her documents back to her local drive, I would go back and reset the folder permissions for her Home folder making sure that she has ownership and Full NTFS permissions, and force down inheritance.  Also make sure that her DOMAIN user account has Full NTFS permissions to her local documents folder, and make sure to force down inheritance to all subfolders and files here too.  Then try the redirection again and see what happens.
Scott Milner (Application Administrator, author) commented:
Are the top-level permissions those at the drive level, or those at the parent folder?  

I'm going to attach a doc with screenshots of the security settings for Authenticated Users and the Users (MYDOMAIN\Users) groups.  They have differences, which is confusing to me... aren't they essentially the same group?  It would seem to me that my account belongs in the MYDOMAIN\Users group, and once I log in, I become an Authenticated User, so both sets are being applied to me.

I don't know if this will be helpful, but I'm hopeful!

FolderSecurityScreenCaps.docx
Scott Milner (Application Administrator, author) commented:
@hypercat...

I'm going to try your last instructions and get back to you shortly.

Thanks!
Lionel MM (Small Business IT Consultant) commented:
The reason she has Special is because she is set to inherit from the upper-level directory AND she is a member of the Users group, and the Users group has special permissions, as seen in
BUILTIN\Users:(S,RD,REA,X,RA)
so you need to remove inheritance and/or remove her from the Users group for that folder -- you can do that through the GUI or by using icacls.
Lionel MM (Small Business IT Consultant) commented:
This is the scheme I follow (not hard and fast rules--just a basic framework):
1. any root permissions (like c:\ or d:\) I leave as is due to Windows operating requirements
2. in directories under the root I remove inheritance from the root and apply specific NTFS permissions
3. add permissions by groups rather than users so I can add and remove users to and from groups
4. decide which permissions I want to go all the way to any future files and folders and add permissions with or without inheritance as deemed necessary

Scott Milner (Application Administrator, author) commented:
Sorry for the delay in closing the question.  The problem ended up having to do with document redirection as well.  I was able to reset her permissions on the server using CACLS, but she was being denied access to her local copy of the redirected 'My Documents' folder.

I logged on as admin to her workstation and reset her local permissions to her profile folders, and she then had access.

I was afraid of some odd issue with our document redirection policy, so I killed it and recreated it from scratch.  It seems to be working, except for the fact that all users now have duplicate copies of their My Documents folders.  I'm researching that, and writing/testing a PowerShell script to do a compare and delete the older copies of the documents.

Thanks to all who responded!