Scott Milner asked:
I'm looking for help resolving permissions problems with user home directories in Server 2008 R2.

Hello Experts,

This issue really ought to be much simpler to resolve than it has been so far.  I've been trying things for long enough that nothing seems to make sense any longer, which is why I'm posting it here even though there are lots of articles on the web regarding user permissions on home folders.

Here's what I know:

I've inherited administration of a Windows Server 2008 R2 file server in a Windows domain (2008 schema).  This domain was migrated from an SBS 2003 domain at some point in the past (I can see traces of the SBS structure in AD, as well as the existing group policy objects).

Our users' home folders are created by the system automatically when I create new users in AD.  I had not been altering the permissions in any way.  In addition, we have an SBS group policy still in effect that redirects the user's 'My Documents' folder to their home folder on the server (for backups).


And here's the problem:

I was recently approached by a new user who stated that she wasn't able to delete some data that she had stored in her home folder.  As I looked into it, I found that while she had access to any files that she placed into her home directory, she didn't have access to the redirected 'My Documents' folders and files.  As I looked at the security settings for the folder, it looked like she should have had access:  she was listed as the folder owner (with full control, which is too much in my opinion, but it should have worked).  When I looked at effective permissions for her user account, Windows believed that she should have had access.

This felt like a group policy problem of some sort to me, so I moved her user account to an OU I use for testing (it has inheritance blocked).  After logging off and then back on, not only did she still not have access to her folders, but I couldn't view ownership or permissions data from the file server, even when logged on as the domain admin.

I was able to take ownership using 'takeown' and make the permissions look correct, but she still didn't have access.  As a part of the troubleshooting, I moved my AD user into the same 'no policies' OU, and am now seeing the same issues with the home folder.

I did some googling and found the following ICACLS script to reset user permissions:

set /p userDir=Enter the login of the user's directory you're modifying permissions for. (i.e. jDoe)
TAKEOWN /f "E:\Home Directories\%userDir%" /r /d y
ICACLS "E:\Home Directories\%userDir%" /reset /T
ICACLS "E:\Home Directories\%userDir%" /grant:r "MYDOMAIN\%userDir%":(OI)(CI)F
ICACLS "E:\Home Directories\%userDir%" /setowner "MYDOMAIN\%userDir%" /T

I modified it to fit my domain and ran it against my user folder.  The script completed successfully, but I am still being denied access.

I'm at a loss at this point.  So far, only 2 of the 80+ users are being affected, so I'm hesitant to run any scripts or make any changes that would affect the entire parent folder structure.  However, it's obvious that I either have a permission issue that is being inherited down and causing problems, or a policy that is causing issues, or both.  I'm afraid that the problem will continue to escalate as time goes on.

Does anyone have some advice on how to approach the issue?

Scott
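Before touching the parent folder structure, it helps to know whether the two broken folders are really the only ones. The script below is an added example, not code from the question or any answer: a read-only audit that walks every home folder and reports the ones whose ACL does not have the expected shape (owner is the user the folder is named after, an explicit ACE for that user, inheritance intact, no Deny entries). It assumes the layout from the question (E:\Home Directories\<logon name>, domain MYDOMAIN; the later listings show D:\Users Shared Folders, so pass -HomeRoot for that) and PowerShell 3.0 or later. Nothing is changed.

```powershell
# Added example, not part of the original post. Read-only audit of every home folder under
# the root, reporting the ones whose ACL does not match the expected shape. Nothing is changed.
# Assumptions: the layout from the question (E:\Home Directories\<logon name>, domain
# MYDOMAIN); PowerShell 3.0 or later. Run elevated on the file server.
param(
    [string]$HomeRoot = 'E:\Home Directories',
    [string]$Domain   = 'MYDOMAIN',
    [switch]$All            # show every folder, not only the suspicious ones
)

function Test-HomeFolderAcl {
    param([System.IO.DirectoryInfo]$Folder)

    $expected = "$Domain\$($Folder.Name)"
    $acl      = Get-Acl -Path $Folder.FullName

    # Explicit (non-inherited) ACEs granted to the account the folder is named after
    $userAces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $expected -and -not $_.IsInherited
    })
    # Any Deny ACE, explicit or inherited, wins over the Allow entries
    $denyAces = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })

    [pscustomobject]@{
        Folder             = $Folder.Name
        Owner              = $acl.Owner
        OwnerMatches       = ($acl.Owner -eq $expected)
        UserHasExplicitAce = ($userAces.Count -gt 0)
        UserRights         = ($userAces | ForEach-Object { "$($_.FileSystemRights)" }) -join '; '
        InheritanceBlocked = $acl.AreAccessRulesProtected
        DenyAceCount       = $denyAces.Count
    }
}

$report = Get-ChildItem -Path $HomeRoot -Directory | ForEach-Object { Test-HomeFolderAcl -Folder $_ }

if (-not $All) {
    # Keep only folders that deviate from the expected shape
    $report = $report | Where-Object {
        -not $_.OwnerMatches -or -not $_.UserHasExplicitAce -or
        $_.InheritanceBlocked -or $_.DenyAceCount -gt 0
    }
}
$report | Sort-Object Folder | Format-Table -AutoSize
```

Run it once before any repair to get a baseline, and again after, so a fix applied to one folder can be checked against the other 80 without opening each one in the GUI. An unresolvable owner (a bare S-1-5-21... string) shows up as OwnerMatches = False, which is worth looking at separately since it usually points at a deleted or migrated account rather than a permissions change.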
Chris:

If the permissions look correct and you're pretty sure you've exhausted your options in that regard, then it could be worth considering other software which could be causing the problem.

As a starting point for investigation, I have previously seen apparent permissions issues caused by:

AV on the server
AV on the client
UAC issues
File Server Resource Manager
Quota software
Security Software (user monitoring etc)

This is just a limited list of software with which I've personally experienced similar issues. If I were you I'd be building a list of any software that has the potential to interrupt file access.

Hopefully, this will help. It might turn out to be a red herring but I think it's worth investigation.
Lionel MM:
When that user is logged on, do a gpresult and see which GPOs are actually applied to that user. The next thing I would check is the directory one level up from these home folders and see what its permissions are; it could be that the directory these folders are contained in is the cause. Then make sure that inheritance is actually off by running this and just this (it will list the permissions assigned to this directory):
ICACLS "E:\Home Directories\%userDir%"
and
gpresult /user user'sname /v
you can also do if you want us to review the results for you
gpresult /user user'sname /v >C:\Logs\gpresult-user1.txt
Are there any Deny rights being applied, and what is the Share (sharing) permission set to?
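The checks above (ACLs at each level of the path, the share permission, the user's resultant policy) can be gathered into one log file for review. The script below is an added example and not part of Lionel MM's post; it assumes the layout from the question (E:\Home Directories, domain MYDOMAIN), and the share name, user name, client name and log path are placeholders. It only reads.

```powershell
# Added example, not part of the thread. Collects the evidence asked for above in one file:
# NTFS ACLs at every level from the user's folder up to the drive root, the share ACL,
# and the user's resultant policy. Read-only.
# Assumptions: the layout from the question (E:\Home Directories, domain MYDOMAIN);
# the share name, user name, log path and client name are placeholders. Run elevated.
param(
    [string]$UserName   = 'jDoe',
    [string]$HomeRoot   = 'E:\Home Directories',
    [string]$ShareName  = 'Home Directories',
    [string]$ClientName = '',          # workstation the user is logged on to (for gpresult /S)
    [string]$LogDir     = 'C:\Logs'
)
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir "permcheck-$UserName.txt"
if (Test-Path $log) { Remove-Item $log }

function Write-Section([string]$Title) { "`n=== $Title ===" | Out-File -FilePath $log -Append }

# 1. NTFS permissions, walking upward. A Deny or a change in inheritance shows where it
#    starts; (I) marks an inherited ACE, and an entry without (OI)(CI) applies to that
#    folder only and is not passed to subfolders.
$path = Join-Path $HomeRoot $UserName
while ($path) {
    Write-Section "icacls $path"
    icacls "$path" 2>&1 | Out-File -FilePath $log -Append
    $path = Split-Path -Path $path -Parent     # becomes '' once the drive root has been listed
}

# 2. Share permissions. The effective right through P: is the more restrictive of share and NTFS.
Write-Section "share permissions: $ShareName"
$setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
if ($setting) {
    $sd = $setting.GetSecurityDescriptor().Descriptor
    $sd.DACL | ForEach-Object {
        $type = if ($_.AceType -eq 1) { 'Deny' } else { 'Allow' }
        '{0,-5} {1}\{2}  mask=0x{3:X8}' -f $type, $_.Trustee.Domain, $_.Trustee.Name, $_.AccessMask
    } | Out-File -FilePath $log -Append
} else {
    "share '$ShareName' not found on this server" | Out-File -FilePath $log -Append
}

# 3. Resultant Set of Policy. /USER only works on a machine the account has logged on to,
#    so point /S at the workstation when running this from the file server.
Write-Section "gpresult for $UserName"
if ($ClientName) { gpresult /S $ClientName /USER $UserName /V 2>&1 | Out-File -FilePath $log -Append }
else             { gpresult /USER $UserName /V 2>&1 | Out-File -FilePath $log -Append }

Get-Content $log
```

Reading the icacls output from the bottom of the log upward (drive root first) makes it easy to see at which level an entry appears or loses its inheritance flags. In the share section, a Deny ACE or an Allow mask that lacks 0x00000002 (write) for the user's groups would explain a "permissions look fine" NTFS ACL that still refuses deletes over P:.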
Scott Milner (asker):
@Chris...

Thanks for the advice.  I'll look into each of your suggestions.  I'm not certain if I'll find an AV issue (on the server, it only seems to be a couple of users affected at this point... I'd think we'd see the problem more widespread if it were a problematic AV client; on the client, it's only the P: drives (home folders) that are being affected).

I thought about UAC as well, and have disabled it on my workstation (it's still on for the other user) with no change.

We don't utilize quotas or have a compliance software, so I'm out of the woods there.  I will look through FSRM and see if anything looks amiss and get back to you.

Thanks!

Scott
I'm wondering if it could be an inheritance issue. Did you check the permissions of the specific files in the folders that she couldn't delete? When you reset the permissions, did you then go in and force the change down through all files and folders?  It really almost sounds as though the ACL for those redirected files and folders is getting corrupted in some way.  If you remove the redirection from her account (making sure that you have your policy set to move the contents back to the local drive first), does she then have access to them on her local drive?
@lionelmm...

Thanks for the advice.

I ran ICACLS "D:\Users Shared Folders\scottm" from an elevated command prompt and returned the following:

D:\Users Shared Folders\scottm JD\ScottM:(OI)(CI)(F)
                               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                               BUILTIN\Administrators:(I)(OI)(CI)(F)
                               JD\jullrich:(I)(OI)(CI)(F)
                               JD\Domain Admins:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files

I ran the gpresult as well.  The output was a little long, so I attached it as a text file.

Thanks for the help!

sm
RSOP.txt
@yo bee...

I used ICACLS with no switches to display the NTFS permissions for each level of the directories, starting with the drive itself.  The results are below:

D:\ Drive
D:\ CREATOR OWNER:(OI)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Administrators:(OI)(CI)(F)
    NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
    BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files

Top-level Share
P:\>icacls "D:\Users Shared Folders"
D:\Users Shared Folders NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                        BUILTIN\Administrators:(OI)(CI)(F)
                        BUILTIN\Users:(S,RD,REA,X,RA)
                        JD\jullrich:(OI)(CI)(F)
                        NT AUTHORITY\Authenticated Users:(RX)
                        JD\Domain Admins:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files


Individual User Home Folder
P:\>icacls "D:\Users Shared Folders\ScottM"
D:\Users Shared Folders\ScottM JD\ScottM:(OI)(CI)(F)
                               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                               BUILTIN\Administrators:(I)(OI)(CI)(F)
                               JD\jullrich:(I)(OI)(CI)(F)
                               JD\Domain Admins:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files


I don't see any explicit 'Deny' in there, but I'm new to ICACLS, so I might be missing something in the output.

Thanks!
@hypercat...

That's a good call with the inheritance thoughts.  I'm a bit hazy as to exactly how the rights propagate down.

When I look at the advanced security settings for the affected user, I see a greyed out checkmark in the box to 'Include inheritable permissions from this object's parent'.  However, her permissions are listed as 'Special', and show to be <not inherited>.  I've included a screenshot...

I'm confused by this...  :)
@hypercat...

The permissions on my folder (also having problems) show to be the same as the user screenshot that I showed you, with the exception that I've given myself full control.  The entry still shows to be '<not inherited>', with a greyed out checkbox in 'Include inheritable permissions from this object's parent'.
@hypercat...

Sorry, I didn't respond to all your questions!  I'm going to go to her workstation now and move the documents from the home folder back to her my docs folder and see if she regains access.  I think she will (it works that way on my machine), but I'll double-check.

sm
All subfolders and files of the home folder for each user should be inheriting the top level permissions.  The fact that the user ID shows "Special" instead of "Full" indicates to me that there's something not working right with the permissions and inheritance.  BTW, the screen shot is missing.  Let's see what you find.
@hypercat
Sorry... I'll try to attach the screenshot again.
PermissionScreenCap.JPG
SOLUTION by Hypercat (Deb) (members-only content, not shown on this page)
Are the top-level permissions those at the drive level, or those at the parent folder?  

I'm going to attach a doc with screenshots of the security settings for Authenticated Users and the Users (MYDOMAIN\Users) groups.  They have differences, which is confusing to me... aren't they essentially the same group?  It would seem to me that my account belongs in the MYDOMAIN\Users group, and once I log in, I become an Authenticated User, so both sets are being applied to me.

I don't know if this will be helpful, but I'm hopeful!

FolderSecurityScreenCaps.docx
@hypercat...

I'm going to try your last instructions and get back to you shortly.

Thanks!
The reason she has Special is because she is set to inherit from the upper-level directory AND she is a member of the Users group, and the Users group has special permissions, as seen in
BUILTIN\Users:(S,RD,REA,X,RA)
so you need to remove inheritance and/or remove her from the Users group for that folder. You can do that through the GUI or by using icacls.
ASKER CERTIFIED SOLUTION (members-only content, not shown on this page)

Scott Milner (asker):
Sorry for the delay in closing the question.  The problem ended up having to do with document redirection as well.  I was able to reset her permissions on the server using CACLS, but she was being denied access to her local copy of the redirected 'My Documents' folder.

I logged on as admin to her workstation and reset her local permissions to her profile folders, and she then had access.

I was afraid of some odd issue with our document redirection policy, so I killed it and recreated it from scratch.  It seems to be working, except for the fact that all users now have duplicate copies of their My Documents folders.  I'm researching that, and writing/testing a powershell script to do a compare and delete the older copies of the documents.

Thanks to all who responded!
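The fix the asker describes for the workstation (log on as admin, reset the user's local profile permissions) has one trap worth spelling out: a blanket icacls /reset on C:\Users\<name> makes the profile root inherit from C:\Users, whose default ACL lets Users and Everyone read it, so every other local user could then browse her profile. The script below is an added example, not the asker's procedure; it assumes a Windows 7 client with the profile under C:\Users\<logon name> and the domain name MYDOMAIN from the question, and it rebuilds the profile root explicitly while resetting only the contents.

```powershell
# Added example, not part of the thread. Rebuilds one user's local profile ACL on the
# workstation without opening the profile to other users.
# Assumptions: profile under C:\Users\<logon name> (Windows 7 client), domain MYDOMAIN from
# the question. Run from an elevated prompt while the user is logged off.
param(
    [Parameter(Mandatory=$true)][string]$UserName,
    [string]$Domain  = 'MYDOMAIN',
    [string]$Profile = "C:\Users\$UserName"
)
if (-not (Test-Path -Path $Profile -PathType Container)) { throw "no profile at $Profile" }

# 1. Take ownership of the whole tree first (/A = give it to the Administrators group);
#    ACEs cannot be rewritten on files the administrator cannot even read.
takeown /F "$Profile" /R /D Y /A | Out-Null

# 2. Profile root: cut inheritance and set exactly three ACEs. Do NOT /reset this folder:
#    /reset would make it inherit C:\Users, whose ACL grants Users and Everyone read access.
icacls "$Profile" /inheritance:r /grant:r `
    "NT AUTHORITY\SYSTEM:(OI)(CI)F" `
    "BUILTIN\Administrators:(OI)(CI)F" `
    "$Domain\$($UserName):(OI)(CI)F"

# 3. Everything below the root: drop stale explicit ACEs and inherit from the root again.
#    The wildcard keeps the root itself out of the reset.
icacls "$Profile\*" /reset /T /C /Q

# 4. Ownership back to the user for the whole tree.
icacls "$Profile" /setowner "$Domain\$UserName" /T /C /Q

# Show the result; the root should list only the three identities above, none marked (I).
icacls "$Profile"
```

After the profile is rebuilt, the first logon with redirection re-enabled is the moment to check for the duplicate My Documents folders the asker mentions: the redirection policy's "move the contents" option only applies to the copy under the redirected path, so a stale local copy left behind by the old policy is not merged and has to be reconciled separately.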