Solved

Issues applying security permissions on 2008 Server folders

Posted on 2016-08-02
15
68 Views
Last Modified: 2016-08-06
I am applying new security permissions to folders on a Windows 2008 R2 file server.  Using Remote Desktops, I receive access denied errors - seemingly at random.  Some folders accept the changes without issue, but others generate the errors.

Alternatively, I've applied the permissions across the LAN via Windows Explorer.  This process stops periodically with "unexpected network error occurred" messages. Clicking OK resumes the process until the next error comes up.

I am an administrator on the server. Ownership of the folders is with the server's Administrators group. The folders are on a partition separate from the boot partition.

I appreciate any help.
0
Comment
Question by:cmmcginn
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 4
15 Comments
 
LVL 22

Assisted Solution

by:Larry Struckmeyer MVP
Larry Struckmeyer MVP earned 150 total points
ID: 41740460
Hi,
Assuming you mean that you have a share on your server with folders below.  That you want different security settings for some of the folders in that tree where Security Group A has access to Folder1 and Security Group B has access to Folder2 and so on.

Have you first given the admin full control of the entire tree, then removed inherited permissions from the tree but left the default permissions applied?  After that your should be able to work through the tree, removing the inherited permissions from each folder and applying the ones you want.  Be sure and tick the box to apply to files, folders and sub-folders in each case..
0
 
LVL 25

Expert Comment

by:Lionel MM
ID: 41740529
The main question is what do you want to end up with, once we know that we can advise you what to do. For instance if you want the directory d:\test-folder to have ownership by admin group then you can run TAKEOWN /F d:\test-folde /R /A which will make the admin group owner of that directory and all files and folders under it. If you want to change permissions we can similar using icacls
0
 

Author Comment

by:cmmcginn
ID: 41740856
Thank you both for offering to help.

Yes, I am trying to revise permissions on folders under a network share.  The Administrators group has full control on all folders and owns the folders.

The real challenge here is that these errors appear to be quite random.  Sometimes, setting permission via Remote Desktop works fine. Other times, the process immediately stumbles with access denied errors.  I am logged in as full administrator every time.

The same is true when setting permissions across the LAN with Windows Explorer, but the error is different.  If I set permissions on a folder with few files, the process likely will succeed.  If there are many files and the process takes a while, the error is likely to occur.  Usually 1 to 3 "network" errors occur in succession, then the process resumes for a while.

Thanks again.
0
Creating Instructional Tutorials  

For Any Use & On Any Platform

Contextual Guidance at the moment of need helps your employees/users adopt software o& achieve even the most complex tasks instantly. Boost knowledge retention, software adoption & employee engagement with easy solution.

 
LVL 25

Expert Comment

by:Lionel MM
ID: 41740869
This is likely due to inconsistent ownership and/or permission in the subfolder and files. The most reliable way of resolve this is not using Windows Explore but the two command line tools I gave you. I would run the takeown command I gave you first and see if that resolves it for you. If not I would then move onto the icacls -- it will tell you specifically which files/folders failed and then you can fix those individually.
0
 

Author Comment

by:cmmcginn
ID: 41740900
Okay, I'll give them a try. Thanks.
0
 

Author Comment

by:cmmcginn
ID: 41741374
TAKEOWN seems to have worked quite well.  The only "access denied" responses involved System Volume Information folders which, I gather, is expected.
0
 

Author Comment

by:cmmcginn
ID: 41741379
Do you know what the proper permissions are for System Volume Information folders?  Is it Administrators or SYSTEM?

Thanks again
0
 
LVL 25

Expert Comment

by:Lionel MM
ID: 41741423
that is normal to get access denied and the normal owner is SYSTEM
SYSTEM:(OI)(CI)(F)
0
 

Author Comment

by:cmmcginn
ID: 41741444
Yes, I noticed that shadow copies was not configured on this server. Enabling it changed Sys Vol folder permissions from Administrators to SYSTEM (couldn't do it manually).

I'll get to using iCACLS in a while.  I'm sure that will be very helpful, too.

Thanks very much for your help.
0
 

Author Comment

by:cmmcginn
ID: 41741448
Thank you both very much.
0
 
LVL 25

Accepted Solution

by:
Lionel MM earned 350 total points
ID: 41741484
Glad to help but this makes no sense to me--you accepted my answer as the best answer and in your comments you say that takeown resolved the issue yet you give me 150 points and the assisted solution 350? Why is that -- if my answer is the best shouldn't it be the other way around? or at least equal?
0
 

Author Comment

by:cmmcginn
ID: 41741492
Yes, I meant to apply the points the other way around. Thanks for letting me know. I'll fix it.
0
 

Author Comment

by:cmmcginn
ID: 41741519
I've left an inquiry with Support for how to fix the points award.
0
 

Author Closing Comment

by:cmmcginn
ID: 41745530
Points corrected
0

Featured Post

[Webinar] Code, Load, and Grow

Managing multiple websites, servers, applications, and security on a daily basis? Join us for a webinar on May 25th to learn how to simplify administration and management of virtual hosts for IT admins, create a secure environment, and deploy code more effectively and frequently.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question