File Write Access oddity

We have home Folders for all users with security set as per below
  • Bob (Deny Delete this folder, Modify Files and SubFolders contained within)
  • Bob's Supervisor (Deny Delete this folder, Read only Files and SubFolders contained within)

Bob is not a member of the supervisors group, nor any of the 12 staff who possess a named folder

The conundrum!!!!

  • When Bob creates a file in Word or Excel or even Notepad and tries to save it, a file with the chosen name is created in the folder, zero bytes in size, and then Bob gets an access denied error.
  • When Bob wants to print to PDF he can save the "printed" output file to his folder without any access denied error.
  • Bob can delete files in the folder.

There are 12 folders, one for each employee, and only some have this issue. I have trawled through the security on the files and folders and they are all configured identically.
For those affected by this I have deleted and recreated the Named Folder from scratch and get the same outcome.  This also affects the users whether they are logged on via a domain joined PC or Remote Desktop.

What am I missing here?  Please help put me out of my misery!
mbkitmgr Asked:

Qlemo ("Batchelor", Developer and EE Topic Advisor) Commented:
Can you show the exact security descriptor for Bob's folder, please? E.g. the output of icacls.

Your description looks like creating and deleting items in the folder are allowed (folder permission), but file permissions then deny modification of the created file. Applications writing their files in one go are working, those which first create a file to overwrite it don't.
1
Thomas U Commented:
I'll go with Qlemo. Seems security says "write", but not "modify".
0
mbkitmgr (Author) Commented:
Bob, who gets the error:
D:\Data\Shared Data\Users>icacls "Bob"
Bob             ACME\Bob:(DENY)(D)
                    ACME\GRP_ACME-Care_Supervisor:(DENY)(D)
                    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                    ACME\ACMEadmin:(OI)(CI)(F)
                    ACME\Bob:(OI)(CI)(M)
                    ACME\GRP_ACME_Supervisor:(OI)(CI)(M)
                    BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files

Alice, who doesn't:
D:\Data\Shared Data\Users>icacls "Alice"
Alice       ACME\AliceW:(DENY)(D)
                ACME\GRP_ACME-Admin_Supervisor:(DENY)(D)
                NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                ACME\ACMEadmin:(OI)(CI)(F)
                ACME\AliceW:(OI)(CI)(M)
                ACME\GRP_ACME-Admin_Supervisor:(OI)(CI)(M)
                BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
0

Qlemo ("Batchelor", Developer and EE Topic Advisor) Commented:
That looks ok that way. Files should be able to get created, changed or deleted, inheriting (M) - which includes R, W, D.
And that works for me. I have created a folder with (Deny)(D) and (OI)(CI)(M) for my user (and nothing else), and can create, overwrite, delete files manually or with NotePad without issues.

Any chance an antivirus is blocking access?
0
mbkitmgr (Author) Commented:
I exported the iCacls to Text for all folders and imported to Excel.

I did find two whose folder permissions were inconsistent.

BUT I also find that when I:
  1. Choose an affected user
  2. Remove their account from any domain group (i.e. ACME-Common-RO)
  3. They suddenly gain the same "abilities" as their fellow employees
This only affects accounts that have existed on the domain since its inception (original employees). Those new to the org in the last 2 years aren't affected.

I am starting to wonder if there is an issue with a longer-term employee's GUID that hasn't happened for newer employees.
0
Qlemo ("Batchelor", Developer and EE Topic Advisor) Commented:
At this stage everything you can think of could be the reason :D
If you reverse the change of removing them from groups by adding them back, does that change anything?
0
mbkitmgr (Author) Commented:
I recall in the days of Server 2000 and Systems Management Server 2.0, we had a client where the users were members of a large number of domain groups.

We found that for some users, "abilities" granted by being members of certain groups were not granted. We lodged a support request with MS Support and found that a buffer used to store information about SMS in AD at the time was preventing GUIDs from growing beyond a certain length.

Microsoft issued a patch that addressed the issue. While this is a Server 2008 R2 domain, the behaviour is similar.
0
mbkitmgr (Author) Commented:
Thanks Qlemo, I was pondering what to do next...yours sounds like the way to go
0
mbkitmgr (Author) Commented:
Bingo !!!!

Adding them back into a group fails to change the behavior for longer term employees.

Next step is to delete the user account and re-create the account and see what gives. My test account is affected, so this will become my guinea pig.
0
Thomas U Commented:
@mbkitmgr
How many groups do your users have? My users have quite a few and I hope not to have similar problems in the future as you have.

cheers
Thomas
0
mbkitmgr (Author) Commented:
Each user in this case is a member of 8 groups.

In the situation of Server 2000 the users would be members of up to 70-odd groups.

My suspicion is that something about the groups is corrupt.
0
Thomas U Commented:
Ah... OK, my users go up to 20 groups. So you say if you re-create the user OR the group, and give permissions to the folder with that NEW group or user, the problem vanished?
0
mbkitmgr (Author) Commented:
Hi Thomas, I realised a few hours after posting the results that they were inconsistent.

Since then I have gone through all staff to identify who is/isn't affected. I identified 3 users, all longer-term employees. After managing their data etc., deleting the accounts and recreating them from scratch, the issue no longer appears.

I built the domain from new when this org formed, but there was a period of 60 days where they discontinued my services as they felt they had staff who could manage the IT systems in-house, which to their surprise didn't go well.
1
mbkitmgr (Author) Commented:
With the input of others some potential areas were dismissed as possible causes. Without their help some of these below would not have been identified either.

  • Remember to validate the results some users report - one said she was affected - later I found she was trying to save to another employee's folder and obviously getting denied .... why was she doing this? I am afraid to ask.
  • Dumping icacls to text and importing into an Excel worksheet allowed me to identify some inconsistencies - the permissions applied were working but not the same for all.
  • Given the client self-managed the system, I see where they have tried modifying certain things related to share and folder security, instead of using the predefined groups I had set up to add/remove users' access to specific areas.
0
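Two things in this thread lend themselves to a script: Qlemo's point that an ACE without (OI) never reaches files created in the folder, while an (OI)(CI)(M) entry gives new files Modify (R, W, D), and mbkitmgr's dump-icacls-to-Excel comparison that exposed folders whose permissions were "working but not the same for all". The Python below is an added example written for this page, not code from the thread, from Experts Exchange or from icacls itself. It parses pasted icacls listings (the Bob and Alice output quoted above plus a constructed "Carol" folder whose owner only gets Read/Execute on new files, built to reproduce the zero-byte-file-then-access-denied pattern), reports what a freshly created file would grant its owner, and flags folders whose normalized ACL deviates from the majority template. The OWNERS mapping, the rule that any group with "Supervisor" in its name plays the supervisor role, and the simplified single-trustee rights evaluation are assumptions of the example.

```python
import re
from collections import Counter, namedtuple

# Constructed sample: the Bob and Alice listings quoted in the thread plus a third
# folder "Carol", invented here, where the owner's Modify ACE is (CI) only and new
# files inherit just Read/Execute from an (OI)(IO)(RX) entry.
SAMPLE_ICACLS = r"""D:\Data\Shared Data\Users>icacls "Bob"
Bob       ACME\Bob:(DENY)(D)
          ACME\GRP_ACME-Care_Supervisor:(DENY)(D)
          NT AUTHORITY\SYSTEM:(OI)(CI)(F)
          ACME\ACMEadmin:(OI)(CI)(F)
          ACME\Bob:(OI)(CI)(M)
          ACME\GRP_ACME_Supervisor:(OI)(CI)(M)
          BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
Alice     ACME\AliceW:(DENY)(D)
          ACME\GRP_ACME-Admin_Supervisor:(DENY)(D)
          NT AUTHORITY\SYSTEM:(OI)(CI)(F)
          ACME\ACMEadmin:(OI)(CI)(F)
          ACME\AliceW:(OI)(CI)(M)
          ACME\GRP_ACME-Admin_Supervisor:(OI)(CI)(M)
          BUILTIN\Administrators:(OI)(CI)(F)
Carol     ACME\Carol:(DENY)(D)
          ACME\GRP_ACME-Care_Supervisor:(DENY)(D)
          NT AUTHORITY\SYSTEM:(OI)(CI)(F)
          ACME\ACMEadmin:(OI)(CI)(F)
          ACME\Carol:(CI)(M)
          ACME\Carol:(OI)(IO)(RX)
          ACME\GRP_ACME-Care_Supervisor:(OI)(CI)(M)
          BUILTIN\Administrators:(OI)(CI)(F)
"""
# Assumption: owning account per folder (Alice's folder is owned by ACME\AliceW).
OWNERS = {"Bob": r"ACME\Bob", "Alice": r"ACME\AliceW", "Carol": r"ACME\Carol"}

ACE_RE = re.compile(r"^(?P<trustee>[^:]+?):(?P<flags>(?:\([^)]*\))+)\s*$")
INHERIT = {"OI", "CI", "IO", "NP", "I"}  # OI: to files, CI: to subfolders, IO: inherit-only
SIMPLE = {"F": {"R", "W", "X", "D", "P", "O"}, "M": {"R", "W", "X", "D"},   # icacls simple
          "RX": {"R", "X"}, "R": {"R"}, "W": {"W"}, "D": {"D"}, "N": set()}  # rights, expanded
Ace = namedtuple("Ace", "trustee deny inherit rights")

def parse_ace(text: str):
    m = ACE_RE.match(text.strip())
    if not m:
        return None
    flags = re.findall(r"\(([^)]*)\)", m["flags"])
    rights = set()
    for f in flags:
        if f != "DENY" and f not in INHERIT:
            for token in f.split(","):   # also covers (RD,WD,AD)-style specific rights
                rights |= SIMPLE.get(token, {token})
    return Ace(m["trustee"], "DENY" in flags,
               frozenset(f for f in flags if f in INHERIT), frozenset(rights))

def parse_icacls(text: str) -> dict:
    """Parse pasted `icacls <folder>` listings into {folder: [Ace, ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Successfully") or ">icacls" in line:
            continue
        if not line[0].isspace():        # "<folder>   <first ACE>" opens a listing
            current, _, line = line.partition(" ")
            acls[current] = []
        ace = parse_ace(line)
        if ace and current:
            acls[current].append(ace)
    return acls

def new_file_rights(aces, trustee: str) -> frozenset:
    """Rights a file created in the folder inherits for `trustee`. Only (OI) ACEs are
    copied onto new files; the bare (DENY)(D) entries protect the folder object only.
    Simplified: ignores group membership and ACE order used by real NTFS checks."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace.trustee == trustee and "OI" in ace.inherit:
            (denied if ace.deny else allowed).update(ace.rights)
    return frozenset(allowed - denied)

def normalize(aces, owner: str) -> frozenset:
    """Swap folder-specific trustees for placeholders so folders built from the same
    template compare equal. Assumption: a group named *Supervisor* is that role."""
    return frozenset(
        ("<OWNER>" if a.trustee == owner else
         "<SUPERVISOR>" if "Supervisor" in a.trustee else a.trustee,
         a.deny, a.inherit, a.rights) for a in aces)

def find_inconsistent(acls: dict, owners: dict) -> list:
    """Folders whose normalized ACL differs from the most common one (the template)."""
    norms = {f: normalize(aces, owners[f]) for f, aces in acls.items()}
    template = Counter(norms.values()).most_common(1)[0][0]
    return sorted(f for f, n in norms.items() if n != template)

if __name__ == "__main__":
    acls = parse_icacls(SAMPLE_ICACLS)
    for folder, aces in acls.items():
        print(folder, "owner rights on a new file:", sorted(new_file_rights(aces, OWNERS[folder])))
    print("deviating from template:", find_inconsistent(acls, OWNERS))
```

Run against real output, the script reads a text file produced by running icacls on each home folder and redirecting to one file. For Bob and Alice it reports R, W, X, D on new files, matching Qlemo's observation that the (DENY)(D) entries cannot be what denies the save; for the constructed Carol folder it reports only R and X, which is the shape of ACL that lets an application create a zero-byte file and then fail to write it. Anything the normalized comparison flags is worth a second look, but a clean comparison does not rule out the account-side problem the thread eventually found.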
