File Permissions on Shared Directories - Server 2008 sp2
Hi, I'm working for a company that has very restrictive security permissions. So much so infact we have five different Administrator groups that have different access levels etc... Anyway, we're currently in the process of a Pilot scheme of migrating user and public data from Server 2003 to Server 2008. The problem I'm having is: 1. We've added all five of the administrator accounts (with full control) to the data folder, however, administrators do not have administrator access. 2. When an administrator (who is a member of at least 3/5 administrator groups) tries to gain access to the folder (locally from the server via mstsc) he/she is prompted that they do not have permissions to access the destination and is required to replicate their account throughout the security permissions on all sub-folders. With the build version being tailored specifically to my company, the problem caused appears to lie within this. As with the new servers we're currently taking on (we have around 2000 in total that need to have this upgrade) we've found that deleting the directory and recreating it before starting any take on procedures and data migrations fixes the issue. However, with the previous servers (5 or so) that have already had data migrated to them, how can I remove this issue that causes all administrators to replicate permissions to all inheritable sub-folders? Now, we've potentially found the problem... and that's that some administrators weren't added correctly to administrator group 4 (meaning they were directly added, and not added through a global group). This helps fix the issue with the folder deleting/recreating issue as members that couldn't access the directories now can, but the issue still remains on the old directories on the pilot servers. Any thoughts?HP WinTel Server Support
July 5th, 2011 10:05am

I think this might be related to UAC in Server 2008. In fact, explorer.exe is NOT any uac-ready and blames for permission absence and offers you forcibly replace ALCs for what it considers better, that's why I always disable UAC. Try disabling UAC (Control Panel -> User Accounts) and see if this helps.MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor; CCNA
Free Windows Admin Tool Kit Click here and download it now
July 6th, 2011 10:39am

Unfortunately, we're not permitted. I think the issue is that once we add new permissions(in terms of security groups from AD) to a directory that already has data inside it, even though the group is added, it doesn't actually permit any access to the directory. It's the only link I can connect between the new directories working, and the old directories not working. Either way, it's a damn pain and I think I'll just have to make do with what we have on the first five servers. Live and learn I guess...HP WinTel Server Support
July 6th, 2011 11:13am

Hi, Your current issue should be caused that different permissions are inherited to subfolders so it causes difficulty on adding or change permissions. Whether there is any deny permission set on folders or subfolders? If so then any added permission which violated the denied permission will not be applied. And if it is avaliable you can try to delete some permissions to create. In addition, you can have a try to use psexec to run CMD as SYSTEM to see if it can help set permissions: http://technet.microsoft.com/en-us/sysinternals/bb897553 TechNet Subscriber Support in forum |If you have any feedback on our support, please contact tnmff@microsoft.com.
Free Windows Admin Tool Kit Click here and download it now
July 11th, 2011 9:51am

Unfortunately, this doesn't rectify the issue. We have no denied permissions active on the parent directories for any inherited permissions to conflict in terms of access levels. As we are trying to permission a top level directory, the permissions should in theory be at the access levels. However, I think it's possibly because when the data was transferred, permissions were also transferred causing a conflict between the parent and the sub-folders although the permissions were actually set to the same. If I find a solution to the problem, I'll post it here for further reference.HP WinTel Server Support
July 11th, 2011 11:59am

I've found the problem to lie within the transferring of permissions. It seems that robocopy doesn't actually transfer many NTFS permissions correctly as I reviewed some transfer logs of a more recent transfer and found nearly every file to have "ERROR 5 ACCESS IS DENIED" under the NTFS permission transfer. This appears to have caused this issue. I also think this is linked to the Share Permissions having what appears to be a group policy object denying external share permission assigning. Even rmtshare can't add share permissions to a newly created share. The Server 2008 shares also appear to grant "Everyone" Full-Control access when doing this as well.HP WinTel Server Support
Free Windows Admin Tool Kit Click here and download it now
August 3rd, 2011 5:34pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics