File permission not enforced

I have a couple of shared folders created on the server and some permissions set on these folders. When a specific user tries, for example, to execute some of the permissions, most of them work and some do not, regardless of whatever I give that user, from privileged access to complete ownership of the folder.

Real example:

Shared folder on Windows 2012 R2 accessed by a user from Win 8.1 with full control and full ownership (share permissions: Everyone, full control), and still the user cannot delete or add any file or folder; the user can save opened documents or rename.

Steps tried:

Created another user --> same problem

User logged on to the server --> no problem

As a reminder, the user has full control and ownership but still cannot delete files and folders from Win 8.1 on a shared folder that exists on Windows 2012 R2.

Thanks

 
July 28th, 2015 3:30pm

Permissions are controlled by the most restrictive permission set for the user.  If the user has full access, but is a member of a group that has a more restrictive permission, the more restrictive permission takes precedence.  Check to see which groups the user is a member of.
July 28th, 2015 4:47pm

Thanks for replying. The user is only in the Domain Users group.

This is insane.

I logged in with the user account on the server, created a folder as the user, and set all groups (Users, Domain Users, Everyone, the user himself) to full control over the folder, and still the user cannot add any new folder or documents from his Win 8.1 machine (restarting the computer did not do any better). What the heck is blocking the user from editing a folder that he created himself on the server (logged on to the server directly), when all the groups that exist in the folder permissions are given full control, whether he is included in that group or not?


July 28th, 2015 10:41pm


Hi,

If the user can rename a file, he should also be able to delete that file.

From the description, the user cannot delete or create a file or subfolder. He can edit or rename existing files, however. And the issue only occurs when he remotely accesses the shared folder.

Though you mentioned the Share permission is set as Full Control, please check again that Full Control is checked.

Also please find a specific file which cannot be deleted by the user. Check its NTFS permission and make sure there is no DENY permission, and that the user does have Full Control permission on that file. A quick test is to remove all NTFS permissions and give the specific user Full Control to see if he can delete the file.

Also, what's the error when failing to delete or create a file?

July 30th, 2015 7:01am

Please check the parent drive permission, like the C: security permission,

and check the subfolder permissions.

If the parent security permission is set to read only, and the subfolders are set to full control,

the subfolders will still inherit the parent security permission, which is read only.

July 30th, 2015 9:32am

I disabled the inheritance from these folders and still the same thing
August 2nd, 2015 2:11pm

I disabled the inheritance from these folders and still the same thing

How about doing some testing first:

1. Share a folder (just a test folder).

2. Set the permissions for Everyone to full control (set it at the root drive).

3. Check the shared folder from another workstation.

4. If it works, then slowly set the permissions.

Or check out the link below:

http://blogs.technet.com/b/keithmayer/archive/2012/10/21/ntfs-shared-folders-a-whole-lot-easier-in-windows-server-2012.aspx

August 2nd, 2015 11:56pm

Thanks for your reply

It is still the same stubborn error.

I had a dual boot on that PC, so I booted Windows 7 and tried to access the folder to delete a folder inside using the user's credentials, but it is the same error.

I set up the permissions on that folder for Everyone (sharing and security) to have full control, and still the user or any other user cannot delete the folder or any folder.

August 5th, 2015 12:11pm

can you post the output of this:

icacls c:

if the shared folder is on c drive, just change the drive letter if the shared folder is on a different drive.

have you enabled encryption on the drive?

August 5th, 2015 9:56pm

I don't know what it can be, but I've had "fun" with running scripts from shares.  Perhaps some of the same things are affecting you.  Is UAC on or sort of "off"?  Is the share available from both the normal command prompt and an elevated (run as admin) command prompt?  Can the file be deleted in either command prompt?  Has IE on the client been used to add the share as either a trusted site or from the local intranet? 

I have had scripts run from a share until elevated access was required.  However, once the elevation was done, it failed because it no longer had access to the share.  The elevated user and the normal user are different.  There is a registry setting that can be set that will let the elevated user have access to the share as the non-elevated user. 

There might be other odd things too, like the need to add permissions for the non-elevated user in addition to the elevated user.  It has to elevate to do this. 

Another thing to check is the owner of the files.  You might have to take ownership.  

Just rambling.  I do feel your pain.  Prozac helps. 

August 6th, 2015 8:32pm

sorry for replying late, had some time off.

Here is the output for the shared folder in question (I changed the domain name to DomainName):

DomainName\Domain Users:(OI)(CI)(F)
Everyone:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(F)
DomainName\bob:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)

CREATOR OWNER:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
DomainName\Domain Users:(I)(CI)(RX)
BUILTIN\Users:(I)(CI)(RX,WD,AD)

encryption is not enabled
August 15th, 2015 7:02pm

should the UAC be off or on...

the user has ownership and I added everyone --> full access

Prozac does not help either...took the whole bottle.

August 15th, 2015 7:26pm


Does this happen with a different shared folder on the same server?

Also, can you get the SDDL output for the folder? This can be obtained either using get-acl <Folder name> | format-list or using icacls.

SDDL stores - Owner SID, Primary Group SID, DACL information, SACL.

August 16th, 2015 7:41pm

Yes, it happens on all folders.

Path   : Microsoft.PowerShell.Core\FileSystem::E:\Finance\ADMINISTRATION\Files\2013
Owner  : DomainName\bob
Group  : DomainName\Domain Users
Access : Everyone Allow  FullControl
         BUILTIN\Users Allow  FullControl
         DomainName\Domain Users Allow  FullControl
         DomainName\bob Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         CREATOR OWNER Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         DomainName\Domain Users Allow  ReadAndExecute, Synchronize
         BUILTIN\Users Allow  CreateFiles, AppendData, ReadAndExecute, Synchronize
Audit  :
Sddl   : O:S-1-5-21-1555754151-1371175101-57080227-1121G:DUD:AI(A;OICI;FA;;;WD)(A;OICI;FA;;;BU)(A;OICI;FA;;;DU)(A;OICII
         D;FA;;;S-1-5-21-1555754151-1371175101-57080227-1121)(A;OICIID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A
         ;CIID;0x1200a9;;;DU)(A;CIID;0x1200af;;;BU)


August 16th, 2015 8:05pm

Hi, your settings are working perfectly fine.

The users definitely will not be able to add, delete or create folders.

See this line:  DomainName\Domain Users Allow  ReadAndExecute, Synchronize

Domain users is read only.

If you allow domain users the "modify" rights, then they will be able to delete or create folders. But make sure you have a backup system in place, or else anything deleted means gone forever.

August 16th, 2015 11:32pm


Where do I change this? It also says DomainName\Domain Users Allow  FullControl, and in the Security properties Domain Users have full control, so I do not know where the ReadAndExecute, Synchronize is to change it.
August 17th, 2015 11:15am

Perhaps the Prozac was not taken while elevated?  I doubt it's a UAC issue, but here is the link for the curious.  

https://technet.microsoft.com/en-us/library/Ee844140(v=WS.10).aspx

The most restricted group sounds confusing to me.  However, any deny access defined will take precedence.  So perhaps that's what was meant.  I would look for any "deny" permissions set any place, as they do count first.  Looks like all allow to me, but there might be another unexpected group.

(I'm a DBA.  A deny on the public database role will affect everybody that's affected by object security, even members of the db_owner role.  Security is not checked for sysadmin and the one "true" db owner.  It can be very confusing.  Might be the same thing here.) 

August 17th, 2015 1:44pm

Where do I change this? It also says DomainName\Domain Users Allow  FullControl, and in the Security properties Domain Users have full control, so I do not know where the ReadAndExecute, Synchronize is to change it.

Change it at the root. If you get to it via the C drive, then right-click on the C drive, go to Properties, and click on the Security tab; you should be able to see and change the permissions from there.
August 17th, 2015 9:26pm

Perhaps the Prozac was not taken while elevated?   

August 17th, 2015 9:27pm

In the SDDL output above, for the same folder, there are conflicting permissions. One time it says

DomainName\Domain Users Allow  FullControl

and another time it says

DomainName\Domain Users Allow  ReadAndExecute, Synchronize

How come there are two different security permissions? I can see the Allow FullControl (all of them are checked), but I cannot see where only ReadAndExecute, Synchronize is checked.

August 17th, 2015 9:44pm

In the SDDL output above, for the same folder, there are conflicting permissions. One time it says

DomainName\Domain Users Allow  FullControl

and another time it says

DomainName\Domain Users Allow  ReadAndExecute, Synchronize

How come there are two different security permissions? I can see the Allow FullControl (all of them are checked), but I cannot see where only ReadAndExecute, Synchronize is checked.

Have you checked the root directory of the C drive?
August 18th, 2015 12:54am

But I cannot give Domain Users full access to the root of C:\ ... it does not make sense.
August 18th, 2015 11:09am

Who is the owner of the root?  Can you check the effective permissions at the root for yourself?  Is there any group policy for file access?  Maybe an inconsistent permission state - can you try a new share on a new drive? 

August 18th, 2015 1:14pm

I found the culprit, which in a way does not make any sense, but it solved the problem.

There are two permissions: Share and Security.

Regardless of the full permission setting on the Security tab, the share permission will override. So the solution is to give the Everyone group write permission on the share permission. And voila.

Maybe Microsoft changed the default sharing permissions from read and write to read only, as I do not recall having to do this on 2003 and 2008 server.

Anyway, thanks to everyone who helped in trying to find a solution, especially the Prozac solution.

August 18th, 2015 2:51pm
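
The interaction the post above arrives at, as an added example that is not code from anyone in this thread: it parses the SDDL string from the Get-Acl output, accumulates the allow ACEs in DACL order, and intersects the result with a share-level mask. The share levels tried, the token membership and the simplified NEEDS table are assumptions for illustration; the thread never shows the share ACL itself.

```python
import re

# SDDL from the Get-Acl output above, console line wraps rejoined.
USER = "S-1-5-21-1555754151-1371175101-57080227-1121"   # owner SID on the page
SDDL = ("O:" + USER + "G:DUD:AI(A;OICI;FA;;;WD)(A;OICI;FA;;;BU)(A;OICI;FA;;;DU)"
        "(A;OICIID;FA;;;" + USER + ")(A;OICIID;FA;;;BA)(A;OICIIOID;FA;;;CO)"
        "(A;OICIID;FA;;;SY)(A;CIID;0x1200a9;;;DU)(A;CIID;0x1200af;;;BU)")

FA = 0x1F01FF  # FILE_ALL_ACCESS, written "FA" in SDDL
SHARE = {"Read": 0x1200A9, "Change": 0x1301BF, "Full": 0x1F01FF}  # share ACL levels
# Simplified: bits a client needs on the folder (FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY, DELETE)
NEEDS = {"create file": 0x2, "create folder": 0x4, "delete": 0x10000}

def parse_aces(sddl):
    """Return (type, flags, mask, trustee) for each allow/deny ACE, in DACL order."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", sddl):
        kind, flags, rights, _, _, sid = body.split(";")[:6]
        if kind not in ("A", "D"):
            continue  # audit ACEs do not grant or deny access
        mask = FA if rights == "FA" else int(rights, 16)  # only FA and hex handled
        aces.append((kind, set(re.findall("..", flags)), mask, sid))
    return aces

def ntfs_mask(aces, token_sids):
    """Walk the DACL in order: allow ACEs accumulate, an earlier deny wins."""
    granted = denied = 0
    for kind, flags, mask, sid in aces:
        if sid not in token_sids or "IO" in flags:
            continue  # other trustee, or inherit-only (applies to children only)
        if kind == "A":
            granted |= mask & ~denied
        else:
            denied |= mask & ~granted
    return granted

def over_smb(share_level, sddl, token_sids):
    """Access through the share: share-level mask AND the NTFS mask."""
    return SHARE[share_level] & ntfs_mask(parse_aces(sddl), token_sids)

def blocked(mask):
    """Operations from NEEDS that the mask does not permit."""
    return sorted(op for op, bit in NEEDS.items() if not mask & bit)

# Assumed token: the user's SID plus the SDDL aliases DU, BU and WD (Everyone).
TOKEN = {USER, "DU", "BU", "WD"}

if __name__ == "__main__":
    for level in SHARE:
        m = over_smb(level, SDDL, TOKEN)
        print(f"{level:6} {m:#08x} blocked: {blocked(m)}")
```

On a live server the two inputs come from `Get-SmbShareAccess` (share ACL) and `Get-Acl` (NTFS ACL); a real token carries full SIDs rather than the SDDL aliases matched here.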

Glad it finally worked.  It appeared to us that you already gave full control on the share. 

I know it is common to use Everybody.  If access needs to be restricted, take care that local users on the server don't have access to the files.  The group will likely have authenticated users as a member. 

August 18th, 2015 3:16pm

I found the culprit, which in a way does not make any sense, but it solved the problem.

There are two permissions: Share and Security.

Regardless of the full permission setting on the Security tab, the share permission will override. So the solution is to give the Everyone group write permission on the share permission. And voila.

Maybe Microsoft changed the default sharing permissions from read and write to read only, as I do not recall having to do this on 2003 and 2008 server.

Anyway, thanks to everyone who helped in trying to find a solution, especially the Prozac solution.

Thanks for updating the thread and glad to know you finally nailed it.

August 18th, 2015 11:01pm

This topic is archived. No further replies will be accepted.
