Strange random loss of permissions

I just had a real strange issue crop up that I've never seen before and I can't explain, so I'm wondering if anyone else has seen this issue and might know what caused it.

I just had a situation where a bunch of random users' home folders lost part of their permissions. We make fairly extensive use of redirected folders for all of the special folders including the desktop. In the GPO that redirects the folders, I have the redirected folders set up to not grant the user exclusive rights to the folder to allow for admins to get into the folders without messing with security. As such, when the folders are created, they are created with 'Creator Owner - Special permissions', 'System - Full', that user's account with Full, and 'Administrators - Full'.

The problem I had is random users lost permission to their folders, so rather than permissions as listed above, the permissions on the folders were 'Creator Owner - Special permissions', 'System - Full' and 'Administrators - Full'.

Does anyone have any ideas what may have done this?

September 1st, 2015 6:29pm

Hi Dave,

The problem I had is random users lost permission to their folders, so rather than permissions as listed above, the permissions on the folders were 'Creator Owner - Special permissions', 'System - Full' and 'Administrators - Full'.

A random issue is pretty difficult to troubleshoot; please try to find a pattern, such as timing, to better analyze the issue.

In addition, here are a few things I suggest you check:

  • Find out whether there is any script running which modifies folder permissions.
  • Group Policy can also customize specific folder permissions.
  • Try to disable any third party software installed to see whether the issue persists.

You may also enable auditing to find out exactly who/what is changing permissions on the corresponding folder.

More information for you:

Folder Redirection

https://technet.microsoft.com/en-us/library/cc781907(v=ws.10).aspx

Auditing File Access on File Servers

http://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx

Best Regards,

Amy

September 3rd, 2015 7:52am

It's not random in that it's happening at random times, it's random in that it happened to random folders and seemingly all at once. This is the first time I've ever seen something like this happen in 15+ years working in IT...

There are no scripts modifying permissions. The only GPO modifying permissions would be the one that sets the permissions when the folders are created to add 'Administrators' to the folder (unchecking the 'Grant the user exclusive rights to {folder}' box in the folder redirection policy), rather than only the user, which is the default. This was on a file server, so there is no 3rd party software other than Trend AV installed on it.

I would not be opposed to having permission changes audited (that would help me in other areas), however, when I last tried to set that up, I got WAY too much information. No matter what I tried to do to filter the auditing, it was auditing EVERYTHING - every time a file was even accessed, an entry was made for the permission check attempt. If you know of a way that I haven't found to enable the auditing, but only have it log actual changes to permissions, not everything including the check to see if a user has permission to access a given file/folder, I'd love to hear it.


  • Edited by DaveK1701 Thursday, September 03, 2015 7:35 PM
September 3rd, 2015 7:28pm

Hi!

Something to consider is that someone with full control access to the files/folders may be intentionally or unintentionally changing the folder permissions. Granting a user "Full control" on a folder will allow them to also change the permissions of the folder. I always try to avoid granting users "Full control", and only give them change access to their folders. The reason for this is that your average user will almost never need to change folder permissions, and when they do, they rarely fully understand the implications of folder access changes.

I'd recommend you enable auditing on these folders and keep an eye open for event ID 4670; this log entry will show you who changed the permissions on which object, as well as show you the current and previous security settings on that folder.

This would ensure that you can at least track down the issue.

Good luck! I'll keep an eye on the thread should you have any more questions!

September 6th, 2015 7:26am
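
The event 4670 lookup suggested in the reply above, as an added example that is not part of the original thread: it reads the old and new security descriptors from each event and reports which DACL entries were removed or added, by which account and process. `D:\Home` is a placeholder path and `Get-AceList` is a hypothetical helper name; run it elevated on the file server.

```powershell
# Assumption: D:\Home is a placeholder for the redirected-folders root.
$root = 'D:\Home'

# Hypothetical helper: turn an SDDL string into one comparable line per DACL entry.
function Get-AceList([string]$Sddl) {
    if (-not $Sddl -or $Sddl -eq '-') { return }   # descriptor not recorded
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        # Fall back to the raw SID for deleted or unresolvable accounts.
        try { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $who = $sid.Value }
        '{0} {1} mask=0x{2:X} flags={3}' -f $ace.AceType, $who, $ace.AccessMask, $ace.AceFlags
    }
}

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } -ErrorAction SilentlyContinue |
ForEach-Object {
    # Address the event data fields by name through the event XML.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4670 is also logged for registry keys, tokens, etc.; keep files under $root only.
    if ($data.ObjectType -ne 'File' -or $data.ObjectName -notlike "$root\*") { return }

    $old = @(Get-AceList $data.OldSd)
    $new = @(Get-AceList $data.NewSd)
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        Process = $data.ProcessName
        Path    = $data.ObjectName
        Removed = @($old | Where-Object { $_ -notin $new }) -join '; '
        Added   = @($new | Where-Object { $_ -notin $old }) -join '; '
    }
} | Format-List
```

A user's Full Control entry that disappears from a home folder shows up in `Removed`, next to the account and process that made the change.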

Hi Dave,

If you know of a way that I haven't found to enable the auditing, but only have it log actual changes to permissions, not everything including the check to see if a user has permission to access a given file/folder, I'd love to hear it.

When you are enabling auditing for folders, ensure that only the Change Permissions checkbox is selected.

Please note that SACLs are also inheritable; check all parent folders to ensure that only Change Permissions auditing is configured for specific folders.

Best Regards,

Amy

September 6th, 2015 10:11pm
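
The audit setup described in the last reply, as an added example that is not part of the original thread: it adds a SACL entry that audits only successful use of Change Permissions, then walks up the parent folders and reports any audit entry that covers more than that. `D:\Home` is a placeholder path, and auditing `Everyone` for success only is an assumption; run it elevated on the file server.

```powershell
# Assumption: D:\Home is a placeholder for the folder holding the users' home folders.
$root = 'D:\Home'

# The SACL produces events only while the File System audit subcategory is enabled.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# Audit successful use of "Change permissions" only, by anyone, on this
# folder and on everything below it.
$rights = [System.Security.AccessControl.FileSystemRights]::ChangePermissions
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

$acl = Get-Acl -Path $root -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $root -AclObject $acl

# SACL entries inherit: walk from $root up to the drive root and report every
# audit rule that covers rights beyond ChangePermissions (the source of noise).
$mask = [int]$rights
$dir  = Get-Item -LiteralPath $root
while ($dir) {
    (Get-Acl -Path $dir.FullName -Audit).GetAuditRules($true, $true,
        [System.Security.Principal.NTAccount]) |
    Where-Object { [int]$_.FileSystemRights -band (-bnot $mask) } |
    ForEach-Object {
        [pscustomobject]@{
            Folder    = $dir.FullName
            Identity  = $_.IdentityReference
            Rights    = $_.FileSystemRights
            Inherited = $_.IsInherited
        }
    }
    $dir = $dir.Parent
}
```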

This topic is archived. No further replies will be accepted.
