Announcement

Collapse
No announcement yet.

2k8 NTFS Admin Permission Issues

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • 2k8 NTFS Admin Permission Issues

    Hello, its been a while since I've posted... I'm gonna try and get back into posting more...

    At work, we just brought up our first 2008 server. It is acting as a member server and we added the Domain Admin's group to the Local Admin Group. We then created an X: Drive for Data and created a folder structure on it for our Sync Software we are implementing. One of our other Admins tried to access the folder and it denied his access. We explicitly added the Domain Admin group to the folder and it still prompted him for access. If he continues with the UAC Prompt, it ends up adding his user account as a user and ignores the Domain Admin Group. Any thoughts other then turning UAC off? When UAC is off, it acts just like a 2k3 server.

    Any suggestions would be greatly appreciated.

    Thanks,

    Nate
    Last edited by nateh; 17th October 2008, 14:13. Reason: Changed Title
    Hope this helps.

    Nate

    My advice is provided AS IS, without warranty of any kind, express or implied. Follow at your own risk.

  • #2
    Re: 2k8 NTFS Admin Permission Issues

    *** Sorry about this but can an admin please update the Thread Title to 2k8 NTFS Admin Permission Issues. I didn't catch my vague title until I read the thread after submitting.

    Thanks,

    Nate
    Hope this helps.

    Nate

    My advice is provided AS IS, without warranty of any kind, express or implied. Follow at your own risk.

    Comment


    • #3
      Re: 2k8 NTFS Admin Permission Issues

      How is he accessing it -- locally or via the network?
      Check Share permissions as well as NTFS
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **

      Comment


      • #4
        Re: 2k8 NTFS Admin Permission Issues

        He is accessing the folder through RDP also.
        The X Drive and Sub Folders are "Not Shared" Under the Sharing Properties Tab.

        Thanks,

        Nate
        Hope this helps.

        Nate

        My advice is provided AS IS, without warranty of any kind, express or implied. Follow at your own risk.

        Comment


        • #5
          Re: 2k8 NTFS Admin Permission Issues

          Does the admin attempt to access via the X drive? I take it the X drive is a separate HDD and not a mapping to another server or folder on the Windows 2008 server?

          Comment


          • #6
            Re: 2k8 NTFS Admin Permission Issues

            Ossian and Virtual,

            Thanks for your replies.

            Ossian, The NTFS and Share permissions are correct.

            Virtual, The X Drive is a local drive to the server. The other Admin is trying to access it locally also when he RDP's into the Server.

            One thing I did try is I disabled UAC. This cleared up the permissions confusion but what functionality are we loosing other then the prompt every time the server tries to run an application with elevated privileges?

            Thanks,

            Nate
            Hope this helps.

            Nate

            My advice is provided AS IS, without warranty of any kind, express or implied. Follow at your own risk.

            Comment


            • #7
              Re: 2k8 NTFS Admin Permission Issues

              Thanks for the response Nate. You will just reduce the security aspect of UAC. It was put there as a lot of users often don't use the 'Run as' in 2000 and 2003 Server. Best pratice is to use a standard User logon and then use 'Run as' or type your credentials in to UAC, for tasks requiring elevated priveleges. However, some tasks can't be run in this manner, such as setting Network connections and Printers using 'Run As'.

              This further reduces the damage a virus or malware can do on a computer as they are less likely to run in the context of an administrator, so therefore will do less damage.

              With regards to UAC, have you tried setting the option that 'Prompts for a password' when logged in. They are located near the same Local Secuity Policy setting that disables UAC. One will be relevant to a normal User and one to an administrator.

              Comment


              • #8
                Re: 2k8 NTFS Admin Permission Issues

                Virtual, thanks for the information about UAC.

                I re-enabled UAC with the password prompt and it still acted funny with admin permissions on our X drive. So I ran a sanity check test on C and everything worked as it should. After passing that test, I deleted our X Drive since this system is still in test/build mode and recreated X leaving the default permissions in tact. After doing this UAC would prompt when creating a folder at the root of X but not when another admin tried accessing the folder or when creating a folder within our new folder.

                So after discovering that, I started pulling permissions until it started prompting for every click like it was before I deleted X. Turns out for UAC to work properly with NTFS in our setup the Server Users Group needs read access on everything which makes sense since our account is a user until UAC ups it to Admin for a particular task.

                Does that sound correct?

                Thanks,

                Nate
                Hope this helps.

                Nate

                My advice is provided AS IS, without warranty of any kind, express or implied. Follow at your own risk.

                Comment


                • #9
                  Re: 2k8 NTFS Admin Permission Issues

                  I would have thought you should be ok with that method if it works. It depends which user accounts will be added to that group and whether folders will be shared over the network whereas potentially, others may have read access to sensitive files.

                  Bit of a strange one for you.

                  Comment


                  • #10
                    Re: 2k8 NTFS Admin Permission Issues

                    Thanks for the response Virtual. Sorry about my late response also.

                    I discussed my findings from ty with our other admins and we came to the conclusion of this being a file server only the admins will be using we should be fine with UAC off. However, when we bring our first 2k8 Terminal Server up, we will look at running UAC for another layer of security.

                    As for our Users Group, we prefer to remove this group from everything. I work in the Payment Card Industry and Auditors frown on seeing permissions for Everyone and Default Users Groups.

                    Thanks!

                    Nate
                    Hope this helps.

                    Nate

                    My advice is provided AS IS, without warranty of any kind, express or implied. Follow at your own risk.

                    Comment

                    Working...
                    X