NTFS Permission denies access for no reason

  • NTFS Permission denies access for no reason

    Hi,

    My client has a Server 2008 DC and one shared folder and Everyone has full control on the share permissions. It is called SharedDocs, underneath which is a folder named "Accounts" which does not inherit permissions so that I can explicitly set NTFS permissions on it. (Paul Green can do anything he likes within the SharedDocs folder.)

    Paul Green is a member of the Accounts Dept security group and that security group is the owner of the Accounts folder and has full control (NTFS permissions) on that folder, and all permissions on that folder are inherited by all folders underneath. It's a very simple setup.

    I examine the Effective Permissions for Paul Green on the folder "Accounts\OldLetters" and on the OldLetters folder I can see that Paul Green has full control over it, so every box is ticked including the Delete permission.

    When Paul Green is at his workstation and tries to delete the folder OldLetters he gets an Access Denied error message. Paul Green is a domain user.

    Although Access Based Enumeration is turned on, I do not think that has a bearing on the problem. Can anyone say why Paul Green cannot delete the OldLetters folder please? It seems a fault to my mind, because the way it is set up is the same I always did things in Server 2003 and it always worked as I expected but has given me this problem in Server 2008.

    Paul Green can create new folders, new files within OldLetters, he can rename them as well. But he cannot delete the OldLetters folder even though his effective permissions tell me he should be able to. Paul Green is not a member of any other security group that I created, and nothing has any "Deny" tick against any folder.

    Thank you.
    Best wishes,
    PaulH.
    MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

  • #2
    Re: NTFS Permission denies access for no reason

    One crucial warning: it is a *very* bad idea to give your average user Full Control permissions on something. Especially in your situation, where a subfolder is being restricted. Any user could easily change the permissions on the Accounts folder. I would strongly recommend that you consider removing the Full Control permission from the users and only grant this to administrators. Everyone else can have Modify, which does not let them take ownership or change permissions.

    You may also want to consider changing Everyone to Authenticated Users for added security, as I believe Everyone on Server 2008 includes anonymous users, and perhaps also separating your data out into separate shares, instead of sharing the root of your data folder.

    Edit: Sorry, didn't see that you said Everyone has Full Control in the share permissions. I'll leave the previous message here though. Could you please tell us what the NTFS permissions are on SharedDocs?
    Last edited by gforceindustries; 17th October 2008, 09:47.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

    • #3
      Re: NTFS Permission denies access for no reason

      Hi,

      I only recently gave him so much power to try and get to the bottom of the problem.

      What do you think is causing the problem?

      I hear your warnings and agree with them, but I am fighting this issue which needs a solution, grateful though I am for your wise words. When I find a cause and a solution, I can then set about fine tuning things to make the security better, once I know that it fundamentally works.
      Best wishes,
      PaulH.
      MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

      • #4
        Re: NTFS Permission denies access for no reason

        Good to know. Too often we see Everyone being granted power that Everyone doesn't need.

        It's possible that while Accounts is set up to be deletable by your user, the permissions on SharedDocs do not allow that user to delete its subfolders. Try deleting a different subfolder as that user.
        Gareth Howells

        • #5
          Re: NTFS Permission denies access for no reason

          On the root SharedDocs, check the Sharing tab and the permissions there. As gforce said, you should remove Everyone and have Authenticated Users - Full Control. In the Security tab you should have Authenticated Users - Read & Execute, List Folder Contents, and Read selected. Then, for folders under that, assign more specific group permissions to specific folders.

          On the Accounts folder:
          Check in the Security tab, click Advanced, remove everything, deselect "Allow inheritable permissions" and click Remove. Then make sure that Administrators and SYSTEM have Full Control.
          Add in the security group for Paul Green.
          It's best to have the permissions all ticked except:
          Full Control
          Delete
          Change Permissions
          Take Ownership
          That means he cannot delete the parent folder but can do anything inside it.
          Check that inheritance is set to propagate.
          Log off Paul and log him back on. Test again.
          Last edited by uk_network; 17th October 2008, 10:44.
          Please remember to award reputation points if you have received good advice.
          I do tend to think 'outside the box' so others may not always share the same views.

          MCITP -W7,
          MCSA+Messaging, CCENT, ICND2 slowly getting around to.
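
An added example, not part of any post in this thread: a PowerShell (3.0 or later) check of the rights that posts #2, #4 and #5 discuss, run against a constructed SharedDocs\Accounts\OldLetters tree under %TEMP%. The function name `Get-AceSummary`, the demo path and the use of `BUILTIN\Users` (English-locale name) as a stand-in for the Accounts Dept group are assumptions.

```powershell
# Added example, not from the thread. The demo tree and BUILTIN\Users are constructed stand-ins.
$FSR = [System.Security.AccessControl.FileSystemRights]
$GenericAll = 0x10000000   # raw GENERIC_ALL, sometimes stored in inherit-only ACEs

function Get-AceSummary {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Identity)
    # Matches ACEs by literal account name only; group membership is not expanded.
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        $bits = [int]$ace.FileSystemRights
        $all  = ($bits -band $GenericAll) -ne 0
        [pscustomobject]@{
            Folder      = Split-Path $Path -Leaf
            Type        = $ace.AccessControlType      # Allow or Deny
            Inherited   = $ace.IsInherited
            Delete      = $all -or (($bits -band [int]$FSR::Delete) -ne 0)
            DeleteChild = $all -or (($bits -band [int]$FSR::DeleteSubdirectoriesAndFiles) -ne 0)
            ChangePerms = $all -or (($bits -band [int]$FSR::ChangePermissions) -ne 0)
            TakeOwner   = $all -or (($bits -band [int]$FSR::TakeOwnership) -ne 0)
        }
    }
}

# Constructed tree mirroring the thread: inheritance is cut at Accounts.
$root     = Join-Path $env:TEMP 'SharedDocs-demo'
$accounts = Join-Path $root 'Accounts'
$target   = Join-Path $accounts 'OldLetters'
New-Item -ItemType Directory -Path $target -Force | Out-Null

$acl = Get-Acl -LiteralPath $accounts
$acl.SetAccessRuleProtection($true, $false)   # block inheritance, discard inherited ACEs
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
foreach ($g in @(@($me, 'FullControl'), @('BUILTIN\Users', 'Modify'))) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g[0], $g[1], 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
}
Set-Acl -LiteralPath $accounts -AclObject $acl

# Windows allows a delete when the caller holds Delete on the item itself
# or Delete Subfolders and Files (DeleteChild) on its parent folder.
@(Get-AceSummary -Path $target   -Identity 'BUILTIN\Users'
  Get-AceSummary -Path $accounts -Identity 'BUILTIN\Users') | Format-Table -AutoSize

Remove-Item -LiteralPath $root -Recurse -Force   # clean up the demo tree
```

Modify includes Delete but not DeleteChild, ChangePerms or TakeOwner; Full Control sets all four, and any row with Type = Deny overrides an Allow for the same right.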

          • #6
            Re: NTFS Permission denies access for no reason

            Originally posted by uk_network:
            "as gforce said, you should remove Everyone and have Authenticated Users - Full Control"
            Paul has indicated that he has changed from Authenticated Users to Everyone in order to troubleshoot this issue.
            Gareth Howells

            • #7
              Re: NTFS Permission denies access for no reason

              Thank you GForce & UK_Network - I have already taken those steps in order to try troubleshooting it. I got rid of everything, started all over again, even to the extent of recreating the Accounts security group. The problem remains.

              Let's not get sidetracked by my current over-generous permissions - even with over-generous permissions, he cannot delete the OldLetters folder. He can delete other folders. I will restrict the permissions when it is fixed.

              Another user is reporting the same problem, this time Phil, a member of Directors security group, cannot delete a folder underneath the Directors folder. Effective Permissions says that he does have the Delete permission. Phil and his scenario do have correctly safe permissions, such as Auth Users rather than Everyone, and Modify rather than Full control. That's because I had set him up properly and I have not fiddled with that at all while I try to diagnose Paul Green's problem.

              In both cases, permissions are not inherited from above. Whenever I change anything, I make sure the user logs off and on again.
              Best wishes,
              PaulH.
              MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

              • #8
                Re: NTFS Permission denies access for no reason

                Originally posted by PaulH:
                "Although Access Based Enumeration is turned on, I do not think that has a bearing on the problem"
                Can you turn it off to check?
                Have you tried all of this on another machine?
                cheers
                Andy

                Quis custodiet ipsos custodes?

                • #9
                  Re: NTFS Permission denies access for no reason

                  It might be worth checking that the folder 'attribute' of read is not set in its properties underneath the General tab.

                  With regards to your permissions, providing you set the NTFS properly, don't worry as much about shared, though the advice below is good.

                  • #10
                    Re: NTFS Permission denies access for no reason

                    Everyone has not included ANONYMOUS USERS since 2003.

                    Maybe someone has the folder/file open?
