Windows Server 2008 Permissions issues

ohio_grad_06

Been a while since I posted, but as the title says, at my day job, we have some systems, a few servers, one of which is running Windows Server 2008 R2 on a Dell PowerEdge of some type or other, I'd have to look up the model name. We are running Active Directory btw.

Anyway, what we have is we have multiple users who have documents placed on this server. So the setup is we have our main shares mapped out on the server. Then below that, there are sub folders. For example, you might have a file path like Administration->Users->User1, User2 etc.

What happens is for example, yesterday, and I've had this happen before, I had a user saying she could not get to some files that she knew she'd placed in her documents folder on the server. Quick investigation reveals that she can't see the files, but looking on the server as the admin user reveals the files are indeed there.

We are set up by letting a group of users have access to the main users folder, but then for each individual user folder, we use the properties and security tab, advanced permissions, and stop the permissions from being pushed from the parent folder, and grant IT and the user access to the individual user's folder, and use the option to give each full control, and use the option to replace permission on all child objects below their top level folder etc.

However, the situation like in my example from yesterday gets strange. The system will go through as though it's applying all permissions, and will apply permissions to the files in the folder, but if they have sub folders inside their main user folder, then it will not propagate into those folders and to those files.

I ended up in this case for example, having to go into the user's folder, and go to properties->security where it shows admin and her user as well in the security tab, but shows her user as having no permissions (this is on sub folders of the user's root folder). Since I'm in the Security tab, if I hit the edit button, and give her full control of that folder for example, and click apply, then it propagates and works fine. But when the user has say 25 or 50 sub folders, this can take a while. It seems like either I'm not doing something correctly or that something is strange there.

A little background as well, many of these files were originally transferred from an older Windows 2000 server. Should not make any difference I don't guess but they were copied to this server before the old one was decommissioned. Any thoughts or links? I'm good with computers, servers I don't know all there is to know, but when talking about Windows and file sharing, it's still Windows basically. However, if I'm not doing something correctly, I can appreciate that as well.

Thanks in advance.
 
As I'm thinking of it, would it be simpler when I set these up to simply stop the inheritance of permissions on the top level folder only and check to see if the other folders still had the permissions pushed downward? Maybe I'm overcomplicating it :)
 
I always allow the "Full share to all" on the "share" tab...and I only get granular with the Security tab (this is the NTFS part).

That said, I'm sure that's not your issue.
When you drill into the advanced security... you found that checkbox to propagate to sub files and sub folders, right? I'm assuming so since you said it can take a while, which is normal if there's a ton-o-stuff under there.
 
Yes, did find that. I used that to actually try to have it push the permissions all the way down, and what ends up happening is it works on files, but then subfolders and files under those do not have the correct permission.

Even if I take ownership of the folder and replace the ownership on all objects as the admin user, and then attempt to repropagate permissions, I get the same results.
 
So to help out anyone else. I think when I originally set up the share, I may have done it wrong.

My mistake was allowing users to have full control of their own folders. What that means is that they or whatever apps they use, could take ownership of folders and files, which over time made a mess of permissions.

What I ended up having to do, was go to the top level folders, make sure that people only had modify access, and that the admin was the only one to actually have full control over the folder.

However, this didn't fix my issue even when trying to push the permissions into all subfolders. So I ended up going to almost every user folder, doing a screenshot of their current permissions. Then for user A for example, stop it from inheriting any permissions from the parent folder, remove ALL users from the permissions window in an attempt to try to strip off all permissions on that folder. Go to the owner tab, and take ownership as the admin, replacing all permissions in subfolders with admin as owner. Note that sometimes for larger folders, I had to do this 2-3 times before it would actually fully do it for some reason.

Once I had taken ownership, then I went back to the Security tab, added on the groups/users that needed access, giving only admins full control of the folder, everyone else including the user, modify access. That way they should be able to work with their files, copy, create new items, etc, but shouldn't be able to take ownership of anything.

Finally, maybe I'm doing this overkill, but after that, go back to the permissions tab, and tell it to push the permissions to all subfolders and files.

Where I was really seeing errors as well was in my backup program. I'll probably get growled at over this, but for a basic file backup, we use Cobian in some instances. At my day job, I don't think they want to spend the money for a better program at this time anyway, but on some of these systems, I'll try to use maybe Windows Server Backup for an image of the OS, then something like Cobian for the data. One nice thing Cobian does do, though I'm sure many other programs do this too, is that if it can't read a file, it will give an error and show the file path in the log, and show the file name too, which I could then use to determine where I had permissions issues and was able to try to hunt down many of those issues.

I'm hopeful that doing this will solve most of my issues, and using the backup program as a barometer of sorts, I can try to track down any lingering issues.

Thought this might help any of those as well who had this issue. I've been a tech for a few years now, and admit I don't know everything, and am still learning more about server side etc as I was mostly on the end user side of things.

An interesting thing to note, before people say I should not have needed to remove all permissions and should have just told the system to push permissions back through single folders at a time, I did try that a few times. But in my case, the easier thing was to take all permissions completely from the folder in many cases, take ownership of the folder and all of its files, and then to set the users up with modify access or lower and to push that back through the folder.
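
The clean-up described in the post above (take ownership as admin, strip the old ACEs, grant admins Full control and the user Modify, push down), scripted with the built-in `takeown` and `icacls` tools plus a check for items that still differ. This is an added example, not part of the original thread; the function names, folder path and `EXAMPLE\user1` account are placeholders.

```powershell
# Added example. Paths and account names are placeholders; run from an elevated prompt.
$full = [System.Security.AccessControl.FileSystemRights]::FullControl

function Reset-UserFolderAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,   # one user's top-level folder
        [Parameter(Mandatory = $true)][string]$User,   # e.g. 'EXAMPLE\user1' (placeholder)
        [string]$AdminGroup = 'BUILTIN\Administrators'
    )
    # 1. Make the Administrators group owner of the folder and everything below it.
    takeown.exe /F $Path /R /A /D Y | Out-Null
    # 2. Drop every explicit ACE in the tree so each item is back to inherited-only.
    icacls.exe $Path /reset /T /C /Q | Out-Null
    # 3. On the top folder only: stop inheriting from the parent share, then grant
    #    admins Full control and the user Modify, inheritable by files and subfolders.
    icacls.exe $Path /inheritance:r /grant:r "${AdminGroup}:(OI)(CI)F" "${User}:(OI)(CI)M" /Q | Out-Null
}

function Find-AclDrift {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$User,   # must be in DOMAIN\name form
        [string]$AdminGroup = 'BUILTIN\Administrators'
    )
    # Report items whose owner, inheritance flag or user rights differ from the baseline.
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        $problems = @()
        if ($acl.Owner -ne $AdminGroup) { $problems += "owner is $($acl.Owner)" }
        if ($acl.AreAccessRulesProtected) { $problems += 'inheritance blocked' }
        $userFull = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $User -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $full) -eq $full
        }
        if ($userFull) { $problems += 'user has Full control' }
        if ($problems.Count -gt 0) {
            New-Object PSObject -Property @{ Path = $_.FullName; Problems = ($problems -join '; ') }
        }
    }
}

# Usage (placeholder values):
# Reset-UserFolderAcl -Path 'D:\Shares\Administration\Users\User1' -User 'EXAMPLE\user1'
# Find-AclDrift      -Path 'D:\Shares\Administration\Users\User1' -User 'EXAMPLE\user1'
```

An empty result from `Find-AclDrift` means every item under the folder is owned by the admin group, inherits from the user's top folder, and gives the user no more than Modify.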
 