Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Thursday, October 4, 2018 3:05 PM
The ACL for some files seems corrupt. The end-user who manages the network folder contents can't manage their files and I, as a domain administrator, can't help them clean up this mess.
Client is Windows 10.
Server is Windows 2012r2.
Folder is shared.
Share permissions are Everyone Full Control.
NTFS permissions are corrupt/missing/unknown.
TAKEOWN.EXE /A /D Y /R /F d:\folderpath
Same access denied failure results when:
-- run from non-elevated and elevated PowerShell prompt on server, fails.
-- run from non-elevated and elevated explorer.exe on server, fails (Elevation of File Explorer: use task manager to end explorer.exe process, then start explorer.exe with elevated administrative privileges).
-- run from non-elevated but connection is alternate creditials (domain admin) CMD prompt mapped drive on client, fails.
Run from non-elevated and elevated PowerShell prompt on server, fails.
PS E:\home02\242488> takeown /r /f e:\home02\242488
SUCCESS: The file (or folder): "e:\home02\242488" now owned by user "DOMAIN\myadminaccnt".
SUCCESS: The file (or folder): "e:\home02\242488\Cr Review List.xlsx" now owned by user "DOMAIN\myadminaccnt".
INFO: Access is denied. ( "e:\home02\242488\D&B Ch Ent Assoc.pdf" )
Run from non-elevated and elevated explorer.exe on server, fails.
PS E:\home02\242488> takeown /a /d Y /r /f e:\home02\242488
SUCCESS: The file (or folder): "e:\home02\242488" now owned by the administrators group.
SUCCESS: The file (or folder): "e:\home02\242488\Cr Review List.xlsx" now owned by the administrators group.
INFO: Access is denied. ( "e:\home02\242488\D&B Ch Ent Assoc.pdf" )
Run from non-elevated PowerShell prompt but connection is alternate credentials (domain admin) mapped drive on client, fails.
PS Z:\home02\242488> takeown /a /d Y /r /f z:\home02\242488
SUCCESS: The file (or folder): "z:\home02\242488" now owned by the administrators group.
SUCCESS: The file (or folder): "z:\home02\242488\action-br-llc_2018-10-04.pdf" now owned by the administrators group.
INFO: Access is denied. ( "z:\home02\242488\action-fs_2018-10-03.pdf" )
PS Z:\home02\242488> takeown /d Y /r /f z:\home02\242488
SUCCESS: The file (or folder): "z:\home02\242488" now owned by user "DOMAIN\myadminaccnt".
SUCCESS: The file (or folder): "z:\home02\242488\action-br-llc_2018-10-04.pdf" now owned by user "DOMAIN\myadminaccnt".
INFO: Access is denied. ( "z:\home02\242488\action-fs_2018-10-03.pdf" )
I've (of course) tried searching for an answer, and find many useful suggestions, but none work. I am still blocked from taking ownership of a file. Any assistance appreciated.
George Perkins
All replies (18)
Thursday, October 25, 2018 1:20 PM ✅Answered
I am posting an 'answer' to this thread, the problem I was experiencing is solved, although I do not know why and what, if any, action corrrected the NTFS ownership and permissions.
Solution: After applying October 2018 cumulative security updates (and restart) on the Win2012r2 file server hosting the user's home folder, the ownership and permissions returned to normal. Was it the restart? Was there some cached information or pending file system repair operation that required a restart? Anyway, all is well that ends well!
George Perkins
Thursday, October 4, 2018 3:15 PM
This is not a scripting question. I have moved this tot eh Win10 Security forum.
\(ツ)_/
Friday, October 5, 2018 9:27 AM
Hi George,
Please refer to this similar thread:
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Friday, October 5, 2018 1:35 PM
Karen,
Thank you for the reply, but I am unclear what solution in the link you provided is supposed to answer my question? I also opened the referenced links to other forum questions from within the forum question you reference. None offer any help in my case. There is a suggestion to turn on audit to gather some additional information, I could do that, is that what you were implying?
In one of the articles you refer, there is a recommendation not to allow Full Control to end users (which I agree is wise) and in this case, the end user having the problem does NOT have Full Control, so shouldn't be able to modify the owner attribute - but that is what seems to be happening. And once modified -- whether ACL, or owner, or missing ACL -- it seems as if even an administrator can't reset owner again (which is the problem I'm having). The main question is: as administrator, how do I regain management control over these broken ACLs?
Here is some additional symptom information (these results are the same whether I run the get-acl command from an elevated administrator command prompt or from a normal, non-elevated):
PS E:\home02\242488> get-acl | fl
Path : Microsoft.PowerShell.Core\FileSystem::E:\home02\242488
Owner : DOMAIN\myadminacct
Group : DOMAIN\Domain Users
Access : CREATOR OWNER Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
DOMAIN\Domain Admins Allow FullControl
DOMAIN\myadminacct Allow FullControl
DOMAIN\L_Folder_Security_Admins Allow FullControl
DOMAIN\242488 Allow Modify, Synchronize
Audit :
Sddl : O:S-1-5-21-21782756-810711520-1745900225-136852G:DUD:PAI(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;O
ICI;FA;;;DA)(A;OICI;FA;;;S-1-5-21-21782756-810711520-1745900225-136852)(A;OICI;FA;;;S-1-5-21-21782756-81071152
0-1745900225-141913)(A;OICI;0x1301bf;;;S-1-5-21-21782756-810711520-1745900225-170813)
PS E:\home02\242488> get-acl '.\action-fastenings-inc_2018-10-03.pdf' | fl
get-acl : Access is denied
At line:1 char:1
+ get-acl '.\action-fastenings-inc_2018-10-03.pdf' | fl
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (E:\home02\24248..._2018-10-03.pdf:String) [Get-Acl], UnauthorizedAcce
ssException
+ FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetAclCommand
get-acl : Cannot find path '.\action-fastenings-inc_2018-10-03.pdf' because it does not exist.
At line:1 char:1
+ get-acl '.\action-fastenings-inc_2018-10-03.pdf' | fl
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-Acl], ItemNotFoundException
+ FullyQualifiedErrorId : GetAcl_PathNotFound_Exception,Microsoft.PowerShell.Commands.GetAclCommand
PS E:\home02\242488>
George Perkins
Friday, October 5, 2018 1:38 PM
Do the following test:
Get-Item .\action-fastenings-inc_2018-10-03.pdf -force | Get-Acl
Note the existing error:
FullyQualifiedErrorId : GetAcl_PathNotFound_Exception,Microsoft.PowerShell.Commands.GetAclCommand
The file may be hidden or be protected by the system or it may have hidden illegal characters in the name.
\(ツ)_/
Friday, October 5, 2018 1:44 PM
Thank you for your continued interest. First gci command to demonstrate that the file action-fastenings-inc_2018-10-03.pdf does exist. Here is the result:
PS E:\home02\242488> gci
Directory: E:\home02\242488
Mode LastWriteTime Length Name
d-r-- 9/13/2018 1:20 PM Desktop
d-r-- 9/13/2018 1:20 PM Downloads
d-r-- 9/13/2018 1:21 PM Music
d-r-- 9/24/2018 8:12 AM My Documents
d-r-- 9/13/2018 1:21 PM Pictures
d 9/13/2018 1:21 PM SapWorkDir
d 10/1/2018 8:38 AM Training
d-r-- 9/13/2018 1:21 PM Videos
-a 10/3/2018 4:49 PM 591551 action-fastenings-inc_2018-10-03.pdf
-a 10/4/2018 2:46 PM 599311 buydbest-incorporated_2018-10-04.pdf
PS E:\home02\242488> Get-Item .\action-fastenings-inc_2018-10-03.pdf -force | Get-Acl
Get-Item : Access is denied
At line:1 char:1
+ Get-Item .\action-fastenings-inc_2018-10-03.pdf -force | Get-Acl
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (E:\home02\24248..._2018-10-03.pdf:String) [Get-Item], UnauthorizedAcc essException
+ FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetItemCommand
Get-Item : Cannot find path 'E:\home02\242488\action-fastenings-inc_2018-10-03.pdf' because it does not exist.
At line:1 char:1
+ Get-Item .\action-fastenings-inc_2018-10-03.pdf -force | Get-Acl
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (E:\home02\24248..._2018-10-03.pdf:String) [Get-Item], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemCommand
PS E:\home02\242488>
George Perkins
Friday, October 5, 2018 1:57 PM
So your file is not owned by you and your account has no permissions on the file. You cannot even read the files exisitence.
It is possible that the file is both denied and that it is open in a process. This would block "takeown" even if you are an admin.
If the file is owned by the "Installer" then you will not be able to own it and the file can be a system protected file and you will also not be able to change it.
It is also possible that there is disk corruption. Run "chkdsk" to check this.
chkdsk <full path>\action-fastenings-inc_2018-10-03.pdf
from an elevated prompt and on the system. You cannot run this on a share.
\(ツ)_/
Friday, October 5, 2018 2:00 PM
Also try this:
Get-Item *.pdf | Where{$_.Name -match 'action-fastenings-inc_2018-10-03.pdf'}
\(ツ)_/
Friday, October 5, 2018 2:21 PM
chkdsk appears to only allow a path and filename argument for FAT/FAT32 volumes, and this is an NTFS volume. It is over 5TB with over 1M files. So not trivial to run chkdsk. The NTFS dirty bit is not set. I don't think it is disk corruption. See below.
PS E:\home02\242488> chkdsk e:\home02\242488\action-fastenings-inc_2018-10-03.pdf
The drive, the path, or the file name is not valid.
PS E:\home02\242488> fsutil dirty query E:
Volume - E: is NOT Dirty
PS E:\home02\242488> chkdsk e:\home02\242488
The drive, the path, or the file name is not valid.
PS E:\home02\242488> cd ..
PS E:\home02> cd ..
PS E:\> chkdsk e:\home02\242488\action-fastenings-inc_2018-10-03.pdf
The drive, the path, or the file name is not valid.
PS E:\> chkdsk e:\home02\242488
The drive, the path, or the file name is not valid.
PS E:\> chkdsk /?
Checks a disk and displays a status report.
CHKDSK [volume[[path]filename]]] [/F] [/V] [/R] [/X] [/I] [/C] [/L[:size]] [/B] [/scan] [/spotfix]
volume Specifies the drive letter (followed by a colon),
mount point, or volume name.
filename FAT/FAT32 only: Specifies the files to check for
fragmentation.
/F Fixes errors on the disk.
/V On FAT/FAT32: Displays the full path and name of every
file on the disk.
On NTFS: Displays cleanup messages if any.
/R Locates bad sectors and recovers readable information
(implies /F, when /scan not specified).
/L:size NTFS only: Changes the log file size to the specified
number of kilobytes. If size is not specified, displays
current size.
/X Forces the volume to dismount first if necessary.
All opened handles to the volume would then be invalid
(implies /F).
/I NTFS only: Performs a less vigorous check of index
entries.
/C NTFS only: Skips checking of cycles within the folder
structure.
/B NTFS only: Re-evaluates bad clusters on the volume
(implies /R)
/scan NTFS only: Runs a online scan on the volume
/forceofflinefix NTFS only: (Must be used with "/scan")
Bypass all online repair; all defects found
are queued for offline repair (i.e. "chkdsk /spotfix").
/perf NTFS only: (Must be used with "/scan")
Uses more system resources to complete a scan as fast as
possible. This may have a negative performance impact on
other tasks running on the system.
/spotfix NTFS only: Runs spot fixing on the volume
/sdcleanup NTFS only: Garbage collect unneeded security descriptor
data (implies /F).
/offlinescanandfix Runs an offline scan and fix on the volume.
The /I or /C switch reduces the amount of time required to run Chkdsk by
skipping certain checks of the volume.
George Perkins
Friday, October 5, 2018 2:23 PM
ok, here you go:
PS E:\home02\242488> get-item *.pdf | where {$_.Name -match 'action-fastenings-inc_2018-10-03.pdf'}
get-item : Access is denied
At line:1 char:1
+ get-item *.pdf | where {$_.Name -match 'action-fastenings-inc_2018-10-03.pdf'}
+ ~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (E:\home02\24248..._2018-10-03.pdf:String) [Get-Item], UnauthorizedAccessException
+ FullyQualifiedErrorId : GetItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetItemCommand
get-item : Access is denied
At line:1 char:1
+ get-item *.pdf | where {$_.Name -match 'action-fastenings-inc_2018-10-03.pdf'}
+ ~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (E:\home02\24248...e Ent Assoc.pdf:String) [Get-Item], UnauthorizedAccessException
+ FullyQualifiedErrorId : GetItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetItemCommand
get-item : Access is denied
At line:1 char:1
+ get-item *.pdf | where {$_.Name -match 'action-fastenings-inc_2018-10-03.pdf'}
+ ~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (E:\home02\24248... Friend LLC.pdf:String) [Get-Item], UnauthorizedAccessException
+ FullyQualifiedErrorId : GetItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetItemCommand
get-item : Access is denied
At line:1 char:1
+ get-item *.pdf | where {$_.Name -match 'action-fastenings-inc_2018-10-03.pdf'}
+ ~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (E:\home02\24248...Head & Neck.pdf:String) [Get-Item], UnauthorizedAccessException
+ FullyQualifiedErrorId : GetItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetItemCommand
get-item : Access is denied
At line:1 char:1
+ get-item *.pdf | where {$_.Name -match 'action-fastenings-inc_2018-10-03.pdf'}
+ ~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (E:\home02\24248...l Equipment.pdf:String) [Get-Item], UnauthorizedAccessException
+ FullyQualifiedErrorId : GetItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetItemCommand
get-item : Access is denied
At line:1 char:1
+ get-item *.pdf | where {$_.Name -match 'action-fastenings-inc_2018-10-03.pdf'}
+ ~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (E:\home02\24248..._2018-10-03.pdf:String) [Get-Item], UnauthorizedAccessException
+ FullyQualifiedErrorId : GetItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetItemCommand
get-item : Access is denied
At line:1 char:1
+ get-item *.pdf | where {$_.Name -match 'action-fastenings-inc_2018-10-03.pdf'}
+ ~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (E:\home02\24248..._2018-10-03.pdf:String) [Get-Item], UnauthorizedAccessException
+ FullyQualifiedErrorId : GetItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetItemCommand
get-item : Access is denied
At line:1 char:1
+ get-item *.pdf | where {$_.Name -match 'action-fastenings-inc_2018-10-03.pdf'}
+ ~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (E:\home02\24248..._2018-10-03.pdf:String) [Get-Item], UnauthorizedAccessException
+ FullyQualifiedErrorId : GetItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetItemCommand
PS E:\home02\242488>
George Perkins
Friday, October 5, 2018 2:30 PM
So you cannot access any files on that folder.
You will have to contact MS support or find out if the disk is corrupt. The dirty bit will not tell you if the security descriptors are corrupt.
Have you tried to read them with ICACLS?
ICACLS can, at times, reorder and repair an SD.
\(ツ)_/
Friday, October 5, 2018 2:31 PM
Were these files downloaded from the Internet?
\(ツ)_/
Friday, October 5, 2018 2:34 PM
There are no remote sessions with open files in the directory in question (user is not connected to server presently).
Server itself is just a simple Win2012r2 file server, so if there were processes holding the file open (antivirus, for example) it is just mainstream, typical stuff. Nothing unusual. I'm not ruling it out, just saying not likely. There is something strange about this particular user's process. User explains:
- Browse to website using Firefox
- Download pdf from website to local Downloads folder on Win10 computer
- File Explorer "drag and drop" from File Explorer to make copy of file to mapped drive on server file share
- Performs some process that reads the file into a Hyland Onbase application
- Later wants to delete file, but cannot
- Sysadmin (me) can't take ownership of file and can't delete file
How would a user file owner attribute change to 'installer'? And why or how can I reset it back to administrators if that were to mysteriously happen?
No hidden, system, etc. attributes. As you see these are just ordinary user files (PDF reports). The only attribute set is the 'A' (archive bit).
Not all files have his behavior. Just some random number of files.
George Perkins
Friday, October 5, 2018 2:35 PM
help unblock-file -online
\(ツ)_/
Friday, October 5, 2018 2:45 PM
PowerShell cmdlet 'unblock-file' has the same problem as all other attempts to reference this file, namely, because the ACL is broken, missing, or set to Deny, I can't reference the file. Here is an example of a normal file without broken ACL, followed by another file with a broken ACL:
PS E:\home02\242488> unblock-file -Path e:\home02\242488\buydbest-incorporated_2018-10-04.pdf
PS E:\home02\242488> unblock-file -Path e:\home02\242488\action-fastenings-inc_2018-10-03.pdf
unblock-file : Cannot find path 'E:\home02\242488\action-fastenings-inc_2018-10-03.pdf' because it does not exist.
At line:1 char:1
+ unblock-file -Path e:\home02\242488\action-fastenings-inc_2018-10-03.pdf
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (e:\home02\24248..._2018-10-03.pdf:String) [Unblock-File], ItemNotFoundException
+ FullyQualifiedErrorId : FileNotFound,Microsoft.PowerShell.Commands.UnblockFileCommand
PS E:\home02\242488>
George Perkins
Friday, October 5, 2018 3:12 PM
Are you trying to run this under the users account? You will need too run as the user who created the file which should allow access.
\(ツ)_/
Friday, October 5, 2018 3:15 PM
Full circle here. I have attempted to use ICACLS to verify and reset the permissions, but I am blocked because there is a missing or deny ACL set on some files. The user will continue to create new files with broken ACLs randomly, sometimes the new files have a normal ACL, sometimes broken. ICACLS help indicates to use TAKEOWN to replace owner when ICACLS cannot perform a reset. Which is where I started this thread. TAKEOWN is not taking ownership.
PS E:\home02\242488> icacls e:\home02\242488\* /verify /T /C
e:\home02\242488\action-fastenings-inc_2018-10-03.pdf: The handle is invalid.
processed file: e:\home02\242488\buydbest-incorporated_2018-10-04.pdf
e:\home02\242488\D&B Charlotte Eye Ent Assoc.pdf: The handle is invalid.
e:\home02\242488\D&B Friend 2 Friend LLC.pdf: The handle is invalid.
e:\home02\242488\D&B Santa Rosa Head & Neck.pdf: The handle is invalid.
e:\home02\242488\D&B Tenaquip Industiral Equipment.pdf: The handle is invalid.
processed file: e:\home02\242488\Desktop
processed file: e:\home02\242488\Downloads
e:\home02\242488\smith-maintenance-company_2018-10-03.pdf: The handle is invalid.
e:\home02\242488\surplus-giant,-inc._2018-10-03.pdf: The handle is invalid.
e:\home02\242488\traffic-safety-supplies,-inc._2018-10-03.pdf: The handle is invalid.
-[snip removed some lines for brevity]-
Successfully processed 35 files; Failed processing 8 files
PS E:\home02\242488> icacls e:\home02\242488\* /reset /T /C
e:\home02\242488\action-fastenings-inc_2018-10-03.pdf: The handle is invalid.
processed file: e:\home02\242488\buydbest-incorporated_2018-10-04.pdf
e:\home02\242488\D&B Charlotte Eye Ent Assoc.pdf: The handle is invalid.
e:\home02\242488\D&B Friend 2 Friend LLC.pdf: The handle is invalid.
e:\home02\242488\D&B Santa Rosa Head & Neck.pdf: The handle is invalid.
e:\home02\242488\D&B Tenaquip Industiral Equipment.pdf: The handle is invalid.
processed file: e:\home02\242488\Desktop
processed file: e:\home02\242488\Downloads
e:\home02\242488\smith-maintenance-company_2018-10-03.pdf: The handle is invalid.
e:\home02\242488\surplus-giant,-inc._2018-10-03.pdf: The handle is invalid.
e:\home02\242488\traffic-safety-supplies,-inc._2018-10-03.pdf: The handle is invalid.
-[snip removed some lines for brevity]-
Successfully processed 35 files; Failed processing 8 files
PS E:\home02\242488>
George Perkins
Wednesday, October 10, 2018 6:14 PM
Anyone? Ideas?
George Perkins