Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Wednesday, March 9, 2016 4:18 PM
This has happened a few times in the last month. All of my shares have different permissions, and those permissions are all propagated down to all children. However, sometimes I will get a call saying that a user can't access a file. When I look at the Security tab on that file (sometimes a whole folder), there are no permissions. All I see instead of a list of users is a note that reads, "No groups or users have permission to access this object". I know inheritance is enabled, because the "Disable inheritance" button is there. When I click that and then click the "Enable Inheritance" button that shows up in its place, all of the correct permissions show up again. So it seems that files are simply losing all ACL information. Any thoughts as to why?
All replies (6)
Thursday, March 10, 2016 6:35 AM ✅Answered
Hi,
In order to find out how/by whom file permissions were altered, I suggest you enable file access auditing to get specific events logged.
More specifically, SACL for Change permissions must be configured from folder Properties->Security->Advanced->Auditing.
More information for you:
Auditing File Access on File Servers
http://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected].
Thursday, March 10, 2016 3:50 PM ✅Answered
IIS_IUSRS - Read & Execute (this folder needs to be viewed over the web)
<server computer name> - Read & Execute
My account - Full control
User Group A - Full Control
Creator Owner - Full Control
Domain Admins - Full control
System - Full Control
As a troubleshooting step, change "Full Control" to "Modify" for User Group A and Creator Owner. With Full, they can change/remove permissions, with Modify they can't do that. They can of course, modify files with both, which is really all you want. As a general rule, the only place I use Full Control is on user's My Documents that have been redirected to a server. If files/folders are shared among different users, giving them the ability to change permissions is usually a bad idea. I'm not saying for certain that's what's going on here, but I would try this just to eliminate that possibility.
Wednesday, March 9, 2016 6:42 PM
It would be interesting to see who has ownership of that file or folder at the time you see the message "No groups or users have permission to access this object".
When you say "All of my shares have different permissions", are you referring to NTFS permissions? Or Share permissions?
So whatever permission you have set at the root folder, that's what should be on all child objects? Or at least, is that your intention? If that's the case, what are the permissions on the root? Modify for everyone? Full for everyone?
Wednesday, March 9, 2016 6:49 PM
It is NTFS permissions that are disappearing . The file in question this time is 3 levels deep from the share. The share permissions are not affected.
My account is the owner, and showed up correctly as such even when all the permissions were lost. I am in the Domain Admins group.
The NTFS permissions on the "root" folder (the shared folder) are below. Access to view the folder is limited, so the Everyone group has been removed.
IIS_IUSRS - Read & Execute (this folder needs to be viewed over the web)
<server computer name> - Read & Execute
My account - Full control
User Group A - Full Control
Creator Owner - Full Control
Domain Admins - Full control
System - Full Control
Thursday, March 10, 2016 9:02 PM
Thanks, Amy & John. I'll try both of those and let you know how it works out.
Thursday, March 24, 2016 11:13 AM
Hi,
Is further assistance required at the moment?
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected].