June 13, 2012 9:34
Hi, I have a strange and bewildering problem. I have used robocopy with switches to copy all file and folder ACLs and other file info from a 2003 to a 2008 box. All seems fine, all files are intact and security rights look good. I create a new test user that is a member of no group except 'users'. I log it in and open up the file system on the new server. I try to access HR, Finance and other sensitive folders and am denied. I then try to access a head of department folder and am let in. I check the ACL - only administrator and the head of department have access to this folder. I try other head of department folders and am denied, I try all other restricted folders and am denied. Ok, so I only have an issue with this one folder. I go back and manually remove the rights on the folder and add them in again. I go to test user and again he can get straight in. Time to nuke it, I make a new folder for head of department, copy in the contents, set the ACL again, go to test machine, the user jumps right in again! Ok, robocopy could have corrupted the original folder but how can this happen on a new folder??
June 14, 2012 10:32
Correction to the above. The user is a member of a group (pcadmin) that gives all users local admin rights on client machines. We have a relatively small user base of around 100 professionals and scientists so we operate a policy of ask before you install. Anyway... This group is used in the Restricted Groups group policy (Computer > Windows Settings > Security Settings > Restricted Groups). The group name is Administrators. This is applied to a container that contains all client machines. It contains no member servers and no DCs (the new file server is also a domain controller). How do I find who has local admin rights on a DC? This is controlled through the AD on the DCs but it doesn't help me see who is a local admin. Is there a tool I can use?
Will post in group policy forum as well.
June 18, 2012 4:33 Moderator
>I go back and manually remove the rights on the folder and add them in again. I go to test user and again he can get straight in. Time to nuke it, I make a new folder for head of department, copy in the contents, set the ACL again, go to test machine the user jumps right in again!
When you use the robocopy command to move them to the new server, it seems like everything works fine. But when you remove the rights and then add them manually again, the issue occurs. Why do you remove them and add them again?
All domain admins and enterprise admins are local admins for DCs; we could find all those Domain Admins with ADUC.
TechNet Community Support
- Marked as answer by Yan Li_Microsoft Contingent Staff, Moderator, June 25, 2012 10:13
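
A scripted alternative to browsing ADUC, added here as an example and not posted by anyone in the thread: on a domain controller the "local" Administrators group is the domain's BUILTIN\Administrators group (well-known SID S-1-5-32-544), so its nested membership can be listed and the chain that includes a given account traced. It assumes the RSAT ActiveDirectory module is available; `testuser` is a hypothetical account name and `Get-MembershipPath` is a helper defined only for this example.

```powershell
Import-Module ActiveDirectory

$AdminSid = 'S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)
$UserName = 'testuser'       # hypothetical sAMAccountName of the test account

# Helper for this example: walks group nesting one level at a time and
# emits every chain of groups that ends at the target account.
function Get-MembershipPath {
    param(
        [string]   $GroupDN,
        [string]   $TargetDN,
        [string[]] $Trail,
        [System.Collections.Generic.HashSet[string]] $Seen
    )
    # Skip groups already visited so circular nesting cannot loop forever.
    if (-not $Seen.Add($GroupDN)) { return }
    foreach ($m in Get-ADGroupMember -Identity $GroupDN) {
        if ($m.distinguishedName -eq $TargetDN) {
            ($Trail + $m.SamAccountName) -join ' -> '
        }
        elseif ($m.objectClass -eq 'group') {
            Get-MembershipPath -GroupDN $m.distinguishedName -TargetDN $TargetDN `
                -Trail ($Trail + $m.Name) -Seen $Seen
        }
    }
}

$admins = Get-ADGroup -Identity $AdminSid
$user   = Get-ADUser  -Identity $UserName

# 1. Every account that is effectively an administrator on the DCs,
#    with nested groups expanded.
Get-ADGroupMember -Identity $admins -Recursive |
    Sort-Object SamAccountName |
    Select-Object SamAccountName, objectClass

# 2. The nesting chain (if any) that puts the test account in that group.
$seen  = New-Object 'System.Collections.Generic.HashSet[string]'
$paths = @(Get-MembershipPath -GroupDN $admins.DistinguishedName `
    -TargetDN $user.DistinguishedName -Trail @($admins.Name) -Seen $seen)
if ($paths.Count) { $paths }
else { "$UserName is not a member of $($admins.Name) through any nested group" }
```

A chain such as `Administrators -> pcadmin -> testuser` in the second output would mean the client-machine admin group has ended up inside the domain's Administrators group, which would explain access to any folder whose ACL grants Administrators.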