Shared Folder Permissions Not Combining Correctly

  • Question

  • Hi Everyone,

    This should be a pretty easy fix but I have no idea why this is happening.  I have a Shared Folder called "G:\Folder" that is not providing correct access over the network.  There are two users (Both in the Administrators group) called 'Administrator' and 'MyUser'.  For some reason, unless I explicitly add Share permissions for 'MyUser', I have no access to the share even though 'MyUser' is a member of the Administrators group.  Only when I add the 'Everyone' group to the share can I access the share with 'MyUser'.

     

    What has happened here? I have cleared and re-added all the permissions from the folder, re-created the share, nothing seems to work.  This same situation has happened with a number of my shares but I'm using this particular one as a test.  NTFS permissions should be fine, the output is shown below: 

    G:\Folder NT AUTHORITY\SYSTEM:(OI)(CI)(NP)F
             BUILTIN\Administrators:(OI)(CI)(NP)F
             BIGBOY\MyUser:(OI)(CI)F

    The only thing that I have done recently is install LogMeIn Hamachi (a VPN client) but I'm not sure this is the culprit since I can still access the shares that I explicitly define MyUser access to.  I have not assigned any Deny share permissions.  

    Where should I start looking?  Just when I thought I understood permissions something like this goes and happens... 
    Tuesday, June 29, 2010 3:23 AM

Answers

  • As I mentioned, all accounts are considered standard accounts except the Administrator account. When an account in the Administrators group requests the admin permission, it will do a thing like "Run as Administrator". With UAC enabled, it cannot be done, so you will get an error.

    You can work around the issue by creating a user, which includes all admin accounts, and give them full control permission on the folder you would like to share to administrators. Then you can keep the UAC open.


    Shaon Shan TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com

    Wednesday, June 30, 2010 8:38 AM
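
The behaviour reported in this thread can be replayed with a small model of the access check. This is an added example, not code from the thread or from Windows: the function names are hypothetical, and it assumes the session runs with UAC's filtered token, in which BUILTIN\Administrators is kept only as a deny-only group so Allow entries for it are skipped.

```python
# Simplified model of the Windows access check for a share (added example).
# Only Allow ACEs are modelled because the thread has no Deny ACEs.
FULL = frozenset({"read", "write"})
READ = frozenset({"read"})

def token(user, groups, elevated):
    """Return {sid: usable_for_allow}. Assumption: the filtered (non-elevated)
    UAC token keeps BUILTIN\\Administrators as a deny-only group."""
    sids = {user: True, "Everyone": True}
    for g in groups:
        sids[g] = elevated or g != "Administrators"
    return sids

def granted(acl, tok):
    """Union of rights from Allow ACEs whose SID is enabled in the token."""
    rights = set()
    for sid, ace_rights in acl.items():
        if tok.get(sid):
            rights |= ace_rights
    return rights

def effective(share_acl, ntfs_acl, tok):
    """Access through the share must pass both the share ACL and the NTFS ACL."""
    return granted(share_acl, tok) & granted(ntfs_acl, tok)

def replay(elevated):
    """Run the three configurations described in the thread for MyUser."""
    tok = token("MyUser", ["Administrators", "Users"], elevated)
    share = {"Administrators": FULL, "Everyone": READ}
    ntfs = {"Administrators": FULL, "SYSTEM": FULL, "Users": READ}
    results = [effective(share, ntfs, tok)]              # setup as posted
    results.append(effective({"Administrators": FULL},   # Users/Everyone removed
                             {"Administrators": FULL, "SYSTEM": FULL}, tok))
    share2 = dict(share, MyUser=FULL)                    # MyUser added explicitly
    ntfs2 = dict(ntfs, MyUser=FULL)
    results.append(effective(share2, ntfs2, tok))
    return [sorted(r) for r in results]

if __name__ == "__main__":
    for label, elevated in (("filtered token (UAC on)", False),
                            ("full token (UAC off)", True)):
        print(label, replay(elevated))
```

With the filtered token the three cases come out as read-only, no access, and read/write, matching what the poster observed; with the full token all three are read/write.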

All replies

  • With permissions, the most restrictive permission applies. If a User is a member of one group which is allowed access, but is a Member of another which is Denied access, the Deny takes effect. This is also the case when mixing Share and NTFS permissions (in the case of accessing shares over the network).

    To understand your problem more can you please list your Share permissions and additionally list your NTFS permissions.

    Can you please also perform an Effective Permissions check on the folder in question to check NTFS permissions. To do this:

    1. Right click the Folder
    2. Go to Properties
    3. Click Security
    4. Click Advanced
    5. Click Effective Permissions
    6. Click Select
    7. Type the name of the User, press OK

    Cheers

     

     

    Tuesday, June 29, 2010 3:41 AM
  • For Effective Permissions: 'MyUser' has full control.

    Share Permissions:

    • Administrators - Full Control
    • Everyone - Read

    NTFS Permissions:

    • Administrators - Full Control
    • SYSTEM - Full Control
    • Users - Read, List, Execute

    'MyUser' is a member of Administrators and Users. 

    With this setup, MyUser can read but cannot write.  If I remove 'Users' and 'Everyone' then he cannot read or write.  Lastly, if I explicitly add 'MyUser' and give him full control on both then he can read and write.

    I guess my question is as a member of 'Administrators' why do I have to add him explicitly? I didn't use to have to do this.

     

    Tuesday, June 29, 2010 3:58 AM
  • Have you tried disabling UAC as a test? It may be that UAC blocked the access, as only the Administrator account will be considered a real Admin.
    Shaon Shan TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com
    Tuesday, June 29, 2010 9:10 AM
  • Have you tried disabling UAC as a test? It may be that UAC blocked the access, as only the Administrator account will be considered a real Admin.
    Shaon Shan TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com


    Okay, this worked but I am still incredibly confused as to how this could be the case.  To summarize, with the LogMeIn Hamachi VPN client installed, I have to explicitly add each user for every permission.  Users are not recognized as part of a group, everything is bonkers.  However, when I turn off UAC everything seems to work correctly again.  How could this possibly be happening?

    Secondly, is it safe to continue to run the server with this VPN client and UAC turned off or should I find another route that works correctly?

    Tuesday, June 29, 2010 1:05 PM