Bizarre File Permission Issue

  • Question

  • We have a Windows Server 2019 file server (virtual) running in a Windows 2019 domain as a member server. All the users have domain joined Windows 10 Pro PCs (most 1803 a few 1903) running Office 2019. We have a Word Template running macros that allows users to fill in a form in the template with some sensitive client accounts data so when they click a button in the document it saves the document in a folder that the users only have Write access to and then saves a copy of the form with the sensitive data removed into a Pending folder that the users have Full access to. Only the SYSTEM, Server Admin user, Accounts Manager and I (as the IT Admin) have Full access to the Secure folder. Once the Accounts Manager has processed the form she clicks a button in the document and runs a Macro that moves the Secure documents to a storage location and the Pending copy of the file is deleted.

    All worked perfectly right up to the point I added some new users. When they use the template the macro works as expected and the documents are created in the Secure and the Pending folders. However no-one can access the file in the Secure folder. Even when logged onto the server as the Domain Admin user I cannot view the Owner through the Security tab when looking at the file's properties, the message is "You must have Read permission to view the properties of this object". We can take ownership and then the file is accessible but this is weird.

    All other users create the files and the ownership of those files shows as the user that created it but the file has inherited the permissions of the Secure folder, so the Accounts Manager, SYSTEM, Server Admin users and I all have Full access.

    As the users do NOT have anything other than Write permission to the Secure folder I cannot log in as the new user to see what permissions the file shows as they are unable to open the folder. I've tried logging into the server and trying the Effective Permissions tab but as I don't even have READ permission I cannot do anything without taking ownership first... not even view Effective Permissions! If I take ownership the problem is immediately solved.

    The new users are in all the same Security and Distribution groups as the pre-existing users are yet it's only the two new users that have this problem.

    I temporarily granted one user Full Access to the Secure folder.  The files they created showed them as the user but with no permissions assigned to the object...

    

    Anyone got any suggestions of where to look to fix this?


    Phil Tyler

    Tuesday, October 8, 2019 11:19 AM

Answers

  • I know that the way Office apps save files requires delete access on the destination folder. 

    One option to learn more would be to run Sysinternals Process Monitor and see what I/O calls are being made.

    Another thought is to modify the macro to SaveAs to the local %temp% folder, then do a file copy to the secure folder, and then delete the %temp% copy.

    • Marked as answer by Gideon-IT Monday, October 14, 2019 10:15 AM
    Thursday, October 10, 2019 7:58 PM

All replies

  • After you take ownership of the secure file, what security permissions are set? Is it only the ID of the user?

    Have one of the 2 users copy a .txt file to the secure folder. (Maybe do a notepad save?) Are the permissions ok for that file? 

    Are you using FSRM or DFS on the target server? 

    Tuesday, October 8, 2019 7:53 PM
  • Thanks for your reply.

    After taking ownership there are NO permissions set on the file.  It's not even inheriting permissions from the parent folder, which it should.  See this image...

    I wrote a plain notepad file into the Secure folder as one of the users and it worked perfectly.  The owner showed that user but all the relevant permissions were correct.  However the Word Macro generated file is inaccessible.  See the image below (on the left the Notepad TXT file on the right the Word Document)...

    Here's the ownership page of the same two files.  The top one is the Notepad TXT file, the bottom one the Word DOCX)...

    This would seem to suggest that Word is doing something incorrectly but the Macro SaveAs2 routine has no options for setting file permissions!

    I've saved a document using Word into the Secure folder, logged on as the Justine user, and this has the same permissions problem!  I've no idea why Word would be doing this.  Mental.

    Not using FSRM or DFS on the server.


    Phil Tyler



    • Edited by Gideon-IT Thursday, October 10, 2019 4:13 PM
    Thursday, October 10, 2019 4:11 PM
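
The symptoms described in the post above (ACL unreadable until ownership is taken, then no permissions and no inherited entries) can be checked across the whole folder from an elevated PowerShell session on the file server. This is an added example, not code from the thread; the folder path `D:\Shares\Secure` and the function name `Get-AclHealth` are placeholders, and the optional repair step assumes the files are meant to carry only the folder's inherited permissions.

```powershell
# Added example, not from the thread. Run elevated on the file server.
# 'D:\Shares\Secure' is a placeholder; substitute the real Secure folder path.
param(
    [string]$SecureFolder = 'D:\Shares\Secure',
    [switch]$Repair   # take ownership and restore inherited ACEs on bad files
)

function Get-AclHealth {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Force | ForEach-Object {
        $row = [ordered]@{
            File = $_.FullName; Status = 'OK'; Owner = $null
            InheritanceBlocked = $null; AceCount = $null
        }
        try {
            $acl  = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop
            $aces = @($acl.Access)
            $row.Owner              = $acl.Owner
            $row.InheritanceBlocked = $acl.AreAccessRulesProtected
            $row.AceCount           = $aces.Count
            if ($aces.Count -eq 0) {
                $row.Status = 'EmptyDacl'          # nobody is granted anything
            } elseif (-not ($aces | Where-Object IsInherited)) {
                $row.Status = 'NoInheritedAces'    # parent ACEs did not flow down
            }
        } catch {
            # Without READ_CONTROL even an administrator cannot read the ACL;
            # this is the "You must have Read permission" symptom.
            $row.Status = 'AclUnreadable'
        }
        [pscustomobject]$row
    }
}

$report = Get-AclHealth -Path $SecureFolder
$report | Format-Table -AutoSize

if ($Repair) {
    foreach ($bad in ($report | Where-Object Status -ne 'OK')) {
        # takeown /A assigns ownership to the Administrators group;
        # icacls /reset then replaces the DACL with the inherited defaults.
        takeown.exe /F $bad.File /A | Out-Null
        icacls.exe $bad.File /reset | Out-Null
    }
    Get-AclHealth -Path $SecureFolder | Format-Table -AutoSize
}
```

Taking ownership overwrites the original owner, so record the report output first if you need to know which account created each file.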
  • I'll try that but it doesn't explain why only the two newly created users are having the problem.  It's got to be something different about their accounts - although what I don't know.   It's so bloody annoying.

    Phil Tyler

    Friday, October 11, 2019 8:22 AM
  • Hi,

    Just want to confirm the current situations.

    Please feel free to let me know if you need further assistance.

    Best regards,

    Michael



    Monday, October 14, 2019 7:11 AM
    Moderator
  • Well that workaround has worked.  I've amended the macro to do exactly that.  Doesn't answer the question as to why the new users behave differently to the existing 40 or so users.  That is quite vexing!  

    But thanks for the help getting a workaround sorted.


    Phil Tyler

    Monday, October 14, 2019 10:15 AM
  • Michael,

    I'm no nearer to finding out why this problem is happening but MotoX has suggested a workaround that has allowed the new users to work effectively.  I'd like to know why newly created users cannot write into this Secure folder using Word 2019 but other apps are fine.  But I doubt I'll ever get to the bottom of it.

    Phil


    Phil Tyler

    Monday, October 14, 2019 10:18 AM