Access Denied on Some Subfolders/Files Within a Share

network-sharewindows-server-2008-r2

First thing this morning, I find that users on one of our share drives are all getting "access denied". I tried the same drive and also received "access denied" as a Domain Admin. Previous to this, all specified users and admins could get access.

I checked share permissions
I checked NTFS permissions
I temporarily made both types of permissions read/write to "Everyone"
— This worked for one user
It turns out that this is occurring for only some files/folders. When I try to manually alter the share of that single share, it can't be shared, access denied.
xcacls also gets access denied
rebooted the server (not a big deal – this is a smallish company).

Does anybody have any insight, my google-fu is coming up blank. Thanks.

EDIT: More info, I just ran AccessEnum. There were a lot of "access denied", but I noticed the pattern that all of the access denied had a parent with an owner of "???". When I look at the properties, the "Unable to display owner" message is in the box and I can only make my user account the owner. I can then share the individual file/folder, but it doesn't seem to propogate down to subfolders/files.

Best Answer

Take ownership of the share and the subfolders, then reapply the relevant permissions. Then turn on File Auditing for permissions changes to determine what process is messing with the permissions should this happen again.

Related Solutions

Security groups not allowing domain admin to view files

You have the "Grant the user exclusive rights..." box ticked on the "Settings" tab of the folder redirection settings. Turn that off and the Folder Redirection client-side extension (CSE) will add "Administrators" to the permissions on the folders it creates.

Pesonally, I pre-create the subfolders for the users because the Folder Redirection CSE disables inheritance on the subfolders it creates (which I consider a Bad Thing^TM). If you pre-create the folders and add "The User / Full Control" to the subfolder the Folder Redirection CSE will be happy and will leave the inheritance hierarchy on your folders intact.

If you want to "repair" the folders you already have you can use something like the icacls utility in a script to clean up the permissions. Assuming the subfolders are all named for the users' samAccountNames you could do something like the following:

FOR /D %%d in (E:\Home Directories\*) DO (
  TAKEOWN /f "E:\Home Directories\%%d" /r /d y 
  ICACLS "E:\Home Directories\%%d" /reset /T 
  ICACLS "E:\Home Directories\%%d" /grant:r "MYDOMAIN\%userDir%":(OI)(CI)F 
  ICACLS "E:\Home Directories\%%d" /setowner "MYDOMAIN\%userDir%" /T 
)

That'll give you a nice, clean inheritance hierarchy again w/ the user specified w/ "Full Control" permission at each subfolder.

Windows xp cannot access admin share

As their name suggests, admin shares can be accessed only by users that are administrators on that computer.

You need to create the same user in every computer, and that user must be administrator in all of them. It should have a password, because in some occasions users without passwords won't work.

Note use that you if you renamed a user this won't work, since renamed users maintain their original network name.

Related Topic