rights mysteriously changed

Discussion in 'Windows Server' started by Bonno Bloksma, Jan 18, 2010.

  1. Hi,

    As of a while ago suddenly file rights for the Administrators group have disappeared on one of our
    file servers. Tracking the problem it looks as if something inside Windows is wrong but... before I
    start calling MS I would really like to see if there is any possible explanation.

    D:\Samen\Cijferverwerking\
    Group Administrators (all, except special) inherited
    Group Cijferverwerking (all but FC) this level and below
    Group Directeur (R&E, List, Read) inherited

    D:\Samen\Cijferverwerking\FAT1 en BFT S0809\
    Group Cijferverwerking (all but FC)
    Group Directeur (R&E, List, Read)
    User t.hendriks (deny all, except special)

    All rights at the directory FAT1.... seem to be inherited but that is impossible for that
    subdirectory as the level above it has different rights.
    It seems the allow rights for the group Administrators have mysteriously changed into a deny right
    for one user.

    Is this something that can be done any way by whichever Administrator or should I start to inform MS
    about this?

    Bonno Bloksma
     
    Bonno Bloksma, Jan 18, 2010
    #1


  2. I believe what you are seeing is the action of the AdminSDHolder, which
    protects protected groups from permissions being changed on resources. Here
    are a couple of links you can read up on what this thing does.

    AdminSDHolder - or where did my permissions go? - Directory ...May 29, 2005
    .... The AdminSdHolder-Thread assures that such an administrative roles ...
    AdminSdHolder also applies the permissions to accounts which are ...
    http://msmvps.com/ulfbsimonweidner/archive/2005/05/29/49659.aspx

    Description and Update of the Active Directory AdminSDHolder Object
    The information in this article applies only to upgrading from Windows 2000 RC2
    (or earlier builds) to the released version of Windows 2000.
    http://support.microsoft.com/kb/232199

    The "Send As" right is removed from a user object after you configure the
    "Send As" right in the Active Directory Users and Computers snap-in in
    Exchange Server
    http://support.microsoft.com/kb/907434/en-us

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
    MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    If you feel this is an urgent issue and require immediate assistance, please
    contact Microsoft PSS directly. Please check http://support.microsoft.com
    for regional support phone numbers.
     
    Ace Fekay [MVP-DS, MCT], Jan 19, 2010
    #2

  3. Hi Ace,
    All the links you provided talk about rights within the Active Directory. However my case is about
    rights on the filesystem. Here is a cacls output:
    ----------<quote>-------------------------------
    D:\Samen>cacls Cijferverwerking
    D:\Samen\Cijferverwerking STAF\Cijferverwerking:(OI)(CI)C
    BUILTIN\Administrators:(OI)(CI)F
    STAF\Directeur:(OI)(CI)R


    D:\Samen>cacls "Cijferverwerking\FAT1 en BFT S0809"
    D:\Samen\Cijferverwerking\FAT1 en BFT S0809 STAF\Cijferverwerking:(OI)(CI)C
    STAF\t.hendriks:(OI)(CI)N
    STAF\Directeur:(OI)(CI)R
    ----------<quote>-------------------------------
    As you can see it flipped the second line from full rights by Administrators to deny all for user
    t.hendriks.
    It claims the rights for user t.hendriks are container inherited and object inherited. This has
    happened on several folders on the filesystem.

    Over here I do not have the right to look at the folder rights for
    D:\Samen\Onderwijs\Tentamenbureau\jaarplanning tentamens
    In the example above I have at least made myself owner of the folder in order to see what's going
    on. Below I have not done even that.
    I am also a bit wary about the <Account Domain not found> errors. They may be old user accounts but
    seeing what else has happened .....
    ----------<quote>-------------------------------
    D:\Samen>cacls Onderwijs\Tentamenbureau
    D:\Samen\Onderwijs\Tentamenbureau <Account Domain not found>(OI)(CI)R
    <Account Domain not found>(CI)R
    <Account Domain not found>(OI)(CI)R
    STAF\Onderwijskunde:(OI)(CI)C
    BUILTIN\Administrators:(OI)(CI)F
    STAF\Directeur:(OI)(CI)R


    D:\Samen>cacls "Onderwijs\Tentamenbureau\jaarplanning tentamens"
    D:\Samen\Onderwijs\Tentamenbureau\jaarplanning tentamens
    Access is denied.
    ----------<quote>-------------------------------

    Should I talk to Microsoft about this or might there be a logical explanation?

    Bonno Bloksma
     
    Bonno Bloksma, Jan 21, 2010
    #3
  4. I believe the "Account Domain not found" is either a non-existent (deleted)
    user or a typo, if typed in manually. It's similar to "NtUser_" that you
    would see in a Mailbox permissions list.

    More info on cacls and xcacls and its output:
    http://articles.techrepublic.com.com/5100-10878_11-1050976.html

    I know you've been referring to the term, "rights," but the actual term is,
    "permissions." "Rights" is how Novell described a permission to access a
    resource. Windows and Unix use the term "Permissions" to access a resource,
    whereas a "Right" is the ability to alter a setting on a machine, such as the
    time, change the desktop, etc.

    As far as what you are seeing, if a user account is in the Domain
    Administrators group, and you are correct, if it has been denied or changed
    on an AD object, the AdminSDHolder will correct it back to default. As for
    on a member server, I am not sure what is going on, unless I am misreading
    your explanation.

    It could also depend on a number of things going on. Matter of fact domain
    FFL can be a factor, such as Domain Local Group will not be available for
    use on a member server resource until the domain level has been bumped up.
    It could also depend on how the file/folder permissions were set, such as
    using xcacls, cacls or not.

    It may be a good idea to call PSS to get a definitive answer. I would be
    curious as to an explanation as well.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Jan 21, 2010
    #4
  5. Bonno Bloksma

    DaveMills Guest

    It may be the rather quirky behaviour (up to W2003) when "moving" a folder/file
    from one folder to another on the same drive. The explicit permissions move with
    the folder/file but the inherited permissions are NOT re-evaluated after the
    move. Thus they still show as inherited but the ACL is inherited from the old
    parent folder. If you then do anything to the permissions the inherited
    permissions are updated from the new parent folder. This can cause a radical
    change in the permissions which is totally unrelated to the permissions change
    that triggered the update.

    You can see this in action if you create two folders F1 and F2 and set quite
    different permissions. Then create a file in F1 (it will inherit F1's
    permissions) then move the file to F2. Now look at its permissions and you will
    see they are still inherited from F1. Now make any change to the permissions on
    the file (add Admins = F/C for example) and then remove this new permission and
    watch the inherited permissions switch to those of F2.
     
    DaveMills, Jan 21, 2010
    #5
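The symptoms in this thread can be hunted for without touching anything: the `<Account Domain not found>` entries from the cacls output in post #3, the Deny entry that replaced the Administrators entry, and the stale "inherited" entries Dave describes above. The following PowerShell script is an added example, not code from the thread or from any poster. It walks a tree read-only and writes a CSV of findings. It assumes it runs on the file server in an elevated session as a member of Administrators, Windows PowerShell 3.0 or later (for `-LiteralPath`), and the placeholder values for `$Root` (the share root named in the thread) and `$Report`. The stale-inheritance check is a heuristic: it compares each inherited ACE on an item against what its real parent would propagate, keyed on identity and Allow/Deny only.

```powershell
# Added example (not from the thread): read-only NTFS ACL audit.
# Assumed: elevated session on the file server, PowerShell 3.0+, placeholder paths.
param(
    [string]$Root   = 'D:\Samen',               # share root from the thread
    [string]$Report = 'C:\Temp\acl-audit.csv'   # assumed report location
)

$findings = New-Object System.Collections.ArrayList
$aclCache = @{}   # parent path -> ACL, so each parent is read only once
$OI = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

function Add-Finding([string]$Path, [string]$Kind, [string]$Detail) {
    [void]$findings.Add((New-Object PSObject -Property @{ Path = $Path; Finding = $Kind; Detail = $Detail }))
}

function Get-ParentAcl([string]$Path) {
    $parent = Split-Path -Parent $Path
    if (-not $aclCache.ContainsKey($parent)) {
        $aclCache[$parent] = Get-Acl -LiteralPath $parent -ErrorAction Stop
    }
    $aclCache[$parent]
}

# Identity plus Allow/Deny is enough to match a child's inherited ACE to the
# parent ACE it came from. Rights are deliberately left out of the key:
# inherit-only entries written by Explorer carry generic rights that display as
# a number on the folder but as named rights on the child, which would cause
# false "stale" reports.
function Get-AceKey($Ace) {
    '{0}|{1}' -f $Ace.IdentityReference.Value, $Ace.AccessControlType
}

# The parent ACEs NTFS propagates to a direct child: a subfolder receives every
# ACE that has any inheritance flag (OI-only entries arrive as inherit-only),
# a file receives only those flagged ObjectInherit.
function Get-InheritableKeys($ParentAcl, [bool]$ChildIsDir) {
    $keys = @{}
    foreach ($ace in $ParentAcl.Access) {
        $flags = [int]$ace.InheritanceFlags
        $propagates = if ($ChildIsDir) { $flags -ne 0 } else { ($flags -band [int]$OI) -ne 0 }
        if ($propagates) { $keys[(Get-AceKey $ace)] = $true }
    }
    $keys
}

foreach ($item in Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue) {
    try {
        $acl       = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        $parentAcl = Get-ParentAcl $item.FullName
    } catch {
        # Folders that deny Administrators entirely (the "Access is denied" case in
        # the thread) land here; note that their contents are not enumerated at all.
        Add-Finding $item.FullName 'AccessDenied' $_.Exception.Message
        continue
    }
    $inheritable = Get-InheritableKeys $parentAcl $item.PSIsContainer

    foreach ($ace in $acl.Access) {
        $id      = $ace.IdentityReference.Value
        $summary = '{0} {1} {2}' -f $id, $ace.AccessControlType, $ace.FileSystemRights
        # An identity that no longer resolves is shown as a raw SID; cacls prints
        # "<Account Domain not found>" for the same entry.
        if ($id -like 'S-1-*') { Add-Finding $item.FullName 'UnresolvedSid' $summary }
        # Deny entries are unexpected in a tree that only hands out group Allows.
        if ($ace.AccessControlType -eq 'Deny') { Add-Finding $item.FullName 'DenyAce' $summary }
        # Flagged as inherited, yet the real parent would not propagate it: the
        # state a same-volume move leaves behind until the ACL is next rewritten.
        if ($ace.IsInherited -and -not $inheritable.ContainsKey((Get-AceKey $ace))) {
            Add-Finding $item.FullName 'StaleInheritedAce' $summary
        }
    }
}

$findings | Select-Object Path, Finding, Detail | Export-Csv -LiteralPath $Report -NoTypeInformation
'{0} findings written to {1}' -f $findings.Count, $Report
```

Run it before any repair and keep the CSV: a `StaleInheritedAce` line whose identity is a Deny for a single user, directly under a folder that grants Administrators full control, is exactly the cacls picture from post #3, and the report tells you which folders are affected without rewriting a single ACL.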
  6. Hi,
    Hmm, years ago I transferred all files and permissions (thanks Ace I am indeed an old Novell guy ;-)
    via Robocopy to a second server, changed drive configuration and reinstalled Windows on the
    fileserver and then transferred it back. However the problems did not start until over a year after
    that as far as I can remember. Also the t.hendriks user account is definitely younger than the move,
    it was an account for a temp last August.
    But.... it might have something to do with it as the reason for the transfer a year ago was that the
    old server had temporarily been used as DC as well and downgrading it back to a member server
    produced some errors. So maybe some strange user IDs got assigned then.
    Thanks for the explanation, I thought it was me going crazy. ;-)

    Ok, I will just assume there may be all kinds of problems so it seems best to simply reset all
    permissions on the directories where there may be a problem.
    Unfortunately there are over 200.000 files in just one directory tree on that server so I had better
    be careful. :-(

    All permissions are set at the first, second or third directory level below the root directory.
    Anything below that should simply be inherited. So I simply want to wipe all permissions below the
    third level and check the rest via a report file.
    As I don't do anything with file/directory ownership I might as well set Administrator as the owner
    for each file/directory.
    Do you know of any smart way to do this, maybe a powershell script with cacls?

    [...]
    I do. ;-)

    Bonno Bloksma
     
    Bonno Bloksma, Jan 21, 2010
    #6

  7. Dave's explanation of moving folders/files on the same volume surely
    indicates why it may have occurred. I didn't realize that when I was trying
    to think about how it could happen. Thanks Dave for pointing that out. :)
    Robocopy does the same thing since it follows Windows rules regarding what
    happens to permissions when either copying or moving files/folders either on
    the same volume or different volumes. Moving on same volume will preserve
    original permissions, whereas any other action inherits the target parent
    folder (copying to same volume or different volume or moving to a different
    volume). So that surely explains what you are seeing.

    So if you move something on the same volume, and you want it to pick up the
    target parent's permissions, you will have to force inheritance at the
    parent level. But then again, that may disturb other permissions in place in
    the child structure that's been made different than the parent. Difficult
    situation.

    I'm not sure exactly how the 20,000 folders and files are organized, but if
    I may suggest to organize them in a way that reflects organizational access
    (based on department or function), may be easier, since 20,000 is quite a
    large number and if something goes awry (as you're seeing), it becomes
    difficult to troubleshoot, besides the fact you may see performance
    degradation.

    As for programmatically fixing it, I'm not sure what to suggest due to the
    large number of files and folders and the complexity. That was why I suggest
    to try to simplify it a bit.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Jan 21, 2010
    #7
  8. Hi Ace,

    [....]
    It's 200.000 (extra zero) file in one directory TREE, not in one directory. ;-) The 200.000 files
    are distributed over around 45.000 directories, about max 10 levels deep.
    It's the directory tree being used to store files for our webservers which also store files uploaded
    by our students.
    Other directory trees have less files but overall the number of files per directory is not excessive.
    Everything is pretty well simplified, like I wrote, permissions are handed out up until the third
    level, after that it should only be inherited.
    Like D:\Samen is the root for all directories with group shared permissions and the root for the
    share.
    Below that is the level where each group has its own directory with its own permissions and in some
    cases there is one level below that where some groups will get additional rights when for instance
    group1 is only allowed to read and group 2 can also change the content.

    I probably need to create a batch file (maybe powershell script) which only goes three levels deep
    and at the fourth level simply set all permissions to only the inherited permissions.
    I'll have a look or ask around in the powershell group.

    Bonno Bloksma
     
    Bonno Bloksma, Jan 22, 2010
    #8
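The plan in the last two posts (keep the hand-set permissions on levels one to three below D:\Samen, make everything deeper inherit-only, set Administrators as owner, and produce a report) maps directly onto Get-Acl/Set-Acl. The script below is an added example, not code from the thread or from any poster. It assumes an elevated session on the file server as a member of Administrators (setting the owner to BUILTIN\Administrators needs no privilege beyond what that group holds), Windows PowerShell 3.0 or later, and the placeholder values for `$Root`, `$KeepDepth` and `$Report`. It supports `-WhatIf`, so the first run should be `.\reset-acl.ps1 -WhatIf` (assumed file name) to list what would be touched.

```powershell
# Added example (not from the thread): reset everything deeper than $KeepDepth
# under $Root to inherited-only permissions, owner BUILTIN\Administrators.
# Assumed: elevated session on the file server, PowerShell 3.0+, placeholder paths.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Root      = 'D:\Samen',             # share root from the thread
    [int]   $KeepDepth = 3,                      # levels that keep their explicit ACEs
    [string]$Report    = 'C:\Temp\acl-reset.csv' # assumed report location
)

$Root     = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\')
$adminSid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
$log      = New-Object System.Collections.ArrayList

# Depth of an item below $Root: D:\Samen\A is 1, D:\Samen\A\B\C\D is 4.
function Get-Depth([string]$FullName) {
    ($FullName.Substring($Root.Length).Trim('\') -split '\\').Count
}

# Rewrite one item's security descriptor: drop every explicit ACE, make sure
# inheritance from the parent is on, and set the owner to Administrators.
# Writing the descriptor is also what makes NTFS re-evaluate the inherited
# entries, so an item whose "inherited" ACEs still came from an old parent is
# corrected even when it had no explicit ACE to remove.
function Reset-ItemAcl([string]$Path) {
    $acl      = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    foreach ($ace in $explicit) { [void]$acl.RemoveAccessRuleSpecific($ace) }
    $acl.SetAccessRuleProtection($false, $false)   # $false = inherit from parent again
    $ownerChanged = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value -ne $adminSid.Value
    if ($ownerChanged) { $acl.SetOwner($adminSid) }
    Set-Acl -LiteralPath $Path -AclObject $acl -ErrorAction Stop
    New-Object PSObject -Property @{
        Path = $Path; ExplicitRemoved = $explicit.Count; OwnerChanged = $ownerChanged; Error = $null
    }
}

# Folders that deny Administrators entirely are skipped by the enumeration
# (the "Access is denied" case in the thread); take ownership of those first.
foreach ($item in Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue) {
    if ((Get-Depth $item.FullName) -le $KeepDepth) { continue }   # levels 1..3 stay as set by hand
    if (-not $PSCmdlet.ShouldProcess($item.FullName, 'reset to inherited-only permissions')) { continue }
    try {
        [void]$log.Add((Reset-ItemAcl $item.FullName))
    } catch {
        [void]$log.Add((New-Object PSObject -Property @{
            Path = $item.FullName; ExplicitRemoved = -1; OwnerChanged = $false; Error = $_.Exception.Message }))
    }
}

$log | Select-Object Path, ExplicitRemoved, OwnerChanged, Error | Export-Csv -LiteralPath $Report -NoTypeInformation
'{0} items processed, report in {1}' -f $log.Count, $Report
```

The report is the check the thread asks for: after a real run, every row with `ExplicitRemoved` greater than zero is a place where somebody (or a stale move) had set permissions below the third level, and a non-empty `Error` column marks the folders that still need ownership taken before they can be reset, which is the same manual step the poster already did with the Security tab on one folder. The built-in `icacls <folder> /reset /T /C` does the same rewrite for one subtree, but it has no notion of "keep the first three levels", which is why the depth check is done in the script.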

  9. I understand now. Maybe Powershell will help in your case. Sure beats doing
    it manually for 45,000 folders with 200,000 files.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Jan 22, 2010
    #9
