NTFS Permissions

Similar Messages

• Can't rename a single file to autorun.inf even all ntfs permissions are correct

  I have this odd problem:
  Logged in as Domin Administrator I couldn't  rename or open for editing an existing file "autorun.inf" even though all the ntfs permissions were correct. Every other files in the same directory (mainly .swf, .docx, .js and .htm files)
  are both editable and can be renamed.
  When I deleted the file "autorun.inf" from the folder and tried to create a new one with the same name, OS (Windows Server 2008 R2) notifies me that I "need permission to perform this action". Furthermore OS notifies me that "You
  require special permission from Administrators to make changes to this file". Neither can I copy a file named "autorun.inf" from another location to this folder. This is in spite of being logged in as Domain Admin.
  In short: I can't create a file called autorun.inf in a folder!
  Could  there be some kind of extra locking concerning files named autorun.inf i.e. some protective mechanism in this particular folder's permissions or SRV2008R2 itself that I've missed. All the other folders allow me to create whatever files i like
  into them.
  I would very much appreciate if anybody can help me with this.

  Yes, by default that will block any access to autorun.ini files. We use the same, so the issue sounded familiar, and of that I asked specificly to that :)
  Best Regards,
  Jesper Vindum, Denmark
  Systems Administrator
  Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.

• Unexpected NTFS permissions behavior

  I am administering a home server running Windows 2008 R2 (accessed by several Windows 8.1 clients) and have run into an NTFS permissions issue I do not understand.
  On this server there is a S drive that contains all the online storage for our network.
  The structure of the S drive looks like this:
  Files
    Public
      VariousPublicFolders
    Private
      Person1
        Person1sStuff
      Person2
        Person1sStuff
  Temp
  Before any security modifications were made, the root of the S drive had the following permissions:
  SYSTEM : Full Control
  Administrators : Full Control
  Users : Read and Execute
  Also, all the above folders on this drive are owned by the Administrators group.
  Then I started changing permissions in order to satisfy my security requirements.
  For example, I disinherited permissions on Temp and allowed "Everyone" Full Control there.
  That works fine.
  What doesn't work fine is the permissions I am trying to set on the personal folders under the Private tree.
  I want to make sure no one else (other than administrators) has access to anyone's personal data  (the data in the Person1, Person2, etc folders).
  So I disinherted permissions on each of those folders and then explicity set the following:
  SYSTEM : Full Control
  Administrators : Full Control
  PersonX : Full Control
  This, I thought should work beautifully.
  I thought it should give each person full control of what happens in their personal folder, and also allow administrators and the system to get in there.
  But it is giving people in the Administrators group problems.
  I have a user called Custodian which is part of the Administrators group, and I use this user to do administrative tasks.
  As Custodian, when I try to access someone's personal folder in Explorer I am greeted with a message that says "You don't currently have permission to access this folder."
  Whaaaaat?
  I am offered "Click continue to permanently get access to this folder."
  If I say YES then Custodian is explicitly added to the folder ACL, and I can proceed to access the files there.
  But I don't want this.
  Custodian is already an Administrator, and Administrators already have full control of the folder.  Why should I even be prompted, and even worse, have my user unnecessarily added to the ACL?
  This is bad bad bad.
  I think what is going on is that UAC is coming into play.  I read somewhere that Administrators normally do not use their administrative token until they hit something that requires it, then UAC kicks in and asks to elevate them.  This would be
  fine if it happened.  I guess I wouldn't mind having to click OK to enter a folder that requires admin access.  But this is not what is happening.  I am just blanket denied until I explicitly add the Custodian account to the ACL.
  Can someone explain why an admin user is denied access to a folder having full control given to admins?  What is going on here?
  Can someone suggest a way to rig permissions so that my admin user doesn't have to be added explicity?
  I just want to be able to browse and alter the entire drive with ANY administrative user without being bothered to alter permissions.  I don't even mind being prompted for elevation, although honestly I'd prefer not to have that happen either.

  Thank you, Milos, for taking the time to look at this.
  RE: Making the post shorter, I'm not sure I could.  It's not an easy problem to state, and I tried to do so in as few words as possible, any less and I would be leaving out critical info.
  Here are your questions, answered.
  (2) Yes, I am using a workgroup.
  (3) An example calcs output
  S:\Files\Private\Scott DATABANK\Scott:(OI)(CI)F
                         BUILTIN\Administrators:(OI)(CI)F
                         NT AUTHORITY\SYSTEM:(OI)(CI)F
  (4) The share permissions are full, yes, but this is immaterial.  I suffer the problem accessing the files locally/directly on the server.  I probably shouldn't have mentioned anything about the share.  It's just that the problem came to light
  while I WAS accessing the files through the share, but then I tried locally and still had the problem.
  I am unsure of what you mean in (5) (6) (7).  Could you elaborate?

• NTFS permissions - Only access to folders created by the user himself

  Hi,
  I once came by an TechNet article explaining how to set up the NTFS permission on a shared folder, so the users would have rights to create a subfolder, and then only have access to this folder, and none of the co-existing folders on the same level, created
  by similiar users.
  So in details, I have shared a folder called backup$, where the users needs access to create their own subfolder (will be done automatically by a script). And in case they would need to browse their way to the full path, I need to make sure, they won't be
  able to access folders created by other users.
  Any help is much appreciated.
  Martin Bengtsson | www.imab.dk

  Hi,
  I am not clear what are the rights you will set through the script for each sub-folder. You can verify, your settings using
  Effective Permission tool.
  You can more about Effective Permissions from the below URLs.
  http://technet.microsoft.com/en-us/library/cc772184.aspx
  http://technet.microsoft.com/en-us/magazine/2006.01.howitworksntfs.aspx
  <hr/>
  <br/>
  Regards,<br/>
  Jack<br/>
  <a href=http://www.jijitechnologies.com>JiJi Technologies</a>
  I'm sorry if my question is not clear. I'm looking for the correct NTFS permissions to set on the shared folder. No permissions are being set in the script.
  Martin Bengtsson | www.imab.dk

• Defining NTFS Permissions for High Volume Security

  The default NTFS file permissions for the boot volume in Windows 8.1 appear to give Modify access to "Authenticated Users".   That is really permissive.   I have a lot of folders I do not want anyone not authenticated as Administrator
  to touch.   Of course I could change every folder manually and test for side effects, but I am hoping someone has already tested this and has published a document.   I am looking for a detailed description of how to secure the volume so that ordinary
  users cannot modify attributes, filenames, or data for most files on the volume.
  Will

  Ronald, thanks for your reply.  Now we are talking the right topic.    
  1) How did you modify the root permissions?  One way to do that might be to remove Modify and Create authority for the "Authenticated Users" entity and replace that with just Read & Execute.
  2) I understand that Microsoft tightened things to prevent normal users from having modify access inside subfolders.   This works fine for well behaved applications that use things like the "Program Files" subfolder.   Unfortunately, many
  applications are badly behaved and put themselves directly under the root of the boot volume.  AMD for example puts its video drivers in c:\amd by default.     Since that folder inherits from the root, and the root gives permissive access to
  users to create and modify files, now many sensitive DLLs in this install folder could be easily modified by any user.
  One of the worst viruses I ever had was a denial of service virus that acted simply by hiding every single file on your file system.   We had locked down NTFS permissions but had forgotten to lock down file attributes.   It took forever to recover
  from that.   
  So, bottom line, I like to run as tight a file security as possible, and I like to stay logged in as a normal user and greatly restrict what normal users can change.    
  Microsoft definitely tightened things up in Windows 8 and that's great.
  Will

• Local NTFS permissions needed for Palm software?

  Does anyone know the NTFS permissions needed on the local computer for a standard user to run the Palm software?
  Post relates to: Palm TX

  Hello Cajuntank and welcome to the Palm forums.
  Palm Desktop needs to be installed with the local administrator priviledge during the install of Palm Desktop, the HotSync Manager, the first HotSyn sync, and the installation of any third-party conduits on the desktop.
  After that, the local admin rights can be revoked.
  Alan G

• Most efficient/quickest way to set NTFS permissions in PowerShell

  Hello all,
  Trying to figure out what the most efficient/quickest way to set NTFS permissions via PowerShell is. I am currently using ICACLS but it is taking FOREVER as I can't figure out how to make inheritance work with this command.
  This has prompted me to begin looking at other options for setting NTFS permissions in PowerShell, and I wondered what everyone here likes to use for this task in PowerShell?

  Ah ok. Unfortunately, my ICACLS is taking FOREVER. Here is the code I'm using:
  ICACLS "C:\users\[user]\Desktop\test" /grant:r ("[user]" + ':r') /T /C /Q
  However:
  1.  I can't figure out how to make the inheritance parameter work with ICACLS
  2. If I do make the inheritance parameter work with ICACLS, I still need a way to add the permission to child objects that aren't inheriting.
  Any tips on how to improve performance of ICACLS?
  1. icacls folder /grant GROUPNAME:(OI)(CI)(F)  (i will post corrected code later, this works in CMD but not powershell couse of bracers)
  2.  get-childitem -recurse -force |?{$_.psiscontainer} |%{icacls ....}  (or u can list only folders where inheritance is disabled and apply icacls just on them)
  I think jrv and Mekac answered the first question about inheritance flags. I would just add that you probably don't want to use the /T switch with icacls.exe because that appears to set an explicit entry on all child items (that's probably why it's taking
  so long).
  For your second question, I'd suggest using the Get-Acl cmdlet. It throws terminating errors, so I usually wrap it in a try/catch block. Something like this might work if you just wanted the paths to files/folders that aren't inheriting permissions:
  dir $Path -Recurse | ForEach-Object {
  try {
  Get-Acl $_.FullName | where { $_.AreAccessRulesProtected } | ForEach-Object { Convert-Path $_.Path }
  catch {
  Write-Error ("Get-Acl error: {0}" -f $_.Exception.Message)
  return
  If you're looking for speed/performance, you don't want to just use the PowerShell Access Control (PAC) module that Mike linked to above by itself. It's implemented entirely in PowerShell, so it's incredibly slow right now (unless you use it along with Get-Acl
  / see below for an example). I'm slowly working on creating a compiled version that is much faster, and I think I'm pretty close to having something that I can put in the gallery.
  Since I wasn't sure which command would give you the best results, I used Measure-Command to test a few different ones. Each of the following four commands should do the exact same thing. Here are my results (note that I just ran the commands a few times
  and averaged the results on a test system; this wasn't very rigorous testing):
  # Make sure that this folder and user/group exist:
  $Path = "D:\TestFolder"
  $Principal = "TestUser"
  # Native PowerShell/.NET -- Took about 15 ms
  $Acl = Get-Acl $Path
  $Acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
  $Principal,
  "Read", # [System.Security.AccessControl.FileSystemRights]
  "ContainerInherit, ObjectInherit", # [System.Security.AccessControl.InheritanceFlags]
  "None", # [System.Security.AccessControl.PropagationFlags]
  "Allow" # [System.Security.AccessControl.AccessControlType]
  (Get-Item $Path).SetAccessControl($Acl)
  # PAC Module 3.0 w/ PowerShell/.NET commands -- Took about 35 ms
  $Acl = Get-Acl $Path | Add-AccessControlEntry -Principal $Principal -FolderRights Read -PassThru
  (Get-Item $Path).SetAccessControl($Acl)
  # icacls.exe -- Took about 40ms
  icacls.exe $Path /grant "${Principal}:(OI)(CI)(R)"
  # PAC Module 3.0 w/o Get-Acl -- Took about 350 ms
  Add-AccessControlEntry -Path $Path -Principal $Principal -FolderRights Read -Force
  Unless I messed something up, it looks like the native PowerShell/.NET commands are faster than icacls.exe, at least for modifying a single folder's DACL.

• Renaming folder resets NTFS permissions

  Hi
  I have installed a new file server, running Server 2012 R2. I have created a shared folder and set the NTFS permissions. I then renamed the folder and noticed that the NTFS permissions had ben removed and reset.
  I have never seen this behavior before, and I find it a bit worrying???
  Lasse
  /Lasse

  Hi Amy
  The steps I initially did:
  1. Create folder in the root of D:
  2. Disabled inheritance
  3. Added the necessary permissions (The user I use is a domain admin, and is also added)
  4. Shared the folder to Everyone with full control
  5. Right click on the shared folder and selected rename and gave the folder a different name
  6. Vupti dupti, the permissions has changed to the following:
  SYSTEM
  MY USERNAME
  Administrators (LocalServer\Administrators)
  I have just done the same thing on a different server, and it's the exact same behavior, both servers running Server 2012 R2.
  I have also tested it on a Server 2008 R2, and it gives me the same warning as you and if I press continue the folder is renamed and the permissions has NOT been changed.
  So it seems to be a Server 2012 R2 "issue".
  /Lasse

• Unable to set NTFS permissions on share using PowerShell. The user shows up with no rights checked off.

  I am having a little problem here with setting NTFS permissions via PowerShell. 
  Basically I am able to make a new directory on the share, and assign a user NTFS permissions however it just assigns the select user without any permissions set.
  $username = "test.user"
  $directory = "\\testlab-sv01\Share\newfolder"
  New-Item -Path $directory -ItemType Directory
  $colRights = [System.Security.AccessControl.FileSystemRights]"FullControl"
  $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
  $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
  $objType =[System.Security.AccessControl.AccessControlType]::Allow
  $objUser = New-Object System.Security.Principal.NTAccount("$username")
  $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
  $objACL = Get-ACL $directory
  $objACL.AddAccessRule($objACE)
  Set-ACL $directory $objACL
  A side question, why isn't this native in Powershell? Is it for security reasons? I expected there to be a cmdlet for it. 
  Thanks. 
  Kyle

  When you say there are no permissions, do mean that the ACL Editor is showing 'Special permissions' and none of the other boxes are checked?
  Try changing the inheritance and propagation flags to this:
  $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit, ObjectInherit"
  $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
  That sets the ACE to apply to the folder (InheritOnly propagation flag isn't set) , subfolders (ContainerInherit inheritance flag is set), and files (ObjectInherit inheritance flag is set), which is necessary for the ACE to not be considered 'special' in
  the ACL Editor.
  Awesome. Thanks. That did work. 
  And yes I did mean that it was showing special permissions with nothing checked. 
  Kyle

• Coldfusion ignoring NTFS permissions

  I have seen a few older posts that have presented this same issue, but there was no resolution in the thread.  I have posted on those threads asking if they found a solution, however thought I would present the issue myself and hopefully someone has a fix/workaround.
  CF10, W2008R2, IIS 7.5. Using a group with NTFS permissions and trying to limit the access to the pages.  Anyone can view the page if putting in a username and password in the Windows security popup, click ok and immediately prompted again, click cancel and you can see the page contents.  Tested with an html page and html page is blocked properly.  It is my understanding that IIS passes the control to cf, cf diplays the cfm page. 
  Since this is IIS 7.5, the checkbox for check if file exists that was working in IIS6 isn't there any longer, it is now items under Handler Mappings.  I saw in one thread dscussion about editing a wildcard mapping, but it was vague, and didn't have the settings I need to fix this, or I did not understand based on what I see on our server.  I have set the .cfmHandler to "file" , and that did not work. I do not see a wildcard handler in the name column, however there are * in the path column, so it wasn't clear what really is the magic wildcard mapping I am looking for.
  I cannot believe this issue has existed since IIS7, and there is no clear guidance on the topic. Someone has to have figured it out... bypassing NTFS permissions and not being able to restrict access to a group is not a small issue, in my opinion anyway. I have searched all over the place, hopefully someone here knows what the magic answer is...
  Thanks!
  Tanya

  Tanya,
  This may not be what you want to hear, but I don't think you can get CF to play by NTFS rules with IIS 7+.  Since IIS hands off processing to .cfm/.cfc files to ColdFusion, it can't enforce NTFS permissions.  I think CF developers typically rely on a security system within their ColdFusion application to determine who can access which .cfm files or folders.  So programatically you check the credentials of the user and determine if they are supposed to be able to access a particular .cfm file, and redirect them if they are not.  Some use the <cflogin> features of ColdFusion; others roll their own.
  I could be completely off about this, though.  Do you use Application.cfc in your apps, or Application.cfm?  That may have a bearing as well.
  -Carl V.

• Cisco NSS4000 NTFS Permissions Issue

  Hi guys,
  I have a Cisco NSS4000 4-Bay Gigabit Network Storage System with a RAID5 array and a 2.75TB volume. I have also created a CIFS share, configured the NAS on the domain and given all users full access to the share. My issue is that the subfolders under inside the volume don’t inherit the NTFS permissions from the parent folders. No matter how many times I check the “Allow inheritable permissions from the parent…” option, it always seems to get unchecked. As a result of that, any new files the users create will only be editable by the person who created it, until I manually change the permissions. I don’t see any errors reported on my DC or the NAS logs.
  Any help or guidance would be highly appreciated.

  Nathan Guinle wrote:
  What extra software do I need to install?
  you don't need any extra software to be able to read NTFS drives, you only need it to be able to write to them but that's not what you are trying to do.
  You asked, "where exactly are you trying to move the files?"
  I am trying to move them anywhere on my mac.
  I created an empty folder in my documents to be exact.
  I have tried moving files/folders one at a time but I keep getting that permissions error thing.
  This is just crazy..... I can't believe I can't move my files from my windows to my mac....!!
  How do other people (switchers) do this?
  other people don't have this problem.
  what you see is not normal. NTFS drives are readable by OS X and you should normally be able to copy anything you want from that drive. something is wrong with your drive but since it's NTFS there is not much you can do from OS X. try hooking up the drive to windows and repairing it from windows with [chkdisk|http://support.microsoft.com/kb/315265].

• Changing ntfs permissions

  This is a basic question.
  I have a windows 2012 server standard with a windows 8 client.On the server is a share AfdelingProductie. This share is on the client mapped to the drive S: for the user Flo_Fli. The user creates a document test.txt in the drive.I file explorer on the client
  I open properties of the document. Then i choose tab security, button advanced. There I want to change the ntfs permissions by disabling inheritance, removing group and adding a group with adapting the permissions. When I click apply: I get the message:access
  denied. Is it normal that I cannot change the ntfs permissions as owner with full control on the client?

  Hi,
  Please give the everyone group full control for share permission and then to change the NTFS permission.
  Regards.
  Vivian Wang

• Can't apply NTFS permissions - Access denied

  When I am trying to change NTFS permissions on shared folder I get the error:
  An error occurred while applying security information to:
  \\fileserver2\etc
  Failed to enumerate objects in the container. Access is denied.
  fileserver2 is Server 2012R2.
  Folder "etc" is shared with full control permissions to
  everyone.
  My user has "Full control" NTFS permissions on that folder.
  P.S. If I login to fileserver2 via Remote desktop, I am able to change permissions for that folder, but not when doing same action via share.

  Hi Aurimas,
  Based on my test , if you want to "everyone" to change NTFS permission of root file share  you need to change "everyone" to be the owner of the share folder .
  Best Regards
  Elton Ji
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.
  Hello,
  I do not want "everyone" to be able to change NTFS permissions, I want those with "Full Control" to be able to change NTFS permissions as currently they can't.

• Big IP Strips NTFS Permissions?

  Looking for a little guidance here... I have heard multiple reports
            of NTFS permissions being stripped when passing through an F5
            appliance.
            My company is considering implementing this tool, and if this rumor is
            true, it would cause mayhem in an almost biblical proportion (trench
            warfare, water balloon fights, general discomfort, etc.)
            Has anyone experienced this behavior?
            

  The JWS Developer's Pack comes with a Servlet that allows you to type:
  codebase="$$codebase"
  in your JNLP. This way, the codebase gets automatically inserted into the JNLP, and you don't need to worry what machine it's being served from. This is probably a good solution for your cluster? Check out downloadservletguide.html in the JWS Developer's Pack download.

• Ntfs permissions on forest trusted share

  We have a two way forest trust. Consider this example:
  Forest A has:
  Domain Controller A
  Server A
  Forest B has:
  Domain Controller B
  Server B
  \\shareB (on Server B)
  I am a domain admin on Forest A, and my account has been given full permissions to Share B.  We have a two way forest trust, and have firewalled everything except communication between Domain Controllers A and B.
  The issue:
  If I log on to Server A, I am able to open \\shareB, but if I attempt to add/change ntfs permissions, I only see 'server B' when I click the 'Locations' button (I do not see either domain).
  If we allow on our firewall port 445 between Server A and Domain Controller B, it works.
  Is this working as designed?  Or is there a way to keep the firewall up and retain this functionality?
  Thanks,
  Jaime

  Hi Jaime,
  >If I log on to Server A, I am able to open \\shareB, but if I attempt to add/change ntfs permissions, I only see 'server B' when I click the 'Locations' button (I do not see either domain).
  How did you add/change NTFS permissions? In addition, would you please post a screenshot of the Locations?
  >If we allow on our firewall port 445 between Server A and Domain Controller B, it works.
  Port 445 has to be open, because User and Computer Authentication, Trusts require it to be.
  More information for you:
  Active Directory and Active Directory Domain Services Port Requirements
  http://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
  Best Regards,
  Amy

• Search and Replace NTFS permissions by SID

  About to pick up a file server out of an SBS domain and drop it into a new domain.
  When I drop the server into the new domain it will break all the permissions and they will just be SIDs
  Are there any tools or scripts (paid or not) that let me do something like a SID based search and replace within NTFS permissions? 
  Cheers
  Andrew
  This topic first appeared in the Spiceworks Community

  Try this:
  Turn on Show Invisibles in the View menu.
  Select (highlight) the double para breaks.
  Use Command-E  (Find using selected text).
  Open the Find dialogue box (Command-F) and select Find & Replace.The selected para breaks will be in the Find text entry box, but will not be visible!
  Click in the Replace text entry box.
  Select (highlight) a single para break.
  Go to the Edit menu / Find and select 'Use selection for replace' (it will not show in the Replace entry box).
  In the Find & Replace dialogue box, click on the Forward or Back arrows to highlight the selected items (e.g. double para break) where you wish to start replacing in the document.
  Use the Replace All / Replace & Find / Replace buttons as per usual.
  Not a nice solution, but I hope it gets you going until Apple restores the previous functionality!