server 2008 / vistax64 client shared folder permissions issue

Hello,

I am having issues with shared file permissions using server 2008 and vista
x64 clients.

Here is my setup.

Server: 2008 Std 64-bit
Client: Vista Business SP1 64-bit

I only have 3 clients connected to the server. Server is setup in a
workgroup, is only used for file/print server.

I have a directory shared, which has different types of media, movies,
music, etc. There are thousands of folders inside of it. I have the
security permissions set as the following:

Administrators: Full
Users / Power Users: Read Only
( I haven't specified any DENY attributes)

I then have a sub folder which I need full access to set as the following:

Administrators: Full
Users / Power Users: Full
Do no inherit permissions

This is where I am having issues. I can access all the files on the share
as a user/admin from client/local. I can read them and browse directories.
I cannot create, delete, modify, etc. which is correct. Now on the sub
folder, I can browse, read, create and modify. I can't however delete with
any of the clients - even when connecting with an admin account. I can
delete when logged in locally with any of the accounts.

I had this exact setup on my Win2003 Server, the only different was that was
a 32-bit OS, but the clients are the same.

I have reset and changed permissions dozens of times, I have rebooted, I
have recreated user accounts, I have triple checked share permissions and
security permissions. I'm stuck. The only thing I haven't done is to try to
connect to the share from a client with a different OS (WinXP for example).
I just thought or this. I will try it when I get to my laptop which has XP
SP3 installed as a virtual machine. I will follow-up with my results.

If anyone has any ideas, I would be greatly appreciated.

Thanks

UPDATE: I logged in to my windows XP virtual machine and connected to the
share. All of the permissions worked as they are suppose to un XP SP3
32-bit. Is there a setting in Vista that would restrict my access to a
shared folder?

Thanks again for any help.



"gatestoo" wrote:

> Hello,
>
> I am having issues with shared file permissions using server 2008 and vista
> x64 clients.
>
> Here is my setup.
>
> Server: 2008 Std 64-bit
> Client: Vista Business SP1 64-bit
>
> I only have 3 clients connected to the server. Server is setup in a
> workgroup, is only used for file/print server.
>
> I have a directory shared, which has different types of media, movies,
> music, etc. There are thousands of folders inside of it. I have the
> security permissions set as the following:
>
> Administrators: Full
> Users / Power Users: Read Only
> ( I haven't specified any DENY attributes)
>
> I then have a sub folder which I need full access to set as the following:
>
> Administrators: Full
> Users / Power Users: Full
> Do no inherit permissions
>
> This is where I am having issues. I can access all the files on the share
> as a user/admin from client/local. I can read them and browse directories.
> I cannot create, delete, modify, etc. which is correct. Now on the sub
> folder, I can browse, read, create and modify. I can't however delete with
> any of the clients - even when connecting with an admin account. I can
> delete when logged in locally with any of the accounts.
>
> I had this exact setup on my Win2003 Server, the only different was that was
> a 32-bit OS, but the clients are the same.
>
> I have reset and changed permissions dozens of times, I have rebooted, I
> have recreated user accounts, I have triple checked share permissions and
> security permissions. I'm stuck. The only thing I haven't done is to try to
> connect to the share from a client with a different OS (WinXP for example).
> I just thought or this. I will try it when I get to my laptop which has XP
> SP3 installed as a virtual machine. I will follow-up with my results.
>
> If anyone has any ideas, I would be greatly appreciated.
>
> Thanks
>

"gatestoo" <(E-Mail Removed)> wrote in message news:04998ADA-EA9E-4651-8F86-(E-Mail Removed)...
> UPDATE: I logged in to my windows XP virtual machine and connected to the
> share. All of the permissions worked as they are suppose to un XP SP3
> 32-bit. Is there a setting in Vista that would restrict my access to a
> shared folder?
>
> Thanks again for any help.


I'm a little confused the way you posted the permissions in the previous post. I believe you only posted the Security tab permissions (the NTFS permissions), but you did not post the Share tab permissions.

The system will combine the Share permissions and the Security (NTFS) permissions resulting in the Most Restrictive (the least of the two) permissions. However if you are l ogged on locally on the machine itself, only the NTFS permissions apply.

So if the Share permissions are Read Only, and you have full control on the NTFS permissions, and you connect through the share from another machine, you will only get Read Only.

Nothing's really different the way this works since Windows NT 3.1/3.5 days. However the default Share permissions on the newer operatings systems when you first share it, are set to Read Only and need to be adjusted accordingly.

A good rule of thumb is on the Share permissions, allow:
Administrators: FC
Auth Users: Change

Then lock down the NTFS permissions as needed. This way the permissions work the same exact way whether connecting through the share or locally.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
(E-Mail Removed)

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right things." - Peter F. Drucker
http://twitter.com/acefekay

Ace,

Thanks for the response. I'm sorry for the confusing post, let me clarify.

Share Permissions
Admins: FC
Auth Users(User1): FC

NTFS Permissions
Main Shared Folder
Admins: FC
Auth Users(User1): Read-Only
SYSTEM: FC
CREATOR OWNER: FC

Sub Folder
Admins: FC
Auth Users(User 1): FC
SYSTEM: FC
CREATOR OWNER: FC
Do not inherit

I don't use any Deny permissions.

I have the share permissions and NTFS permissions setup to use a specific
user (user1) and the administrators group. User1 is part of the Power Users
group. I had the shares set to use Power Users, but changed everything
because it wasn't working and thought I had maybe incorrectly adjusted the
power users permissions somewhere.

The weird thing is that when I log onto the share on a windows xp box, all
of the shares act how they should, but when accessing via vista, the sub
folder - which i should have full control, denies me delete. Otherwise I can
create and modify in the subfolder. I can delete from the xp client.

Thanks

RG

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "gatestoo" <(E-Mail Removed)> wrote in message news:04998ADA-EA9E-4651-8F86-(E-Mail Removed)...
> > UPDATE: I logged in to my windows XP virtual machine and connected to the
> > share. All of the permissions worked as they are suppose to un XP SP3
> > 32-bit. Is there a setting in Vista that would restrict my access to a
> > shared folder?
> >
> > Thanks again for any help.
>
>
> I'm a little confused the way you posted the permissions in the previous post. I believe you only posted the Security tab permissions (the NTFS permissions), but you did not post the Share tab permissions.
>
> The system will combine the Share permissions and the Security (NTFS) permissions resulting in the Most Restrictive (the least of the two) permissions. However if you are l ogged on locally on the machine itself, only the NTFS permissions apply.
>
> So if the Share permissions are Read Only, and you have full control on the NTFS permissions, and you connect through the share from another machine, you will only get Read Only.
>
> Nothing's really different the way this works since Windows NT 3.1/3.5 days. However the default Share permissions on the newer operatings systems when you first share it, are set to Read Only and need to be adjusted accordingly.
>
> A good rule of thumb is on the Share permissions, allow:
> Administrators: FC
> Auth Users: Change
>
> Then lock down the NTFS permissions as needed. This way the permissions work the same exact way whether connecting through the share or locally.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
> Microsoft Certified Trainer
> (E-Mail Removed)
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> "Efficiency is doing things right; effectiveness is doing the right things." - Peter F. Drucker
> http://twitter.com/acefekay
>
>

"gatestoo" <(E-Mail Removed)> wrote in message news:F34F7882-D1F6-43FF-956D-(E-Mail Removed)...
> Ace,
>
> Thanks for the response. I'm sorry for the confusing post, let me clarify.
>
> Share Permissions
> Admins: FC
> Auth Users(User1): FC
>
> NTFS Permissions
> Main Shared Folder
> Admins: FC
> Auth Users(User1): Read-Only
> SYSTEM: FC
> CREATOR OWNER: FC
>
> Sub Folder
> Admins: FC
> Auth Users(User 1): FC
> SYSTEM: FC
> CREATOR OWNER: FC
> Do not inherit
>
> I don't use any Deny permissions.
>
> I have the share permissions and NTFS permissions setup to use a specific
> user (user1) and the administrators group. User1 is part of the Power Users
> group. I had the shares set to use Power Users, but changed everything
> because it wasn't working and thought I had maybe incorrectly adjusted the
> power users permissions somewhere.
>
> The weird thing is that when I log onto the share on a windows xp box, all
> of the shares act how they should, but when accessing via vista, the sub
> folder - which i should have full control, denies me delete. Otherwise I can
> create and modify in the subfolder. I can delete from the xp client.
>
> Thanks
>
> RG


I assume you mean by indicating "Auth Users(User1): FC" means that you actually added "Authenticated Users" and not really "User1" in the Share ACL and the NTFS ACL. But then you said, " I have the share permissions and NTFS permissions setup to use a specific user (user1)." I'm trying to understand what you mean here. It is either you have User1 or Authenticated Users. Authenticated Users of course, would include User1 and all accounts that are Authenticated in the domain, machine, groups, and user accounts.

Either way, User1 should be able to have the same exact access no matter where you are connecting to the share from, whether locally or remotely, the way you have it setup. I assume Administrator works the same on Vista and XP. And it shouldn't be different whether it is a 32bit or 64bit system.

It sounds like Vista is not enumerating the subfolder's NTFS ACLs. I found this link, but not sure if it totally relates, but it appears to be similar. The one poster indicates it worked with using a specific user and not a group. See if it helps.

Accessing Win2k8 Shares from Vista -- Access Denied (same usernames/passwords)
http://social.technet.microsoft.com/...5-b7d311fc49ae

Ace

Ace,

I should have better explained. I have had User1 in various user groups,
including authenticated users, admins, power users and users, and as it is
now, by itself.

I looked at the suggestions and responses in the thread you provided. Since
my share is already setup with User1 instead of a group containing User1 and
I have SP1 installed, I don't know. I also tried disabling UAC on the client
machine with no change.

I also verified my registry settings were the same as suggested,
"RestrictAnonymous is set to 0".

I'm stumped. I appreciate you help though. I might try to create a
different setup. I know that If I share the sub folder in question as its
own share, I have no problems deleting files. This creates a bunch of
configuration issues, but at this point, I don't know what else to do.

Thanks again.



"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "gatestoo" <(E-Mail Removed)> wrote in message news:F34F7882-D1F6-43FF-956D-(E-Mail Removed)...
> > Ace,
> >
> > Thanks for the response. I'm sorry for the confusing post, let me clarify.
> >
> > Share Permissions
> > Admins: FC
> > Auth Users(User1): FC
> >
> > NTFS Permissions
> > Main Shared Folder
> > Admins: FC
> > Auth Users(User1): Read-Only
> > SYSTEM: FC
> > CREATOR OWNER: FC
> >
> > Sub Folder
> > Admins: FC
> > Auth Users(User 1): FC
> > SYSTEM: FC
> > CREATOR OWNER: FC
> > Do not inherit
> >
> > I don't use any Deny permissions.
> >
> > I have the share permissions and NTFS permissions setup to use a specific
> > user (user1) and the administrators group. User1 is part of the Power Users
> > group. I had the shares set to use Power Users, but changed everything
> > because it wasn't working and thought I had maybe incorrectly adjusted the
> > power users permissions somewhere.
> >
> > The weird thing is that when I log onto the share on a windows xp box, all
> > of the shares act how they should, but when accessing via vista, the sub
> > folder - which i should have full control, denies me delete. Otherwise I can
> > create and modify in the subfolder. I can delete from the xp client.
> >
> > Thanks
> >
> > RG
>
>
> I assume you mean by indicating "Auth Users(User1): FC" means that you actually added "Authenticated Users" and not really "User1" in the Share ACL and the NTFS ACL. But then you said, " I have the share permissions and NTFS permissions setup to use a specific user (user1)." I'm trying to understand what you mean here. It is either you have User1 or Authenticated Users. Authenticated Users of course, would include User1 and all accounts that are Authenticated in the domain, machine, groups, and user accounts.
>
> Either way, User1 should be able to have the same exact access no matter where you are connecting to the share from, whether locally or remotely, the way you have it setup. I assume Administrator works the same on Vista and XP. And it shouldn't be different whether it is a 32bit or 64bit system.
>
> It sounds like Vista is not enumerating the subfolder's NTFS ACLs. I found this link, but not sure if it totally relates, but it appears to be similar. The one poster indicates it worked with using a specific user and not a group. See if it helps.
>
> Accessing Win2k8 Shares from Vista -- Access Denied (same usernames/passwords)
> http://social.technet.microsoft.com/...5-b7d311fc49ae
>
> Ace
>
>
>

"gatestoo" <(E-Mail Removed)> wrote in message news:C9907955-0B8B-45F9-B697-(E-Mail Removed)...
> Ace,
>
> I should have better explained. I have had User1 in various user groups,
> including authenticated users, admins, power users and users, and as it is
> now, by itself.
>
> I looked at the suggestions and responses in the thread you provided. Since
> my share is already setup with User1 instead of a group containing User1 and
> I have SP1 installed, I don't know. I also tried disabling UAC on the client
> machine with no change.
>
> I also verified my registry settings were the same as suggested,
> "RestrictAnonymous is set to 0".
>
> I'm stumped. I appreciate you help though. I might try to create a
> different setup. I know that If I share the sub folder in question as its
> own share, I have no problems deleting files. This creates a bunch of
> configuration issues, but at this point, I don't know what else to do.
>
> Thanks again.

Sorry I couldn't be more helpful. Maybe setting up another share and try it again to see if it happens to that, as well?

Ace

Update: So I recently updated my laptop with SP2 for Vista and now the share
works perfectly as it should. I have full access to the sub folder. I'm not
entirely sure that SP2 fixed the issue though, as updating my workstation to
SP2 did not yield the same results. I thought I had tried accessing the
shared subfolder with my laptop in the past and it didn't work, but now I
cannot be certain.

At this point I am assuming there is some issue with Vista on my workstation
not dealing with the permissions properly. I'm hoping when I do a fresh
install of Windows 7 when it ships that this issue will disolve. In the
meantime if I find an answer I will update this post.

Thanks everyone for their help.


"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "gatestoo" <(E-Mail Removed)> wrote in message news:C9907955-0B8B-45F9-B697-(E-Mail Removed)...
> > Ace,
> >
> > I should have better explained. I have had User1 in various user groups,
> > including authenticated users, admins, power users and users, and as it is
> > now, by itself.
> >
> > I looked at the suggestions and responses in the thread you provided. Since
> > my share is already setup with User1 instead of a group containing User1 and
> > I have SP1 installed, I don't know. I also tried disabling UAC on the client
> > machine with no change.
> >
> > I also verified my registry settings were the same as suggested,
> > "RestrictAnonymous is set to 0".
> >
> > I'm stumped. I appreciate you help though. I might try to create a
> > different setup. I know that If I share the sub folder in question as its
> > own share, I have no problems deleting files. This creates a bunch of
> > configuration issues, but at this point, I don't know what else to do.
> >
> > Thanks again.
>
> Sorry I couldn't be more helpful. Maybe setting up another share and try it again to see if it happens to that, as well?
>
> Ace
>
>
>

"gatestoo" <(E-Mail Removed)> wrote in message news3087FF3-BFD9-4282-9824-(E-Mail Removed)...
> Update: So I recently updated my laptop with SP2 for Vista and now the share
> works perfectly as it should. I have full access to the sub folder. I'm not
> entirely sure that SP2 fixed the issue though, as updating my workstation to
> SP2 did not yield the same results. I thought I had tried accessing the
> shared subfolder with my laptop in the past and it didn't work, but now I
> cannot be certain.
>
> At this point I am assuming there is some issue with Vista on my workstation
> not dealing with the permissions properly. I'm hoping when I do a fresh
> install of Windows 7 when it ships that this issue will disolve. In the
> meantime if I find an answer I will update this post.
>
> Thanks everyone for their help.

You are welcome, and thank you for the update. It is always nice to know if something worked or didn't work. If you do figure it out, let me know.

For comparison, if you have the opportunity and one is available, please try it from a different laptop with Vista SP1 or SP2 and see if it is behaving the same way.

Ace