Channel: File Services and Storage Forum

Migrated file share shows modify access to folder but access is denied


Hello,

Recently we migrated a file share from a hardware NAS to a Windows 2008 R2 server. We moved the files themselves and then migrated the ACLs with icacls /save and icacls /restore, but suddenly found that certain user groups (a custom global group, not Domain Admins or some other privileged group) don't have access to their folders. All the ACLs look OK, and effective permissions show the expected rights. But users still can't access the folder; they get an access denied error. And of course they could previously access this folder on the hardware NAS. I found that if I grant identical rights to the folder once again (with icacls /grant), then users can access the folders with no problem. I have found a difference between the ACEs of the folder with subinacl and the Scripting Guy's PowerShell script, while icacls shows identical access rights.

ACE of the user's group on the problem folder:

subinacl:

/pace =domain\groupname     ACCESS_ALLOWED_ACE_TYPE-0x0
    CONTAINER_INHERIT_ACE-0x2      OBJECT_INHERIT_ACE-0x1 INHERITED_ACE-0x10
    Type of access:
    Special acccess : -Delete
    Detailed Access Flags :
    FILE_READ_DATA-0x1          FILE_WRITE_DATA-0x2 FILE_APPEND_DATA-0x4
    FILE_READ_EA-0x8            FILE_WRITE_EA-0x10 FILE_EXECUTE-0x20            FILE_DELETE_CHILD-0x40
    FILE_READ_ATTRIBUTES-0x80   FILE_WRITE_ATTRIBUTES-0x100 DELETE-0x10000              READ_CONTROL-0x20000 

SDDL strings from the script:

A;OICI;CCDCLCSWRPWPDTLOCRSDRC;;;S-1-5-21-3502908216-181598100-2883415322-1472)

And the ACE from the re-granted directory that works well:

subinacl:

pace =domain\groupname     ACCESS_ALLOWED_ACE_TYPE-0x0
    Type of access:
    Special acccess :  -Read  -Write  -Execute -Delete
    Detailed Access Flags :
    FILE_READ_DATA-0x1          FILE_WRITE_DATA-0x2 FILE_APPEND_DATA-0x4
    FILE_READ_EA-0x8            FILE_WRITE_EA-0x10 FILE_EXECUTE-0x20            FILE_READ_ATTRIBUTES-0x80
    FILE_WRITE_ATTRIBUTES-0x100 DELETE-0x10000 READ_CONTROL-0x20000        SYNCHRONIZE-0x100000 

SDDL strings from the script:

A;;0x1301bf;;;S-1-5-21-3502908216-181598100-2883415322-1472)
A;OICI;CCDCLCSWRPWPDTLOCRSDRC;;;S-1-5-21-3502908216-181598100-2883415322-1472)

So after I granted the access rights manually, a second ACE record appeared for the user group.

0x1301bf = 100110000000110111111 = CCDCLCSWRPWPLOCRSDRC + Unknown bit 20

So the difference is that OI and CI are absent (I ran icacls /grant without these options), there is no DT right (delete tree), and some mysterious bit 20 has been added.

There are almost 100 000 files and folders, so I can't manually check every directory. Can you please explain why the original ACE is not sufficient to access the directory and how I can fix the existing ACEs so that Windows treats the rights as it should?
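Bit 20 of a file access mask (0x100000) is SYNCHRONIZE; Explorer and most file APIs request it when they open a file or folder, and an access check must be satisfied for every requested bit, so an ACE that grants every listed right but omits SYNCHRONIZE still yields access denied. The script below is an added example, not code from the post or from icacls/subinacl: it scans a tree for allow ACEs of one group that lack SYNCHRONIZE, decodes the mask into the SDDL letters used above, and with -Fix rewrites the explicit ones with the same mask plus SYNCHRONIZE; DOMAIN\groupname and the share root are placeholders.

```powershell
# Added example, not from the original post or from icacls/subinacl: reports allow
# ACEs for one group whose access mask lacks SYNCHRONIZE (0x100000, "bit 20"); with
# -Fix, explicit (non-inherited) hits are rewritten with the same mask plus
# SYNCHRONIZE, and inheritance then repairs the subtree. Assumes PowerShell 3.0+.
param(
    [Parameter(Mandatory = $true)] [string] $Root,   # placeholder: share root
    [string] $Identity = 'DOMAIN\groupname',         # placeholder: group to check
    [switch] $Fix
)

$SYNCHRONIZE = 0x100000

function Get-MaskLetters([int64] $Mask) {
    # SDDL letters for the bits in the post; SYNCHRONIZE has no SDDL letter, which
    # is why the SDDL script printed the re-granted ACE as hex 0x1301bf instead.
    $map = @{ 0x1 = 'CC'; 0x2 = 'DC'; 0x4 = 'LC'; 0x8 = 'SW'; 0x10 = 'RP'; 0x20 = 'WP'
              0x40 = 'DT'; 0x80 = 'LO'; 0x100 = 'CR'; 0x10000 = 'SD'; 0x20000 = 'RC'
              0x40000 = 'WD'; 0x80000 = 'WO' }
    $letters = foreach ($bit in ($map.Keys | Sort-Object)) { if ($Mask -band $bit) { $map[$bit] } }
    $text = -join $letters
    if ($Mask -band $SYNCHRONIZE) { $text += '+SYNCHRONIZE' }
    return $text
}

$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    $changed = $false
    foreach ($ace in @($acl.Access)) {
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IdentityReference.Value -ne $Identity) { continue }
        $mask = [int]$ace.FileSystemRights            # raw access mask behind the enum
        if ($mask -band $SYNCHRONIZE) { continue }    # bit 20 present: this ACE is fine
        [pscustomobject]@{ Path = $item.FullName; Inherited = $ace.IsInherited
                           Mask = ('0x{0:x}' -f $mask); Rights = (Get-MaskLetters $mask) }
        if ($Fix -and -not $ace.IsInherited) {
            $rights = [System.Security.AccessControl.FileSystemRights]($mask -bor $SYNCHRONIZE)
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
                $ace.IdentityReference, $rights, $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow'
            $acl.RemoveAccessRuleSpecific($ace)       # drop the SYNCHRONIZE-less ACE ...
            $acl.AddAccessRule($rule)                 # ... and put back the same ACE with bit 20 set
            $changed = $true
        }
    }
    if ($changed) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
}
```

Run it without -Fix first to see which explicit ACEs are the source of the inherited ones; the original ACE above decodes to CCDCLCSWRPWPDTLOCRSDRC with no SYNCHRONIZE, while the working one (0x1301bf) is the same set minus DT plus SYNCHRONIZE.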
