Users removing Administrator from files/folders permissions

Solution 1

Q1: Is there a way to restore at least read access to all files/folders to the Administrator account in a recursive fashion?

If permissions are inherited (i.e. not set separately on different files and folders) then changing the permissions on the root folder and setting the "Replace all child object..." checkbox will replace all the permissions with inherited permissions.

This will of course replace permissions on child items that are supposed to have different permissions.

Q2: Is there a way to prevent users from removing Administrator from files/folders permissions on Windows Server 2003/2008?

No.

While there is a separate flag for "Change Permissions", Windows will ignore this for the owner of the file (the owner can always change the permissions), otherwise an empty ACL (or one with a deny everyone everything ACE) wouldn't be reversible.

we can't even backup files manually as we get permission errors.

Why would you want such manual operations? Backup software should be run with and assert the backup (and on restore, the restore) privilege which will bypass ACLs. If the user needs to manually backup some part of their files that they own then they can easily copy.

Perhaps this is really an issue of user training: if you deny administrators access then administrators cannot help you with file management.
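The point above about the backup privilege bypassing ACLs, shown as an added example that is not part of the original answer: a recursive copy in backup mode with robocopy. The paths are placeholders, and it assumes robocopy and PowerShell are installed (on Server 2003 both are separate downloads; the robocopy line also works unchanged from cmd.exe).

```powershell
# Added example, not from the original answers. All paths are placeholders.
# Run from an elevated session as a member of Administrators or Backup Operators.
$Source = 'D:\path\to\share'
$Dest   = 'E:\backup\share'
$Log    = 'E:\backup\share-copy.log'   # the log's parent folder must already exist

# The privilege must be present in the token. "Disabled" in the State column
# is fine: robocopy /B enables it for its own process.
if (-not (whoami /priv | Select-String -SimpleMatch 'SeBackupPrivilege')) {
    throw 'SeBackupPrivilege is not held by this logon; use an elevated admin or Backup Operators account.'
}

# /B         open files in backup mode, so file and folder ACLs are not evaluated
# /E         recurse, including empty directories
# /COPYALL   copy data, attributes, timestamps, ACLs, owner and auditing info
# /R:0 /W:0  do not retry or wait on files that fail
# /NP        no per-file progress percentage in the log
robocopy $Source $Dest /E /B /COPYALL /R:0 /W:0 /NP "/LOG:$Log"

# Robocopy's exit code is a bit mask: 8 means some files could not be copied,
# 16 means a fatal error. Anything below 8 means the copy completed.
if ($LASTEXITCODE -ge 8) {
    Write-Warning "robocopy reported failures (exit code $LASTEXITCODE); see $Log"
} else {
    Write-Output "Copy completed (exit code $LASTEXITCODE)."
}
```

Because /COPYALL carries the original ACLs and owners across, the copy is a faithful backup and the files on the share are left untouched.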

Solution 2

Exactly what to do depends on how widespread the problem is - how many people have done this and how the directories affected are structured.

You should have shared directories set up so that personal and group directories inherit permissions. Then, if it's not too many people, you could take control of their directories and reset the permissions. Or you could just tell each person - "no backup for you until you let an admin use your account and change things back."

(And tell them that they'll be sorry if they do it again, with "no backup" being the start of the problems.)

If it's widespread, you could take ownership of everything, set the desired admin permissions (after this, I'd make it "full control" not just read access), then add the appropriate user or group permissions.
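The widespread-case procedure above (take ownership of everything, then set the admin permissions), as an added example that is not part of the original answer. It assumes takeown and icacls are available (icacls ships with Server 2003 SP2 and later), the paths are placeholders, and the same three commands can be typed into cmd.exe.

```powershell
# Added example, not from the original answers. Run elevated as an administrator.
$Root    = 'D:\path\to\share'               # placeholder share root
$AclDump = 'C:\Temp\share-acls-before.txt'  # placeholder; the folder must exist

# 1. Take ownership of the whole tree.
#    /R recurses, /A makes the Administrators group the owner (not the current user),
#    /D Y answers "yes" when a folder cannot be listed (English-language systems).
takeown /F $Root /R /A /D Y
if ($LASTEXITCODE -ne 0) { Write-Warning "takeown exit code $LASTEXITCODE" }

# 2. Owners can always read and change the ACL, so the existing permissions
#    can now be saved for review before anything is modified.
#    /T recurses, /C continues past errors.
icacls $Root /save $AclDump /T /C

# 3. Add full control for Administrators, inherited by files (OI) and subfolders (CI).
#    /grant adds an entry and leaves the users' own entries in place;
#    it does not remove explicit deny entries, which still have to be cleaned up.
icacls $Root /grant 'Administrators:(OI)(CI)F' /T /C
if ($LASTEXITCODE -ne 0) {
    Write-Warning "icacls reported failures (exit code $LASTEXITCODE); check its 'Failed processing' count"
}
```

After step 1 the users are no longer the owners of their files, so their user or group permissions need to be re-checked as the answer describes.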

Author: Max

Analytics consultant available for hire. More info: https://maxcorbeau.com

Updated on September 18, 2022

Comments

  • Max
    Max over 1 year

    We're running Windows Server 2003 R2 with Active Directory and are having an issue with network shares whereby users, in an attempt to secure their documents, remove everybody (including the Administrator account) from their files/folders permissions. Since the Administrator no longer has read permission to them, we can't even backup files manually as we get permission errors.

    One solution that we've found is to change the owner of the files and directories to the Administrator account. We can then change the permissions as we wish. The problem is that this has to be done manually so can't really be applied to an entire share.

    Another solution that we've tried is to use cacls as follows:

    cacls d:\path\to\share /C /T /E /G Administrator:F
    

    The problem with this is that we're still getting an ACCESS DENIED error on files/folders on which Administrator was removed.

    Q1: Is there a way to restore at least read access to all files/folders to the Administrator account in a recursive fashion?

    That would be for the short term. For the long term we're looking for a solution to prevent users from removing Administrator from files/folders permissions. Since we're going to migrate to Windows Server 2008 R2 soon we could wait until we've migrated to implement such solution if need be.

    Q2: Is there a way to prevent users from removing Administrator from files/folders permissions on Windows Server 2003/2008?

  • Max
    Max over 12 years
    The reason we need to do a manual backup is that our backup solution is no longer usable. I know it's bad, but we are implementing a new backup solution on Server 2008 and we will migrate soon, so these manual backups are only a temporary solution. Have you got any recommendations (apart from asking users to add the administrator account back) as to how to fix this temporarily? Thanks.
  • Max
    Max over 12 years
    I'm afraid that the problem is too widespread to attempt any sort of manual fix here. Isn't there a way to automatically and recursively set Administrator as the owner of all files/folders and then add full control permissions for Administrator?
  • Ward - Reinstate Monica
    Ward - Reinstate Monica over 12 years
    Yeah, go to the root directory of your shared directories, take ownership from there and apply it to all child directories.
  • Richard
    Richard over 12 years
    @user64204 No, you are stuck: you either use the Backup privilege or you have access through the ACL. There are no other options. The solution is to get the new backup working ASAP – if you don't have the resources to implement quickly, raise the business risk with management.
  • Mitch
    Mitch over 12 years
    I would say never give the user full control. The most they need is Change.