Weird Permission issues with Admin Users + Server 2008


11 replies to this topic

#1 MasterNe0


Posted 17 August 2015 - 01:58 PM

I have a Server 2008 with a strange problem.

For some reason, any admin users (except for the main Administrator account) cannot access or write into certain folders including C:\Windows and C:\Program Files. When trying to access the calculator program, it would say "permission is denied" or "access is denied".

When trying to open Explorer, it just freezes on a white screen (probably due to the permission). I am unsure what is causing this as the main administrator account is fine but when we create a new user and give him both the Administrators group + Domain Users group only, the problem still occurs.

Any idea what might cause this and how to fix this? This is extremely urgent to resolve on this server as it is the primary domain controller and a file share server.




 


#2 mauguilar


Posted 17 August 2015 - 02:01 PM

Make sure you add the user to the Domain Administrator Group and not the Local Administrators Group..!

Also try adding the user to the Domain Admins group.



#3 MasterNe0


Posted 17 August 2015 - 02:07 PM

Tried that.

 

Still same problem.

 

The test user I am using has:

Administrators

Domain Admins

Domain Users

 

Still same issue.



#4 MasterNe0


Posted 17 August 2015 - 02:08 PM

I tried a cmd prompt and also get "access is denied" for commands as well, such as pinging or gpupdate.


Edited by MasterNe0, 17 August 2015 - 02:09 PM.


#5 mauguilar


Posted 17 August 2015 - 02:10 PM

Check the sharing and security of those certain folders to find out what's wrong.



#6 Wand3r3r


Posted 17 August 2015 - 03:46 PM

No mention of running an RDP server.

"C:\Windows and C:\Program Files. When trying to access calculator program..."

These are local to the PC, not the server. You would never give permissions to these server folders to users. You would never make users admin of anything unless you have old applications that require it, and then only to the apps' folders, nothing else.



#7 MasterNe0


Posted 17 August 2015 - 06:41 PM

This server is a domain controller and a file server.

We have 2-3 other users that can log into the server as an admin using remote desktop and do the same thing the user administrator can do.

For some reason, that all changed and now a user with the same permissions as the administrator cannot access a bunch of folders for no reason.

They can log into the server but cannot do anything. Explorer windows will try to open but then freeze and a bunch of programs would get "access denied" from everything from "remote desktop connection" to "windows calculator".

At first I thought maybe some kind of weird policy is doing this but I looked at the group policies and I don't see any of them doing this.

If I open a CMD, I can't run PING or gpupdate, I just get an "access is denied" even though the user has the same exact rights as the full original administrator account. This wasn't like this a few weeks ago and we are unsure what is causing this.


Edited by MasterNe0, 17 August 2015 - 06:42 PM.


#8 Wand3r3r


Posted 18 August 2015 - 10:12 AM

Did you install the TS/RDP server role?

Normally you never let users log on using the administration RDP access. Unless you like rebuilding your domain from scratch.

The administrator account is not god mode. It can be assigned to folders, etc., but just because it's an admin account doesn't mean automatic access.

Since you say this changed suddenly, someone had to have made a change to the policies, groups [authorized users/everyone] or folder assignments.

Having lots of admins is like having too many cooks in the kitchen. You don't know who did what and they certainly are not going to tell you even if they knew what they did. You will need to do a side by side comparison between two admin accounts [working and nonworking] to figure out what is different.



#9 MasterNe0


Posted 18 August 2015 - 08:51 PM

We checked some files and noticed a huge problem that might explain the issue but not how to fix it.

A lot of the files, for some reason, were overwritten with different permissions. Instead of TrustedInstaller having ownership over a bunch of files and having full control while users/administrators/system have read permissions, the group Administrators has permission, and someone or something has overwritten the permissions on hundreds of system files.

Is there a way to fix these permissions and reset them back to normal? Whether using a script or some kind of file. Will sfc fix this problem and fix the permissions?

Or else someone will need to spend countless hours doing the fix manually and compare it to another server's permissions to make sure it is set correctly.



#10 x64


Posted 19 August 2015 - 12:34 AM

The bad news is that the permissions will be practically impossible to correct manually (you could try but I suspect that you may make things worse, or at best be picking bits out of your teeth for the remaining life of the server). It may be more expedient to restore to a backup of that system from before it was affected.

 

I note that this is a DC... If you have other DCs, then changes to AD (made since the good backup) and sysvol can replicate back from another DC after the restore. The backup MUST be less than 60 days old for it to be usable. If you do not have another DC, it may be an idea to temporarily add a second DC to keep the network running and to persist the current AD database and sysvol across the restore. There should not be any need to shift FSMO roles around (and indeed that could complicate things).

 

As the server also contains data (that has no doubt changed since the issue), before the server is restored take a backup of anything that has changed, and restore that (possibly without restoring permissions) once you have the server back.

 

x64



#11 Wand3r3r


Posted 19 August 2015 - 10:03 AM

Doing a repair install would restore all of the default permissions. I would xfer any FSMO roles to the other DC and then remove it from the domain. Do the repair install, load all of the patches and rejoin the domain as a DC. You will have to redo the file share permissions.


Edited by Wand3r3r, 19 August 2015 - 10:03 AM.


#12 JohnnyJammer


Posted 19 August 2015 - 05:46 PM

It sounds like someone has tried to fix an issue and removed TrustedInstaller from the ownership; I wouldn't be surprised if takeown was used.

It can be handy to dump permissions into a text file for recovery sometimes but it's a long process.
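
The side-by-side comparison suggested in post #8 and the permission dump mentioned in post #12 can be scripted; the following is an added example, not code from any poster in this thread. It assumes PowerShell 3.0 or later, an elevated session under the working Administrator account, and a known-good server of the same OS version; the script name and the `C:\Temp` paths are hypothetical.

```powershell
# Added example. Read-only: records owner + SDDL for every item under $Root.
# Step 1 (healthy server, same OS build):         .\Compare-SystemAcl.ps1 -Export
# Step 2 (affected server, baseline copied over):  .\Compare-SystemAcl.ps1
# Script name and the C:\Temp paths are hypothetical; requires PowerShell 3.0+.
param(
    [string]$Root     = 'C:\Windows\System32',
    [string]$Baseline = 'C:\Temp\acl-baseline.csv',
    [string]$Report   = 'C:\Temp\acl-drift.csv',
    [switch]$Export
)

function Get-AclSnapshot {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            try {
                $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
                [pscustomobject]@{ Path = $item.FullName; Owner = $acl.Owner; Sddl = $acl.Sddl }
            } catch {
                # An ACL that cannot even be read is recorded, not silently skipped.
                [pscustomobject]@{ Path = $item.FullName; Owner = 'UNREADABLE'; Sddl = '' }
            }
        }
}

$current = Get-AclSnapshot -Path $Root
if ($Export) {
    $current | Export-Csv -Path $Baseline -NoTypeInformation -Encoding UTF8
    return
}

# Index the known-good baseline by path (hashtable keys are case-insensitive).
$known = @{}
Import-Csv -Path $Baseline | ForEach-Object { $known[$_.Path] = $_ }

# Keep only items whose owner or security descriptor differs from the baseline.
$drift = @(foreach ($entry in $current) {
    $ref = $known[$entry.Path]
    if ($ref -and ($ref.Owner -ne $entry.Owner -or $ref.Sddl -ne $entry.Sddl)) {
        [pscustomobject]@{
            Path = $entry.Path; Owner = $entry.Owner; ExpectedOwner = $ref.Owner
            Sddl = $entry.Sddl; ExpectedSddl = $ref.Sddl
        }
    }
})

$drift | Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8
# Summary: which owners now hold the drifted files, most common first.
$drift | Group-Object Owner | Sort-Object Count -Descending | Select-Object Count, Name
```

Paths that do not exist in the baseline are skipped rather than flagged, so the reference server should be at the same patch level as the affected one.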





