Users suddenly missing write permissions to the root drive c within an active directory domain
Posted by Kevin on Server Fault
Published on 2013-11-07T14:27:27Z
Tags: windows-server-2008 | windows-server-2008-r2 | windows-7 | windows-server-2012 | permission-denied
I'm managing an Active Directory single-domain environment on some Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 machines.
For a few weeks now I have had a strange issue. Some users (not all!) report that they can no longer save, copy or write files to the root drive C, neither on their clients (Vista, Win 7) nor via remote desktop connection on a Windows Server 2008 machine. Even programs that require direct write permissions to the root drive, run without administrator permissions, have failed to do so since then.
The affected users have local administrator permissions.
The question I'm facing now is: What caused this change of system behavior? Why did this happen? I haven't found out yet.
What was the last thing I did before it happened?
The last action that was made before it happened was the rollout of a GPO containing network drive mappings for the users depending on their security group membership. All network drives are located on a Linux server with Samba enabled.
We did not change any UAC settings, and they have always been activated.
However, I can't imagine that rolling out this GPO caused the problem. Has anybody faced an issue like that?
Just in case:
I know that it is for a specific reason that a user without administrative privileges is prevented from writing to the root drive since Windows Vista and the implementation of UAC. I don't think that those users should be able to write to drive C, but I am trying to figure out why this is happening, and a few weeks ago this was still working.
I also know that a user who is a member of the local administrators group does not execute anything with administrator permissions by default unless he or she executes a program with these permissions.
What have I done so far?
I checked the permissions of the affected programs and the affected clients/server. Didn't find anything special.
I checked ALL of our GPOs for any restrictions that could prevent the affected users from writing to the root drive. Did not find any settings.
I checked the UAC settings of the affected users and compared those to other users that still can write to the root drive. Everything is similar.
I googled through the internet and tried to find someone who had a similar problem. Did not find one.
Does anybody have an idea? Thank you very much.
Edit:
The GPO that was rolled out does the following (please excuse me if the settings are not named exactly like that; I translated the settings into English):
**Windows Settings --> Network Drive Mappings --> Drive N: --> General:**
Action: Replace
**Properties:**
Letter: N
Location: \\path-to-drive\drivename
Re-Establish connection: deactivated
Label as: Name_of_the_Share
Use first available Option: deactivated
**Windows Settings --> Network Drive Mappings --> Drive N: --> Public:**
**Options:**
On error don't process any further elements for this extension: no
Run as the logged in user: no
remove element if it is not applied anymore: no
Only apply once: no
**Securitygroup:**
Attribute --> Value
bool --> AND
not --> 0
name --> domain\groupname
sid --> sid-of-the-group
userContext --> 1
primaryGroup --> 0
localGroup --> 0
**Securitygroup:**
Attribute --> Value
bool --> OR
not --> 0
name --> domain\another-groupname
sid --> sid-of-the-group
userContext --> 1
primaryGroup --> 0
localGroup --> 0
Edit: The error message of an affected user says the following:
Due to an unexpected error you can't copy the file.
Error-Code 0x80070522: The client is missing a required permission.
The command icacls C: shows the following:
NT-AUTORITY\SYSTEM:(OI)(CI)(F)
PRE-DEFINED\Administrators:(OI)(CI)(F)
computername\username:(OI)(CI)(F)
A colleague just told me that the primary domain controller (PDC) also changed from Windows Server 2008 to Windows Server 2012. That may also be a reason. Any suggestions?