Have you tried assigning permissions via an elevated command line or PowerShell?

On Wed, Jul 15, 2009 at 12:41 PM, Miller Bonnie L. <mille...@mukilteo.wednet.edu> wrote:

> So, I’ve been trying REALLY hard to just get used to UAC with WS08, but
> now that we have some actual file servers coming online, using Windows
> Explorer to assign permissions is driving me absolutely batty.
>
> Example: While logged on with a domain admin account on a WS08 SP2 member
> server, I create a folder on the root of the hard drive (let’s call it
> E:\Files). Then, we remove inherited permissions and strip the list down to
> administrators and system full, and sometimes add domain admins with full,
> since that is the group here who can work with user files. Then, we assign
> the permissions for domain groups who need access. Folder can be shared out
> with Everyone Full, but the sharing isn’t really part of the problem.
>
> What I’ve listed above, which is fine on WS03, never seems to be enough
> permission for UAC, and I’ll get “access denied” errors when trying to apply
> permissions. If I add my account explicitly (the domain admin I’m logged on
> as), it then works. But if there is a subfolder (let’s say
> E:\Files\Butterflies) that I’m not added onto, then applying higher level
> permissions will make it stop and bark about permissions for that
> subfolder. There can be a lot of subfolders, and it stops on each one.
>
> Leaving the “everyone” permissions or creator owner on there when setting
> up the folder seems to help sometimes, but then you end up with more
> permissions than we want on something, and with creator owner there seem to
> be added permissions. Explorer.exe can’t be run in “compatibility mode” so
> I can’t set it to run elevated, but I find that if I run it as administrator
> I seem to still have problems—it’s almost like each time you change the
> focus in explorer it re-evaluates your credentials.
>
> Do other people have this trouble, and if so, *what are you doing to
> handle this?* Here are some options I see:
>
> 1) Assign explicit permissions for administrative accounts on all
> files and folders—yikes! Would this work with a domain group, as long as
> it’s not domain admins (or something else in administrators)?
>
> 2) Log on with THE local administrator account when we need to work on
> permissions. (Yuk, getting prompted for domain credentials every time we
> need to browse the domain to add a group. Also bad having multiple admins
> logging on the same account all the time).
>
> 3) Suck it up and wait for R2, because they’ve made this “better”
> somehow?
>
> 4) When creating a folder, leave permissions at the “default”. Add
> groups that need access, and restrict the share-level permissions to just
> those groups (another yuk, especially since we are really getting away from
> sharing out every folder).
>
> 5) Something else? I was reading up on UAC on TechNet (
> http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx), but I’m
> not sure if I could gain or lose anything by doing something like disabling
> admin approval mode or changing the elevation prompt for administrators.
> I’m concerned that this might really negate the security benefit of having
> UAC in the first place on a server.
>
> 6) Turn off UAC—honestly, I really don’t want to do this unless there
> is no other option.
>
> -Bonnie
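
The elevated command-line approach suggested in the reply at the top, applied to the E:\Files setup described in the quoted message, as an added example that is not part of the original thread. The domain name `CONTOSO` and the group `Staff-Files-RW` are placeholders; the script assumes it is run from a PowerShell window started with "Run as administrator".

```powershell
# Added example. E:\Files comes from the message; CONTOSO and the
# group names below are placeholders to replace with real ones.
$path   = 'E:\Files'
$domain = 'CONTOSO'                       # placeholder domain name
$groups = @{                              # placeholder group -> icacls right
    "$domain\Domain Admins"  = 'F'        # full control
    "$domain\Staff-Files-RW" = 'M'        # modify
}

# Under UAC a non-elevated admin logon runs with a filtered token in which
# BUILTIN\Administrators is deny-only, so IsInRole returns $false and an ACL
# that grants only Administrators/SYSTEM does not apply to that session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $elevated) {
    Write-Error 'Not elevated: start PowerShell with "Run as administrator" first.'
    exit 1
}

if (-not (Test-Path $path)) {
    New-Item -ItemType Directory -Path $path | Out-Null
}

# Grant the explicit base ACL first, so the folder is never left with an
# empty DACL: Administrators and SYSTEM full control, inherited by
# subfolders (CI) and files (OI).
icacls $path /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Add the domain groups that need access.
foreach ($g in $groups.GetEnumerator()) {
    icacls $path /grant:r ("{0}:(OI)(CI){1}" -f $g.Key, $g.Value)
}

# Only now remove the inherited ACEs, leaving just the explicit entries above.
icacls $path /inheritance:r

# Print the resulting ACL for review.
icacls $path
```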