Users suddenly missing write permissions to the root drive c within an active directory domain

5

I'm managing an active directory single domain environment on some Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 machines.

Since a few weeks I got a strange issue. Some users (not all!) report that they cannot any longer save, copy or write files to the root drive c, whether on their clients (vista, win 7) nor via remote desktop connection on a Windows Server 2008 machine. Even running programs that require direct write permissions to the root drive without administrator permissions fail to do so since then.

The affected users have local administrator permissions.

The question I'm facing now is: What caused this change of system behavior? Why did this happen? I didn't find out yet.

What was the last thing I did before it happened?

  • The last action that was made before it happened was the rollout of a GPO containing network drive mappings for the users depending on their security group membership. All network drives are located on a linux server with samba enabled.

  • We did not change any UAC settings, and they have always been activated.

  • However I can't imagine that rolling out this GPO caused the problem. Has anybody faced an issue like that?

Just in case:

  • I know that it is for a specific reason that an user without administrative privileges is prevented from writing to the root drive since windows vista and the implementation of UAC. I don't think that those users should be able to write to drive c, but I try to figure out why this is happening and a few weeks ago this was still working.

  • I also know that a user who is a member of the local administrators group does not execute anything with administrator permissions per default unless he or she executes a program with this permissions.

What did I do yet?

  • I checked the permissions of the affected programs, the affected clients/server. Didn't find something special.

  • I checked ALL of our GPOs if there exist any restrictions that could prevent the affected users from writing to the root drive. Did not find any settings.

  • I checked the UAC settings of the affected users and compared those to other users that still can write to the root drive. Everything similar.

  • I googled though the internet and tried to find someone who had a similar problem. Did not find one.

Has anybody an idea? Thank you very much.

Edit:

The GPO that was rolled out does the following (Please excuse if the settings are not named exactly like that, I translated the settings into english):


**Windows Settings --> Network Drive Mappings --> Drive N: --> General:**
Action: Replace

**Properties:**
Letter: N
Location: \\path-to-drive\drivename
Re-Establish connection: deactivated
Label as: Name_of_the_Share
Use first available Option: deactivated

**Windows Settings --> Network Drive Mappings --> Drive N: --> Public:
Options:**
On error don't process any further elements for this extension: no
Run as the logged in user: no
remove element if it is not applied anymore: no
Only apply once: no

**Securitygroup:**
Attribute --> Value
bool --> AND
not --> 0
name --> domain\groupname
sid --> sid-of-the-group
userContext --> 1
primaryGroup --> 0
localGroup --> 0

**Securitygroup:**
Attribute --> Value
bool --> OR
not --> 0
name --> domain\another-groupname
sid --> sid-of-the-group
userContext --> 1
primaryGroup --> 0
localGroup --> 0

Edit: The Error-Message of an affected users says the following:


Due to an unexpected error you can't copy the file.
Error-Code 0x80070522: The client is missing a required permission.

The command icacls C: shows the following:


NT-AUTORITY\SYSTEM:(OI)(CI)(F)
PRE-DEFINED\Administrators:(OI)(CI)(F)
computername\username:(OI)(CI)(F)

A college just told me that also the primary domain-controller (PDC) changed from Windows Server 2008 to Windows Server 2012. That also may be a reason. Any suggestions?

windows-server-2008
windows-server-2008-r2
windows-7
windows-server-2012
permissions
asked on Server Fault Nov 7, 2013 by Kevin • edited Nov 7, 2013 by Kevin

1 Answer

1

I'm not allowed to comment yet and this isn't a solution as such, but I have noted the same sort of behavior on Windows 7 and 8 in addition to Server 2012 and Server 2012 R2. On top of that, this happens from the Administrator account even after changing the ownership and full permissions of the drives root directory to the Administrator account. Also, this experience was observed on the local account with machines in a workgroup, so networking and the being in a domain is not part of the issue.

For example, Administrator is not allowed to copy a file from the D: drive to the E:\ root, but can copy to E:\temp and then move the file to E:\. Copying is not allowed, but moving on the same drive is.

If you really have users that are allowed to do these functions:

Some users (not all!) report that they cannot any longer save, copy or write files to the root drive c

I would suggest studying closely what is unique about their accounts compared to the others. As far as why the behavior changed, I just assumed that it was something that got applied with Microsoft update. (Sort of an answer :-)

answered on Server Fault Jul 20, 2014 by ZuberFowler • edited Jul 21, 2014 by ZuberFowler

User contributions licensed under CC BY-SA 3.0