Windows Server 2016 - permissions get lost at different subfolder levels

Fabian 21 Reputation points
2020-11-16T12:49:22.047+00:00

Hi all,

we have a Windows Server 2016 with IIS 10.
There we have a disk D:, 450 GB in size, ~300 GB free. We also have a local user "ABC".

User "ABC" was granted Modify permissions on D: by right-clicking > Properties > Security > Edit > Add.

Now this user should have been permissions on all subfolders and files.
But unfortunately for some paths this is not the case.
I cannot recognize any patterns. Some paths where the user loses permissions are quite deep down in the hierarchical folder structure. Other paths are within the first few levels of subfolders.

The only thing I noticed is that the lost permissions are always somewhere in the D:\inetpub\web\docs folder structure.
D:\inetpub\web\docs is exactly the path where we have a website configured. The website runs with IIS and ColdFusion.

How can I fix this?

As it's on a production server I'm not able to do much of trial and error.
I tried to fix the permissions with icacls. This at least sometimes works.
e.g. when we received a complaint that folder D:\inetpub\web\docs\application\sources\foo\bla\bar is not accessible we ran:

icacls D:\inetpub\web\docs\application\sources\foo\bla\bar /grant "SERVERNAME\ABC":M /t

If there are not many files in the subfolders of D:\inetpub\web\docs\application\sources\foo\bla\bar then this usually works. If there are a lot of files it does not work reliably and some folders and/or files just get ignored.
I've also tried to run icacls on D: directly without much success.

Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,505 questions
Windows Server Storage
Windows Server Storage
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Storage: The hardware and software system used to retain data for subsequent retrieval.
650 questions
0 comments No comments
{count} votes

Accepted answer
  1. MotoX80 33,556 Reputation points
    2020-11-17T15:30:04.323+00:00

    Use this Powershell script to analyze the folders to find out which folders do not inherit permissions from their parent folder.

    Then you can fix the permissions manually, or use the folder names to build icacls commands to add the desired access.

     cls
    $target = 'C:\Temp\'
    $folders = Get-ChildItem -path $target -Directory -Recurse
    "These folders do not inherit permissions from their parent folder."
    foreach ($f in $folders){
        $acl = get-acl $f.FullName 
        $aces = $acl.Access
        $FoundInherited = $false 
        foreach ($ace in $aces) {
            if ($ace.IsInherited -eq $true) {
                $FoundInherited = $true
            }
        }
        if ($FoundInherited -eq $false) {
            $f.fullname
        }
     }
    

    I don't like granting access to individual users on server file systems. In my case, when those users quit the company, their accounts got deleted. Then I would get a request for the new employee to have the same access as the terminated employee. I would have dead SID's on the file system and I had to try to figure out where to grant access to the new account.

    Always grant access by a group. Then you can just add/remove users from the group as their roles change.

    Also check to see if the application support team has the ability to change permissions on the file system. If they publish the web site, that might overwrite the permissions. When I defined a new site in IIS I also created local security groups to allow the web site owners to manage their groups using a security web site that I built. Only server administrators were allowed to modify file permissions. The application team could only add/remove users from their groups.

    Before I implemented that policy, I spent entirely too many hours troubleshooting the exact same problem that you are facing.

    1 person found this answer helpful.

2 additional answers

Sort by: Most helpful
  1. Leon Laude 85,786 Reputation points
    2020-11-16T13:18:09.903+00:00

    Hi @Fabian ,

    In general permissions do not get changed unless someone changed them, as this is a folder structure that belongs to IIS, it's possible that it could be IIS itself modifying these. You could ask the more subject matter experts in the dedicated IIS forum below if they might know what's going on.
    https://forums.iis.net/

    ----------

    (If the reply was helpful please don't forget to upvote or accept as answer, thank you)

    Best regards,
    Leon


  2. Mico Mi 1,926 Reputation points
    2020-11-17T09:14:20.567+00:00

    Hi FabianJ,
    You can try the following commands and see if it works.
    To enable the inherited permissions on a file or folder object:
    icacls "full path of folder or drive" /grant UserName:(oi)(ci)f /inheritance:e

    Or you can try the solution if you wish to reset the permissions on the child objects to match the permissions on the parent object:
    Right click the parent folder, choose Properties>Security> Advanced
    Check the following checkbox and press Apply:
    Replace all child object permission entries with inheritable permission entries from this object.
    Every subfolder will now get their permissions reset.

    For more information, you can check the following link:
    https://www.tenforums.com/tutorials/88305-enable-disable-inherited-permissions-objects-windows.html
    https://theitbros.com/using-icacls-to-list-folder-permissions-and-manage-files/
    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
    Thanks for your time!
    Best Regards,
    Mico Mi

    -----------------------------

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.