Win2008R2 Permissions issue

Hello everyone!

Having reinstalled Win2008R2 several times on my test PC I ran into the problem of NTFS permissions on the volumes not containing the OS exactly the same number of times.

Suppose my PC contains two volumes/disks: C: and D:

When I install a fresh copy of Win2008R2 on disk C: everything works perfect.
By default everyone including administrators are allowed to create the folders only in the root of the volumes (C and D) and Creator Owners are then allowed to create any files and folders in the subfolders of root folders (for example, Administrator can create only a folder in D:\, but he/she can create any file/folder in D:\Subfolder).

Nevertheless, when I reformat the volume C: and install another copy of Win2008R2 I can't create anything but a folder in ANY location of disk/volume D (on disk C: everything works well)! I can neither create anything in already existing folders of disk D: nor in the folders I'm creating on disk D: after reinstalling OS.

As I have found out the problem arises because the permission for the Creator Owner group is not translated to a user account permission for the file or folder.

For example, user TestAdmin tries to create a folder 'Test' in the D:\

By default he/she will be treated as a member of Users group (Administrator token is removed). For the "D:\" members of the Users group are allowed to create folders only, so this operation succeeds. Members of Creator Owner group have Full Controll permissions for "D:\ ", so user account 'TestAdmin' should have Full Control permissions for his newly created folder D:\Test.

But it is here where the strangeness emerges: user account 'TestAdmin' does NOT have any permissions for the folder D:\Test!

It doesn't make any difference if TestAdmin keeps creating subfolders of D:\Test (D:\Test\Test1, D:\Test\Test1\Test2 ...) -

'TestAdmin' user account will not be displayed in the "Security" window for any of these subfolfers.

If I run this test on disk/volume C:\ it works fine: the "Security" window for the D:\Test DOES contain 'TestAdmin' user account (the process of converting "Creator Owner" to the actual user account I called "translating ").


So for the volume D: (E:,...Z) the only option for the 'New' command is "Folder ".

IS IT A BUG ???

Thank you in advance,
Michael

 

As i am reading this i think it is related to the security in server environments
I am not clearly remembering what it was but a "user" if it is a admin or not is actually in the system a id number this id number is lost when you format the system.
Hence you start all over and this unique id gets created again, so there is your problem
The easiest way to solve such issues is take ownership of the drive and reset the wished rights, but to be honest in normal operations this never occurs since an admin will restore this same server setup from a backup hence not loose the id's.
It also has todo with the enhanced security on the newer windows versions "7" , "2k8 ", "2k3 R2 "

 

Bronan, thank you for your reply!

"The easiest way to solve such issues is take ownership of the drive " - yes, you're absolutely right! But I'm completely forgot to mention that it was my first action while investigating the issue.

Taking the ownership of the drive does NOT solve the problem !!!

The situation when an operating system is changed frequently on drive C while drives d, e, f ... are left intact is very common in testing environments, so this issue is very annoying ...