Server shares users can't see some files but Admin can

I have one client with a DC and a secondary DC. I can create shares for certain users or multiple users. They can place files on the shares but sometimes can't see the files they place in the shares. This is happening on a 2012 R2 as well as a 2019 R2. When I look at the shares as the admin I can see the files, but the users can't always see them.

I know this has to be an ownership situation (?) Are the users copying files from their desktops and in turn that is copying the local permissions? But if that was the cause shouldn't they (the users that added the files) be able to see them? I am reluctant to change or inherit permissions until I can figure out what is going on.

One particular file in question says "You must have read permissions to view the properties of this object click on advanced to continue"

As I have said I am reluctant to inherit or take ownership randomly until I figure out what is going on, I would hate to deny the admin access and be totally screwed.

Also, when I add new users and give them full permissions it goes through file by file and I get a "Failed to enumerate" error periodically, I bet those are the files that are hidden as well.

Since this is happening on two OSes, there must be something in common.

Thanks..
 

Sounds like messed up permissions on the folders. Also, if you have access based enumeration enabled on the share, users won't see files or folders they don't have permissions to. If you're worried about messing things up on the existing share, create a new share with the correct permissions and copy some of the data to the new share. If the users don't have issues with the new share - make plans to migrate the remaining old share data to the new share and disable the old one when done.
 
Thanks for the reply, when you say access based enumeration and users won't see the files if they don't have access to them even IF those users have full read, edit, write permissions on the folder?
 
So taking on a possibly poorly set up/badly botched setup like this can take some time.

Start simple.
Top level shares...who should have access to what?
Start shares simple, on the "share level"...share to "everyone" with full access. Next...on the security tab...this is where the NTFS permissions kick in, and get granular here. Ensure at the very least, the Domain Administrators, System and Domain users are here. To pare down permissions, replace Domain Users with the security group(s) of users.

Now...also ensure that TCP/IP is set up properly. Active Directory is based on DNS, DNS is the foundation of Active Directory. The server MUST be set up properly, and DHCP for the workstations...for Active Directory to function properly.

In TCP/IP v4 properties on the server, the domain controller(s) MUST use itself for DNS. You can have 127.0.0.1 there (loopback)...or the server's IP itself. Not the router's IP, not the ISP's DNS servers, not Google DNS or whatever...but the server itself. For secondary DNS, if you have a larger network with multiple DCs...additional servers that run the DNS service...wide area networks, etc...yeah you can put another DC in there. But nothing outside of Active Directory.

DHCP for the workstations...handing out DNS servers...it should hand out the IP of the DC(s). Nothing else. No ISP DNS, no Google DNS or whatever...just the IP of the DC(s).
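
The share layout described in the post above (share level open to Everyone, access controlled on the NTFS security tab), written out as an added PowerShell example that is not part of the original post. The path, share name, security group and the Modify right for the group are assumptions for illustration.

```powershell
# Added example. Run elevated on the file server.
# Hypothetical values: folder path, share name and security group.
$Path  = 'D:\Shares\Projects'
$Share = 'Projects'
$Group = "$env:USERDOMAIN\Projects-Users"   # replaces Domain Users

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# NTFS level: stop inheriting from the parent and grant only what is listed.
$acl = Get-Acl -LiteralPath $Path
$acl.SetAccessRuleProtection($true, $false)   # protect ACL, drop inherited rules

$entries = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';            Rights = 'FullControl' },
    @{ Id = "$env:USERDOMAIN\Domain Admins";  Rights = 'FullControl' },
    @{ Id = $Group;                           Rights = 'Modify' }   # assumed level
)
foreach ($e in $entries) {
    # Rule applies to this folder, subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e.Id, $e.Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $Path -AclObject $acl

# Share level: Everyone / Full Control; NTFS does the real filtering.
New-SmbShare -Name $Share -Path $Path -FullAccess 'Everyone' | Out-Null

# Verify both layers.
Get-SmbShareAccess -Name $Share
(Get-Acl -LiteralPath $Path).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```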
 
It's possible, depending on how inheritance is working within the structure - files can have their own permissions in addition to or separate from their root folders, depending on how inheritance is set up.
Any Object (File / Folder / Shortcut / Reparse Point / etc.) where the user has less than generic read permissions is omitted in the response by the server.

Generic Read means:

  • List Folder / Read Data
  • Read Attributes
  • Read Extended Attributes
  • Read Permissions
Simple way to test would be to check for and disable ABE on the share. If your users can now see the files then it's most likely some inconsistency with their permissions. If the files are now displayed, have them try and launch the file and see what happens - I would assume it would say they don't have permission to open or read the file.
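
The checks discussed in this thread (whether access based enumeration is on, and which files carry their own permissions instead of inheriting them) can be run without changing any ACLs. The following is an added PowerShell example, not part of any post above; the share name is a placeholder.

```powershell
# Added example. Run elevated on the file server. Read-only: changes nothing.
$ShareName = 'Projects'   # placeholder share name

$share = Get-SmbShare -Name $ShareName
"ABE mode on '$ShareName': $($share.FolderEnumerationMode)"  # AccessBased or Unrestricted

# Walk the tree as admin and keep any enumeration failures instead of stopping.
$items = Get-ChildItem -LiteralPath $share.Path -Recurse -Force `
    -ErrorAction SilentlyContinue -ErrorVariable errs

$report = @(foreach ($item in $items) {
    try {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
    } catch {
        # Same class of problem as "Failed to enumerate" in the GUI.
        [pscustomobject]@{ Path = $item.FullName; Owner = '?'
                           Issue = "ACL unreadable: $($_.Exception.Message)" }
        continue
    }
    if ($acl.AreAccessRulesProtected) {
        # Inheritance is off: the parent folder's grants do not reach this item,
        # so ABE hides it from anyone not named in its own ACL.
        [pscustomobject]@{ Path = $item.FullName; Owner = $acl.Owner
                           Issue = 'Inheritance disabled (explicit ACL only)' }
    }
})

# Folders that could not even be listed.
$report += @($errs | ForEach-Object {
    [pscustomobject]@{ Path = $_.TargetObject; Owner = '?'
                       Issue = "Cannot enumerate: $($_.Exception.Message)" }
})

$report | Sort-Object Path | Format-Table Path, Owner, Issue -AutoSize -Wrap

# The ABE test suggested above, left commented out; restore the setting afterwards.
# Set-SmbShare -Name $ShareName -FolderEnumerationMode Unrestricted -Force
# Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased  -Force
```

Items reported with inheritance disabled are the ones to compare against the parent folder's ACL before deciding whether to re-enable inheritance.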
 