I deleted the gporeports folder and did everything from an elevated PowerShell session.

Thanks
Webster

From: [email protected] On Behalf Of Michael B. Smith
Sent: Thursday, April 23, 2015 8:43 AM
To: [email protected]
Subject: [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE

When I go into a freshly built 2012 R2 image, open an elevated command prompt, "md GPOReports" and run icacls, this is what I get:

C:\>icacls c:\GPOReports
c:\GPOReports NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
              BUILTIN\Administrators:(I)(OI)(CI)(F)
              BUILTIN\Users:(I)(OI)(CI)(RX)
              BUILTIN\Users:(I)(CI)(AD)
              BUILTIN\Users:(I)(CI)(WD)
              CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

Which is exactly what is expected, based on:

C:\>icacls c:\
c:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Administrators:(OI)(CI)(F)
    BUILTIN\Users:(OI)(CI)(RX)
    BUILTIN\Users:(CI)(AD)
    BUILTIN\Users:(CI)(IO)(WD)
    CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

You've got some additional permissions, but they are not limiting permissions. By default, a member of the BUILTIN\Users group can read a file, execute a file, add a subdirectory, write to an existing file, and add a file. That doesn't include traverse/list or delete or read attributes.

You also have explicit FC for LabADDomain\ctxadmin, CREATOR OWNER, and BUILTIN\Users. You must have applied those manually. That should allow any authenticated user to do anything to that folder.

Which leads to the next questions - what credential is the application attempting to use and what operations is it attempting to perform? Using procmon might be your best bet there, as Ed suggested.

From: [email protected] On Behalf Of Webster
Sent: Thursday, April 23, 2015 9:18 AM
To: [email protected]
Subject: [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE

Yes, the PoSH session was elevated. Icacls is also being run from an elevated command prompt.

c:\>icacls.exe c:\
c:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Administrators:(OI)(CI)(F)
    BUILTIN\Users:(OI)(CI)(RX)
    BUILTIN\Users:(CI)(S,AD)
    BUILTIN\Users:(CI)(IO)(S,WD)
    CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

c:\>

I could not get the Get-GPOReport to work so I just went into GPMC and did a backup of all GPOs into that folder and that worked.

I am working with a vendor on a new version of one of their products. We can get the current version of their product to work fine in my lab but the new version refuses to run. It will install and let me configure it but the product refuses to run. The vendor wants to recreate my lab as close as they can so they wanted the GPO Reports. Guess they will have to work with the backup instead. Of course I use a PoSH script to create my lab's AD structure and I sent them that script. I am just hoping I don't have an intrinsic issue with my lab's AD that is causing issues with this vendor's software.

When I attempted to see if I could recreate the issue with their new product on Server 2008 R2, GPResult reported an unknown SID for the 2008 R2 server of S-1-18-1. I found the hotfix for that, applied it to the 2008 R2 server but it made no difference in being able to run the new software. The vendor is unable to repro the issue in their lab but it is 100% reproducible in mine. I am running all 2012 R2 servers, FFL is 2012 R2 and I am also using SQL 2014 (no SP1, stand-alone SQL server, no HA).

Thanks
Webster

From: [email protected] On Behalf Of Michael B. Smith
Sent: Thursday, April 23, 2015 8:04 AM
To: [email protected]
Subject: [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE

Notice those are all inherited rights. Notice also that UAC comes into play. Is your PowerShell session elevated?
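The two checks Michael asks for above (is the session elevated, and which ACEs are explicit versus inherited) can be done in one PowerShell script. The following is an added example, not code posted in the thread: it reports the current token's elevation state, lists the folder's DACL with each entry marked Explicit or Inherited (the equivalent of icacls' (I) flag), calls out any Deny entries, and then probes whether the session can actually create a file in the folder. The default path C:\GPOReports is an assumption taken from the thread's example; run it from the same session that is failing.

```powershell
# Added example (not from the thread): inspect a folder's DACL and test file creation
# from the current session. $Path is an assumed default matching the thread's folder.
param(
    [string]$Path = 'C:\GPOReports'
)

# 1. Elevation check: under UAC an administrator's non-elevated token is filtered and
#    does not carry the Administrators group, so IsInRole returns $false there.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as {0}; elevated: {1}" -f $identity.Name, $elevated

# 2. Owner plus every access rule, flagged as Explicit or Inherited.
$acl = Get-Acl -Path $Path
"Owner of {0}: {1}" -f $Path, $acl.Owner
$acl.Access |
    Sort-Object IsInherited, IdentityReference |
    Select-Object @{n='Identity';  e={ $_.IdentityReference }},
                  @{n='Type';      e={ $_.AccessControlType }},
                  @{n='Rights';    e={ $_.FileSystemRights }},
                  @{n='Source';    e={ if ($_.IsInherited) { 'Inherited' } else { 'Explicit' } }},
                  @{n='Inherit';   e={ $_.InheritanceFlags }},
                  @{n='Propagate'; e={ $_.PropagationFlags }} |
    Format-Table -AutoSize

# 3. Deny ACEs override Allow ACEs regardless of how permissive the rest of the list looks.
$denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
if ($denies.Count -gt 0) {
    "Deny ACEs present on {0}:" -f $Path
    $denies | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}

# 4. Probe: try to create (and immediately remove) a uniquely named file in the folder.
#    This exercises the same "add file" right the failing cmdlet needs.
$probe = Join-Path $Path ("acl-probe-{0}.tmp" -f [guid]::NewGuid())
try {
    New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
    Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
    "File creation in {0}: OK" -f $Path
}
catch {
    "File creation in {0}: FAILED - {1}" -f $Path, $_.Exception.Message
}
```

If the probe succeeds here but the cmdlet still reports access denied, the cmdlet is most likely running under a different token or touching a different path, which is the question Michael raises and what Process Monitor would show.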
From: [email protected] On Behalf Of Webster
Sent: Thursday, April 23, 2015 8:53 AM
To: [email protected]
Subject: [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE

c:\>icacls.exe c:\gporeports
c:\gporeports CREATOR OWNER:(OI)(CI)(IO)(F)
              LabADDomain\ctxadmin:(OI)(CI)(F)
              BUILTIN\Users:(OI)(CI)(F)
              NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
              BUILTIN\Administrators:(I)(OI)(CI)(F)
              BUILTIN\Users:(I)(OI)(CI)(RX)
              BUILTIN\Users:(I)(CI)(S,AD)
              BUILTIN\Users:(I)(CI)(S,WD)
              LabADDomain\ctxadmin:(I)(F)
              CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

But:

Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> get-gporeport -All -ReportType HTML -Path c:\GPOReports
get-gporeport : Access to the path 'c:\GPOReports' is denied.
At line:1 char:1
+ get-gporeport -All -ReportType HTML -Path c:\GPOReports
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-GPOReport], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.GroupPolicy.Commands.GetGpoReportCommand

PS C:\Windows\system32>

Thanks
Webster

From: [email protected] On Behalf Of Michael B. Smith
Sent: Thursday, April 23, 2015 7:49 AM
To: [email protected]
Subject: [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE

What does icacls.exe say about the folder?

From: [email protected] On Behalf Of Webster
Sent: Thursday, April 23, 2015 8:44 AM
To: [email protected]
Subject: [NTSysADM] trying to find a thread about missing account(s) on drive/folder ACE

I have run into an issue in my lab where I can create a folder but cannot create any files in the folder after the folder is created. I thought I remembered a thread on this list earlier this year about a similar issue and it was a missing account that needed to be added back. I can't find that thread.

My lab is 2 2012 R2 DCs and FFL of 2012 R2. All my servers are 2012 R2.

Thanks
Webster
