HAHAHAHAHA.

It should be this:

    Get-GPOReport -All -ReportType Html -Path C:\GPOReports\Report.html

I should've noticed that the first time, but I didn't. Sorry.
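The fix above is that -Path must name the output file, not the folder. As an added example (not code from the thread), the script below generates the consolidated report the thread wanted plus one HTML file per GPO into the same folder, creating the folder first and sanitizing GPO display names for use as file names. The output folder is an assumption; run it from an elevated session, since UAC was the other factor in this thread.

```powershell
# Added example, not from the thread: produce GPO reports the way the thread
# settled on, giving Get-GPOReport a file path rather than a directory.
# $reportDir is an assumption; adjust for your environment.
Import-Module GroupPolicy

$reportDir = 'C:\GPOReports'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

# Consolidated report for every GPO: -Path must be the output FILE.
Get-GPOReport -All -ReportType Html -Path (Join-Path $reportDir 'Report.html')

# One report per GPO, so the vendor can inspect a single policy at a time.
# GPO display names may contain characters that are illegal in file names.
$invalid = [regex]::Escape(-join [System.IO.Path]::GetInvalidFileNameChars())
foreach ($gpo in Get-GPO -All) {
    $safeName = $gpo.DisplayName -replace "[$invalid]", '_'
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $reportDir "$safeName.html")
}

# Show what was written.
Get-ChildItem -LiteralPath $reportDir -Filter *.html | Select-Object Name, Length
```

If the "Access to the path ... is denied" error from earlier in the thread still appears with a file path, the cause is the token, not the folder ACL, and the session needs to be elevated.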

From: [email protected] [mailto:[email protected]] On Behalf Of Webster
Sent: Thursday, April 23, 2015 10:21 AM
To: [email protected]
Subject: [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE

I deleted the gporeports folder and did everything from an elevated PowerShell 
session.


Thanks


Webster

From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Thursday, April 23, 2015 8:43 AM
To: [email protected]
Subject: [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE

When I go into a freshly built 2012 R2 image, open an elevated command prompt, 
"md GPOReports" and run icacls, this is what I get:

C:\>icacls c:\GPOReports
c:\GPOReports NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
              BUILTIN\Administrators:(I)(OI)(CI)(F)
              BUILTIN\Users:(I)(OI)(CI)(RX)
              BUILTIN\Users:(I)(CI)(AD)
              BUILTIN\Users:(I)(CI)(WD)
              CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

Which is exactly what is expected, based on:

C:\>icacls c:\
c:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Administrators:(OI)(CI)(F)
    BUILTIN\Users:(OI)(CI)(RX)
    BUILTIN\Users:(CI)(AD)
    BUILTIN\Users:(CI)(IO)(WD)
    CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

You've got some additional permissions, but they are not limiting permissions. 
By default, a member of the BUILTIN\Users group can read a file, execute a 
file, add a subdirectory, write to an existing file, and add a file. That 
doesn't include traverse/list or delete or read attributes.

You also have explicit FC for LabADDomain\ctxadmin, CREATOR OWNER, and 
BUILTIN\Users. You must have applied those manually. That should allow any 
authenticated user to do anything to that folder.

Which leads to the next questions - what credential is the application 
attempting to use and what operations is it attempting to perform? Using 
procmon might be your best bet there, as Ed suggested.
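Michael's reading of the icacls output separates two questions: what the ACL grants (and whether explicit Full Control for BUILTIN\Users has made the folder wide open) and whether the token actually in use can write there. As an added example that is not code from the thread, the script below answers both for one folder with Get-Acl: it lists ACEs with their inherited/explicit status like icacls does, warns on explicit Full Control for broad groups, reports whether the current session is elevated, and performs a create-and-delete write probe. The folder path and the list of "broad" principals are assumptions.

```powershell
# Added example, not from the thread: audit a folder's ACL and test write access.
# $Folder and $broadPrincipals are assumptions; adjust for the folder under test.
param(
    [string]$Folder = 'C:\GPOReports'
)

if (-not (Test-Path -LiteralPath $Folder)) {
    throw "Folder '$Folder' does not exist."
}

$acl = Get-Acl -LiteralPath $Folder

# Principals that should not normally hold explicit Full Control on a folder.
$broadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# Equivalent of the icacls listing: identity, rights, and whether the ACE is
# inherited ("(I)" in icacls) or was applied directly to this folder.
$rows = foreach ($ace in $acl.Access) {
    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Type      = $ace.AccessControlType
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
        AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
    }
}
$rows | Sort-Object Inherited, Identity | Format-Table -AutoSize

# Explicit (non-inherited) Allow Full Control for a broad group is the
# "any authenticated user can do anything" case Michael describes.
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$tooOpen = $acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $fullControl) -eq $fullControl) -and
    ($broadPrincipals -contains $_.IdentityReference.Value)
}
foreach ($ace in $tooOpen) {
    Write-Warning "Explicit Full Control for $($ace.IdentityReference.Value) on $Folder"
}

# The second question: can THIS token create a file? With UAC, a non-elevated
# admin session carries a filtered token, so the ACL alone does not decide it.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]$identity
$elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Running as $($identity.Name); elevated: $elevated"

$probe = Join-Path $Folder ("write-probe-{0}.tmp" -f [guid]::NewGuid())
try {
    [System.IO.File]::WriteAllText($probe, 'probe')
    Remove-Item -LiteralPath $probe -Force
    Write-Host "Write probe succeeded in $($Folder)"
} catch [System.UnauthorizedAccessException] {
    Write-Host "Write probe DENIED in $($Folder): $($_.Exception.Message)"
}
```

If the probe is denied while the ACL listing shows Allow entries for the principal in use, the next step is the one Michael and Ed point to: use Process Monitor to see which credential and which operation the application is actually performing.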


From: [email protected] [mailto:[email protected]] On Behalf Of Webster
Sent: Thursday, April 23, 2015 9:18 AM
To: [email protected]
Subject: [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE

Yes, the PoSH session was elevated. Icacls is also being run from an elevated 
command prompt.

c:\>icacls.exe c:\
c:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Administrators:(OI)(CI)(F)
    BUILTIN\Users:(OI)(CI)(RX)
    BUILTIN\Users:(CI)(S,AD)
    BUILTIN\Users:(CI)(IO)(S,WD)
    CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

c:\>

I could not get the Get-GPOReport to work so I just went into GPMC and did a 
backup of all GPOs into that folder and that worked.

I am working with a vendor on a new version of one of their products. We can 
get the current version of their product to work fine in my lab but the new 
version refuses to run. It will install and let me configure it but the product 
refuses to run. The vendor wants to recreate my lab as close as they can so 
they wanted the GPO Reports. Guess they will have to work with the backup 
instead. Of course I use a PoSH script to create my lab's AD structure and I 
sent them that script.

I am just hoping I don't have an intrinsic issue with my lab's AD that is 
causing issues with this vendor's software. When I attempted to see if I could 
recreate the issue with their new product on Server 2008 R2, GPResult reported 
an unknown SID for the 2008 R2 server of S-1-18-1. I found the hotfix for that, 
applied it to the 2008 R2 server but it made no difference in being able to run 
the new software.

The vendor is unable to repro the issue in their lab but it is 100% 
reproducible in mine. I am running all 2012 R2 servers, FFL is 2012 R2 and I am 
also using SQL 2014 (no SP1, stand-alone SQL server, no HA).

Thanks


Webster

From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Thursday, April 23, 2015 8:04 AM
To: [email protected]
Subject: [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE

Notice those are all inherited rights.

Notice also that UAC comes into play.

Is your PowerShell session elevated?

From: [email protected] [mailto:[email protected]] On Behalf Of Webster
Sent: Thursday, April 23, 2015 8:53 AM
To: [email protected]
Subject: [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE

c:\>icacls.exe c:\gporeports
c:\gporeports CREATOR OWNER:(OI)(CI)(IO)(F)
              LabADDomain\ctxadmin:(OI)(CI)(F)
              BUILTIN\Users:(OI)(CI)(F)
              NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
              BUILTIN\Administrators:(I)(OI)(CI)(F)
              BUILTIN\Users:(I)(OI)(CI)(RX)
              BUILTIN\Users:(I)(CI)(S,AD)
              BUILTIN\Users:(I)(CI)(S,WD)
              LabADDomain\ctxadmin:(I)(F)
              CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

But:

Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> get-gporeport -All -ReportType HTML -Path c:\GPOReports
get-gporeport : Access to the path 'c:\GPOReports' is denied.
At line:1 char:1
+ get-gporeport -All -ReportType HTML -Path c:\GPOReports
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-GPOReport], 
UnauthorizedAccessException
    + FullyQualifiedErrorId : 
System.UnauthorizedAccessException,Microsoft.GroupPolicy.Commands.GetGpoReportCommand

PS C:\Windows\system32>

Thanks


Webster

From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Thursday, April 23, 2015 7:49 AM
To: [email protected]
Subject: [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE

What does icacls.exe say about the folder?

From: [email protected] [mailto:[email protected]] On Behalf Of Webster
Sent: Thursday, April 23, 2015 8:44 AM
To: [email protected]
Subject: [NTSysADM] trying to find a thread about missing account(s) on drive/folder ACE

I have run into an issue in my lab where I can create a folder but cannot 
create any files in the folder after the folder is created. I thought I 
remembered a thread on this list earlier this year about a similar issue and it 
was a missing account that needed to be added back. I can't find that thread.

My lab is 2 2012R2 DCs and FFL of 2012 R2. All my servers are 2012 R2.

Thanks


Webster

