So, weird problem.
We have the following simplified setup:
- W2K8R2FileServer1 = Fileserver
- W2K3Server2 = Terminalserver (Windows Server 2003)
- W2K8R2Server3 = Terminalserver (Windows Server 2008 R2)
We have the following structure on the fileserver:
- D:\ShareFolder\Subfolder
- D:\ShareFolder is shared as \\W2K8R2FileServer1\Sharefolder
- On D:\ShareFolder only Administrators and SYSTEM are granted access
- On D:\ShareFolder\Subfolder also Domain\User1 is granted access (FC)
On both terminalservers we:
- Login as an administrator and start cmd.exe
- Run runas /user:domain\User1 cmd.exe
- In the new cmd.exe running as domain\User1 run "dir \\W2K8R2FileServer1\ShareFolder\Subfolder"
Results:
- On the W2K3 server we get a directory listing
- On the W2K8 server we get an Access Denied - most of the time!
- If we in the administrator cmd prompt on W2K8 run "dir \\W2K8R2FileServer1\ShareFolder\Subfolder" it works - and if we then do the same in the User1 cmd.exe prompt it also works the first time, but then stops working if repeated (= Access Denied).
Troubleshooting:
- With Process Monitor we see that the W2K8 server gets an Access Denied on \\W2K8R2FileServer1\ShareFolder.
- If we add domain\User1 to the ACL of the ShareFolder1 with e.g. "Read Attributes" on "This folder only", then everything works all the time - and the ProcMon result of the dir seems identical to the one when testing with W2K3 without the extra permission on the root (shared) folder.
- In ProcMon we see that a dir of a subfolder within a share (deep sharing) results in Windows first opening the share folder, querying attributes etc. and closing it again - before it accesses the subfolder specified. It looks exactly the same on W2K3 and W2K8, with the minor difference that on W2K8 the user actually needs permissions on the root (shared) folder, while this is not necessary in W2K3.
- We also tried adding a share on the subfolder and doing a dir of it - and this works as expected since the user has permissions on the folder and don't need to go through the root folder this time.
Thoughts:
- Ok, it seems like MS in W2K8 has a requirement of users having permissions on the shared folder when accessing data using deep sharing... it might make sense for some unknown reason if it was consistent, but it isn't.
We have "solved" the urgent issue by granting a group permissions on the root (shared) folder, the permission being "Read Attributes" on "This folder only", since this seemed the most innocent permission. But we would really rather only have to grant access to the folders that users actually need to access.
Can anyone else replicate this issue? I tried to make it as simple as possible, and we did test a bunch of different W2K8 and W2K8R2 servers (against the same folder structure and share on the same fileserver).
Best regards,
Nicolaj
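The setup, the repeated "deep share" test and the "Read Attributes / This folder only" workaround from the post, as an added PowerShell example (not code from the original poster). It assumes the server and share names used in the thread are placeholders, that the setup part runs elevated on the file server, that the test part runs elevated on a terminal server where the User1 password can be supplied interactively, and that `$LogDir` is a folder the elevated admin can write to; an `(RA)` icacls grant with no `(OI)`/`(CI)` flags is what "Read Attributes" on "This folder only" looks like on the command line.

```powershell
# Added example, not from the original post. Placeholders taken from the thread:
$Root   = 'D:\ShareFolder'
$Sub    = Join-Path $Root 'Subfolder'
$Share  = 'ShareFolder'
$User   = 'domain\User1'
$Unc    = "\\W2K8R2FileServer1\$Share\Subfolder"
$LogDir = 'C:\DeepShareTest'          # assumption: writable by the elevated admin

# --- File server side: recreate the ACL layout described in the post ---------
function Set-TestAcl {
    New-Item -ItemType Directory -Force -Path $Sub | Out-Null
    # Root: inheritance removed, only Administrators and SYSTEM (full, inherited by children)
    icacls $Root /inheritance:r /grant 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null
    # Subfolder: same, plus Full Control for User1
    icacls $Sub  /inheritance:r /grant 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' "${User}:(OI)(CI)F" | Out-Null
    # Share the root; share-level permission is wide open so only NTFS ACLs decide
    if (-not (net share | Select-String "^$Share\s")) {
        net share "$Share=$Root" /grant:Everyone,FULL | Out-Null
    }
    icacls $Root   # show the resulting ACL for the record
    icacls $Sub
}

# --- Terminal server side: run "dir" as User1 repeatedly, like the runas test --
function Test-DeepShareAccess([int]$Repeat = 5) {
    New-Item -ItemType Directory -Force -Path $LogDir | Out-Null
    $cred = Get-Credential $User      # prompts for User1's password
    $results = @()
    for ($i = 1; $i -le $Repeat; $i++) {
        $out = Join-Path $LogDir "dir-$i.txt"
        $err = Join-Path $LogDir "dir-$i.err"
        $p = Start-Process -FilePath 'cmd.exe' -ArgumentList "/c dir $Unc" `
                -Credential $cred -Wait -PassThru `
                -RedirectStandardOutput $out -RedirectStandardError $err
        # cmd /c dir exits 0 on a listing and 1 on "Access is denied"
        $results += New-Object PSObject -Property @{
            Run      = $i
            ExitCode = $p.ExitCode
            Error    = (Get-Content $err | Out-String).Trim()
        }
    }
    return $results | Format-Table Run, ExitCode, Error -AutoSize
}

# Diagnostic a practitioner would want alongside the ACL test: which privileges
# the User1 token actually holds on this terminal server (SeChangeNotifyPrivilege
# is the "Bypass traverse checking" right). Output goes to $LogDir.
function Get-UserPrivileges {
    $cred = Get-Credential $User
    $out  = Join-Path $LogDir 'user1-priv.txt'
    Start-Process -FilePath 'whoami.exe' -ArgumentList '/priv' -Credential $cred `
        -Wait -RedirectStandardOutput $out | Out-Null
    Get-Content $out
}

# --- The workaround from the post: Read Attributes, "This folder only" ---------
function Add-RootReadAttributes {
    # No (OI)/(CI) flags, so the ACE applies to D:\ShareFolder itself only
    icacls $Root /grant "${User}:(RA)"
}

# Typical sequence:
#   on the file server:      Set-TestAcl
#   on the terminal server:  Test-DeepShareAccess -Repeat 10 ; Get-UserPrivileges
#   on the file server:      Add-RootReadAttributes
#   on the terminal server:  Test-DeepShareAccess -Repeat 10
```

Comparing the two `Test-DeepShareAccess` runs (before and after `Add-RootReadAttributes`) gives the same before/after picture the post describes, with the exit code and the captured "Access is denied" text per attempt instead of an eyeballed cmd window; `icacls` output from `Set-TestAcl` documents exactly which ACEs were in place for each run.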