Completely stripped directory permissions (file recovery/deletion)...

[mvbighead]

Suffice it to say, there is something going on that is chewing up file permissions on the following path:

C:\Users\All Users\Microsoft\Windows\Start Menu\Programs

By chewing up, I mean, as a domain admin, I cannot read/write/delete the sub-folders / files.

I have tried using a powershell script run under the SYSTEM account, and it does not have access to the sub-folders / files either. At this point, I have a bunch of useless directories that I can neither update nor remove/replace.

I have tried to run Powershell as an admin and run a delete -force command, but that fails as well. Pretty much looks to me as though those files are stuck unless I use a third party app to try and remove them.

As far as what is chewing the permissions up, I have my suspicions that it is a 3rd party software deployment application that I'd rather not get into.

 

[goobernoodles]

Are you able to take ownership of the top directory?

 

[mvbighead]

Yep. The parent object I have access to is : C:\Users\All Users\Microsoft\Windows\Start Menu

Problem is, I cannot propagate permissions to the subfolders because I essentially don't have permission to access them.

 

[mvbighead]

Ah, scratch that. Thank you very much for pointing me in that direction. Seems I can work my way down and maybe get this cleaned up.

Now, to do this automagically with Powershell...

 

[mvbighead]

Thanks again. I never realized you could do that, one machine cleaned up. Now on to making this work for dozens of others.

 

[goobernoodles]

I assume you found the "replace all child object permissions with inheritable permissions" check box?

 

[mvbighead]

I assume you found the "replace all child object permissions with inheritable permissions" check box?

Indeed I did. Even created a script to correct the errors automatically, and then restore ownership to the BUILTIN\Administrators group.

Now the plot thickens...

Seems my test system which I manually corrected (via your advice) and verified has now gone a step further. Now, something has gone and stripped permissions from the parent folder:

C:\Users\All Users

Shortcuts are again broken, and the two systems I manually repaired are back to being borked. Running malwarebytes to assure I do not have a virus problem, but I still suspect an application deployment tool that was recently implemented.

 

[goobernoodles]

Eesh... You might want to try running sfc (system file checker), though I don't think it checks security permissions. Go to start > all programs > accessories and right click command prompt, then run as administrator. Type the command "sfc /scannow" without quotes.

 

[mvbighead]

Running now. Granted, I already re-fixed the issues on the machine I am testing now.

I'd always thought of that as more of an OS files type of tool. Trying anyhoo.

Any ideas on tracking changes of NTFS permissions? I'd really like to just get to the bottom of what is screwing this up.

 

[vailr]

Check this thread for information pertaining to the
"replicating Application Data folder" problem, and how simply "taking ownership" of certain folders in Windows 7 64-bit can have unintended consequences.
http://www.sevenforums.com/general-...ation-data-folder-replicating.html#post990903

 

[dawks]

Seems my test system which I manually corrected (via your advice) and verified has now gone a step further. Now, something has gone and stripped permissions from the parent folder:

C:\Users\All Users

Shortcuts are again broken, and the two systems I manually repaired are back to being borked. Running malwarebytes to assure I do not have a virus problem, but I still suspect an application deployment tool that was recently implemented.

hmm. Pull back the application deployment asap. You can turn on auditing for file permissions with Group Policy. Or just wipe the computers and start over.

 

[mvbighead]

hmm. Pull back the application deployment asap. You can turn on auditing for file permissions with Group Policy. Or just wipe the computers and start over.

I have yet to do anything with auditing file permissions using GPO. Any more direction you can give on where I'd go to check / configure this?

EDIT: NVM, I think I got it. I now have it enabled and hopefully will see something. Thanks for the pointer.

 

[mvbighead]

New question, when auditing is enabled... where is the log?

Scratch that too - Security logs I suppose.

 

[mvbighead]

Well, here is the kicker. My first bonehead move in the last year or so and it was the cause of the problem.

We had an onsite career fair of sorts and they needed to access this particular room for Internet use. I threw out a quick dirty policy to deny them access to the any of the applications that existed on the system, and we moved the systems to a separate Internet circuit. Completely forgot about it after the fact, and it has been making these changes ever since.

Uck. I feel quite stupid at the moment. Time to go home I guess.