1

I'm dealing with two directories, the one being the parent of the other (but that's irrelevant for the question). I want to read the files in one directory, using an application, but that seems not to work. According to the PowerShell Get-Acl command, that can easily be explained:

Prompt> Get-Acl -All C:\Temp_Folder\Decompile
...
Path      Owner           Access                                                                                                                                    
----      -----           ------                                                                                                                                    
Decompile Domain\MyUser   APPLICATION PACKAGE AUTHORITY\ALL APPLICATION 
                          PACKAGES Allow  Write, Read, Synchronize...                                                 

Prompt> Get-Acl -All C:\Temp_Folder\Decompile\Customer_Logs
...
Path          Owner           Access                                                                                                                                     
----          -----           ------                                                                                                                                     
Customer_Logs Domain\MyUser   NT AUTHORITY\SYSTEM Allow  FullControl... 

As you can see, I have full control over the directory "C:\Temp_Folder\Decompile\Customer_Logs" while the permissions on the directory "C:\Temp_Folder\Decompile" are limited.

However, the problem is just the opposite: I can see everything in the "C:\Temp_Folder\Decompile" directory, while I see nothing in the "C:\Temp_Folder\Decompile\Customer_Logs" directory.

  1. How is this possible?
  2. Is there a way to copy the file permissions from one directory to another one? (I didn't see such an option in the PowerShell Set-Acl command)

Oh, my application is Microsoft Server Management Studio, version v18.12. I'm trying to restore a backup and I can't seem to find it in its directory.

Edit1: Full list of directories' file permissions:

Prompt> Get-Acl -All C:\Temp_Folder\Decompile\ | fl

Path   : Microsoft.PowerShell.Core\FileSystem::
         C:\Temp_Folder\Decompile\
Owner  : Domain\MyUser
Group  : Domain\Domain Users
Access : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES
         Allow  Write, Read, Synchronize
         BUILTIN\Administrators Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
         NT AUTHORITY\Authenticated Users Allow  Modify, Synchronize
         NT AUTHORITY\Authenticated Users Allow  -536805376
Audit  : 
Sddl   : ...

Prompt> Get-Acl -All C:\Temp_Folder\Decompile\Customer_Logs | fl

Path   : Microsoft.PowerShell.Core\FileSystem::
         C:\Temp_Folder\Decompile\Customer_Logs
Owner  : Domain\MyUser
Group  : Domain\Domain Users
Access : NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         Domain\GVH Allow  FullControl
         Domain\MyUser Allow  FullControl
Audit  : 
Sddl   : ...

Edit2: icacls results:

C:\Temp_Folder\Decompile>icacls .
. APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(R,W)
  BUILTIN\Administrators:(I)(OI)(CI)(F)
  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
  BUILTIN\Users:(I)(OI)(CI)(RX)
  NT AUTHORITY\Authenticated Users:(I)(M)
  NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files

...

C:\Temp_Folder\Decompile\Customer_Logs>icacls .
. Domain\MyUser:(OI)(CI)(F)
  Domain\GVH:(OI)(CI)(F)
  BUILTIN\Administrators:(OI)(CI)(F)
  NT AUTHORITY\SYSTEM:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
6
  • I don't actually see you having full control over either of those directories. You're only listed as the owner, but the entire ACL isn't shown (use |fl or even icacls.exe to get it) and you're not listed in the truncated ACL output. Commented Sep 19, 2022 at 9:29
  • @user1686: thanks for the |fl trick: I'm quite a newbie in PowerShell :-) I've edited my question accordingly.
    – Dominique
    Commented Sep 19, 2022 at 9:41
  • Hmm, can you still show the result of icacls for both directories? Commented Sep 19, 2022 at 9:56
  • @user1686: I added the icacls results. If this does not solve the issue, I'm afraid there's a bug somewhere in my SQL-Server Management Studio application.
    – Dominique
    Commented Sep 19, 2022 at 10:04
  • Right, those look more-or-less normal – in that case, could it be that there are no files in the directory? Only cmd.exe's dir has a habit of saying the directory is "empty" when it gets an access-denied error, but PowerShell and graphical browsers would just outright say that access is denied. Commented Sep 19, 2022 at 10:06

1 Answer

1

I think the key here is you mentioned “Microsoft Server Management Studio” and you’re trying to restore a backup. I think you mean SQL Server Management Studio.

If that is the case, it is not YOU who needs permissions to the folder, but the SQL server service account which is usually NT SERVICE\MSSQLSERVER.

You must grant read access to the folder containing the backups for the SQL service account if you want SSMS and SQL server to be able to restore from them. You can find the SQL server service account by opening SQL Server Configuration Manager, then assign this user permissions on the folders.

More info here: https://www.mssqltips.com/sqlservertip/6930/issues-sql-server-permissions-restore-database/

In regards to seeing the top level folder, and not the Customer_Logs folder, it’s because the parent folder gives all users on the system access through both BUILTIN\Users and NT AUTHORITY\Authenticated users but Customer_Logs does not.
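An added example, not part of the answer above: a PowerShell check of whether the service account is covered by the backup folder's ACL, followed by a grant of read access to that account alone rather than to a broad group. The folder path is taken from the question and the account name is the usual default mentioned in the answer; both are assumptions to confirm on the actual machine, and the group coverage is approximated by a fixed list.

```powershell
# Assumed values: folder from the question, default-instance service account from the answer.
# Confirm the real account in SQL Server Configuration Manager before running.
$BackupDir  = 'C:\Temp_Folder\Decompile\Customer_Logs'
$SqlAccount = 'NT SERVICE\MSSQLSERVER'

$acl = Get-Acl -LiteralPath $BackupDir

# Principals that would already cover the service account if they appear in the ACL.
# This is a fixed approximation of group membership, not a token lookup.
$covering = @($SqlAccount, 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone')

$read        = [System.Security.AccessControl.FileSystemRights]::Read
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$hasRead = $false
foreach ($ace in $acl.Access) {
    $isAllow    = $ace.AccessControlType -eq 'Allow'
    $grantsRead = ($ace.FileSystemRights -band $read) -eq $read
    # Inherit-only entries apply to children, not to the folder itself.
    $appliesHere = ($ace.PropagationFlags -band $inheritOnly) -ne $inheritOnly
    if ($isAllow -and $grantsRead -and $appliesHere -and
        ($covering -contains $ace.IdentityReference.Value)) {
        $hasRead = $true
    }
}
# Deny entries are not evaluated here; review them by eye in the table printed below.

if (-not $hasRead) {
    # Least privilege: read and list only, inherited by files and subfolders.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $SqlAccount, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $BackupDir -AclObject $acl
}

# Show the resulting ACL, including which entries are inherited from the parent.
(Get-Acl -LiteralPath $BackupDir).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

In the question's icacls output the entries on Customer_Logs carry no (I) flag while those on the parent do, so the subfolder receives nothing from the parent and the grant has to be made on Customer_Logs itself.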

3
  • Thanks a lot, you nailed it! I have added Authenticated Users to the list of users in the "Security" tab, and now it seems to be working. I believe the whole thing is a side-effect of having shared that directory once, so now I wonder if there's a way to ensure that sharing/unsharing does not cause file permissions to be lost. I'll write another question for this matter.
    – Dominique
    Commented Sep 20, 2022 at 6:39
  • 1
    @Dominique hi. Glad it worked. I'm not sure how the permissions ended up like that, but sharing and unsharing a folder does not change its NTFS permissions. There are two sets of permissions. NTFS permissions are file system permissions that affect the folder both with local access and network access. Share permissions affect access only for network access. Unsharing / sharing a folder may reset or change sharing permissions but it will not change NTFS permissions referred to in this post. Commented Sep 20, 2022 at 19:16
  • Thanks for that extra remark.
    – Dominique
    Commented Sep 21, 2022 at 6:24
