0

I am connected as a local administrator using RDP to my WIN2K16 server, and manage it using gui and powershell.

Overall I have full control over the machine, and never had permission errors using both methods. Yet, when running PS and CMD as an administrator I am unable to do some actions on files and directories used by my default IIS site.

I'm able to bypass this error with commands that support the -force flag, for example:

Remove-Item foo returns access is denied, but Remove-Item foo -force works fine. Removing the same files using the gui also works. However actions such as certutil -hashfile foo MD5 will return access is denied, and have no gui alternative or -force flag.

What seems to be the problem?

Pizza
  • 163
  • 8
  • 1
    "Force" gives you access to Hidden and Read Only files so it's likely one or both are set. Clear both Attributes and try your `certutil` command again – jfrmilner Jul 16 '20 at 19:52
  • 2
    Please post the output of `Get-Item -Path foo -Force | Select-Object -Property Mode, IsReadOnly, Attributes`, where `foo` is a file that causes your problem. – stackprotector Jul 17 '20 at 16:54

1 Answers1

0

As suggested by users jfrmilner and Thomas in the comment section, it seems all the files located at the root directory of the default website were tagged as 'Read Only'.

I'm not sure if it is done by default by IIS (as non default sites I run also tag all their files as 'Read Only'), or it is some sort of a security policy I assigned in the past.

To conclude, disabling this attribute solved this mystery.

Pizza
  • 163
  • 8