-1

I have been handed a new Server 2012 that is a member of the company domain. I am in the local server Administrators group. I do not have a domain account.

When I opened up the permissions properties of some files, the Add/Remove buttons are disabled. For example:

enter image description here

Why can't I modify the ACL for this folder when I am an Administrator?

Old Geezer
  • 397
  • 8
  • 25

2 Answers2

1

It looks like you've opened the permissions window without elevated privileges.

C:\Windows\System32\inetsrv\config is a privileged location, so you should have been presented with a warning message similar to "you currently do not have access to this location" with a UAC prompt when navigating to it.

If you right-click on the schema folder in question, select 'properties' and then navigate to the 'security' tab, you should see an Edit button with a UAC shield on it like the following: properties

Once you click the Edit button, you should be presented with a UAC prompt to elevate as required.

BE77Y
  • 2,667
  • 3
  • 18
  • 23
  • Until this moment, I have not "entered" the `schema` folder, so the UAC button isn't there. After I have navigated into the `schema` folder and cleared the UAC hurdle, the Edit button is now as your screenshot shows. However, upon clicking Edit, the Add and Remove buttons are still disabled. I went to Advanced and checked Effective Access for my id and it did not have Change permission. The group `Administrators` have Full permissions and I am a member of that group, so why do I not have those permissions? – Old Geezer Oct 23 '18 at 11:13
  • Did you receive a UAC prompt when clicking Edit, and therefore elevate appropriately? Or is UAC disabled on the server in question? IT can cause issues if it is indeed disabled. – BE77Y Oct 23 '18 at 11:15
  • Yes, I clicked Yes to `Do you want to allow the following program to make changes...?` `Program name: Permissions editor for files and folders.` Utterly confused now. – Old Geezer Oct 23 '18 at 11:45
  • Frankly, I am likewise; the only remaining explanation is non-standard ACLs and/or ownership being applied to the directory in question. You might benefit from re-setting the ownership of the directory (and its contents) to the Administrators group. – BE77Y Oct 23 '18 at 12:19
1

Administrators aren't allowed to change permissions on this folder.

You can see that by clicking "Cancel" on this window, then "Advanced" in the "Security" tab and you'll see that thw owner is "TrustedInstaller" and "Administrators" have "Full Control" of "Sub-folders and files only".

It's strongly discouraged to change these permissions as you will end up with an untested, unsupported configuration that will probably create security holes and possibly system failures.

However, if you still want to tweak these permissions, you'll have to change the owner of the folder or perform this modification in the System context.

Swisstone
  • 6,725
  • 7
  • 22
  • 32