Microsoft Cluster and file permissions changed

Lidia (IS-IT--Management), Oct 18, 2002
Hi,

I've reinstalled two cluster machines, maintaining the information on the shared disk without changes, except the quorum disk. Before this, my customer had 300 file share resources in the Cluster Administrator; I've changed this and I've used the "share subdirectories" option from Administrator. Then, after this, I find that in all the folders the permission for the Administrators group in the Domain has been changed to Administrators on the local machine (NTFS security level). If I failover the resources, magically, this permission changes to the Administrators local group for the other machine. Anybody know why?

Also, some folders aren't automatically shared; we need to move the information to another disk and afterwards re-copy the information to the old directory, but then I lose the permissions.

Before the re-installation, both nodes were Domain Controllers, now, the machines are members.

I'm talking about Windows 2000 Advanced Server SP2.

Thanks in advance for your replies,
Lidia
 
Something to keep in mind. All file shares are created with cluster administrator, not with windows explorer.

-Xen
 
> If I failover the resources, magically, this permission change to the Administrators local group for the other machine. Anybody knows why?

The computer's local admin group, has the following well-known SID:

S-1-5-32-544

The SID is composed from:
A revision level of 1
An identifier-authority value of 5 (SECURITY_NT_AUTHORITY)
A first subauthority value of 32 (SECURITY_BUILTIN_DOMAIN_RID)
A second subauthority value of 544 (DOMAIN_ALIAS_RID_ADMINS)

As you can see, the local admin SID doesn't carry the computer's SID, so it's the same everywhere. If you display the NTFS security on node 1, you will see NODE1\Administrators where on node 2 you'll see NODE2\Administrators.

For example the local admin account has the computer SID as its base with the RID of 500 appended to it:

S-1-5-21-13124455-12541255-61235125-500


Imagine two member servers, C1 and C2.
It is not possible (well it is, but not via the GUI) to grant C2\Administrator access to a folder on C1. Only domain accounts. It's nonsense.

For this reason shared resources must be permissioned against domain accounts or *well-known* accounts (like everyone, system, local admin group, etc).
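The reply above explains the observation by the SID layout, so here is a small worked example of that layout: a text/binary SID codec plus a check that tells a BUILTIN alias such as S-1-5-32-544 (identical SID on every computer, but resolved by each computer to its own local group) apart from an S-1-5-21 SID that is bound to one specific domain or computer. This is an added illustration written for this page, not code from the thread or from Microsoft; the constants are the documented values the reply names, and the long S-1-5-21 SID is the sample one quoted in the reply, not a real machine's.

```python
"""Windows SID codec and scope check (added example, not from the original thread).

Text form:   S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
Binary form: revision (1 byte), sub-authority count (1 byte),
             identifier authority (6 bytes, big-endian),
             sub-authorities (4 bytes each, little-endian).
"""
import struct

SECURITY_NT_AUTHORITY = 5           # identifier authority of all NT SIDs
SECURITY_BUILTIN_DOMAIN_RID = 32    # first sub-authority of BUILTIN aliases (S-1-5-32-*)
SECURITY_NT_NON_UNIQUE = 21         # first sub-authority of domain/computer SIDs (S-1-5-21-*)
DOMAIN_ALIAS_RID_ADMINS = 544       # BUILTIN\Administrators
DOMAIN_USER_RID_ADMIN = 500         # the Administrator account of a domain or computer


def parse_sid(text):
    """Split 'S-1-5-32-544' into (revision, identifier_authority, [sub-authorities])."""
    parts = text.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision = int(parts[1])
    authority = int(parts[2], 0)    # base 0 also accepts the 0x... form Windows uses for large authorities
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or any(s < 0 or s > 0xFFFFFFFF for s in subs):
        raise ValueError("malformed SID: %r" % text)
    return revision, authority, subs


def format_sid(revision, authority, subs):
    """Inverse of parse_sid (authority always printed in decimal here)."""
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_to_bytes(text):
    """Binary SID as it is stored inside an NTFS security descriptor."""
    revision, authority, subs = parse_sid(text)
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def bytes_to_sid(raw):
    """Decode the binary form back to text."""
    revision, count = struct.unpack_from("<BB", raw, 0)
    authority = int.from_bytes(raw[2:8], "big")
    subs = list(struct.unpack_from("<%dI" % count, raw, 8))
    return format_sid(revision, authority, subs)


def sid_scope(text):
    """Classify how a SID resolves.

    'builtin'      : S-1-5-32-RID. The SID carries no computer identifier, so it is
                     byte-identical on NODE1 and NODE2, yet each node resolves it to its
                     own local group (NODE1\\Administrators vs NODE2\\Administrators).
    'issuer-bound' : S-1-5-21-A-B-C-RID. A-B-C names one specific domain or computer,
                     so the SID means the same account wherever the ACL is displayed.
    'well-known'   : other fixed SIDs such as S-1-1-0 (Everyone) or S-1-5-18 (SYSTEM).
    """
    _, authority, subs = parse_sid(text)
    if authority == SECURITY_NT_AUTHORITY and subs[0] == SECURITY_BUILTIN_DOMAIN_RID:
        return "builtin"
    if (authority == SECURITY_NT_AUTHORITY and subs[0] == SECURITY_NT_NON_UNIQUE
            and len(subs) == 5):
        return "issuer-bound"
    return "well-known"


def issuer_of(text):
    """For an issuer-bound SID, the domain/computer SID it was issued by (the SID
    without its RID); None for SIDs that carry no issuer at all."""
    if sid_scope(text) != "issuer-bound":
        return None
    revision, authority, subs = parse_sid(text)
    return format_sid(revision, authority, subs[:-1])


if __name__ == "__main__":
    # Constructed sample ACE SIDs: the two quoted in the reply, plus Everyone.
    for sid in ("S-1-5-32-544", "S-1-5-21-13124455-12541255-61235125-500", "S-1-1-0"):
        print("%-42s %-13s issuer=%-38s bin=%s" % (
            sid, sid_scope(sid), issuer_of(sid), sid_to_bytes(sid).hex()))
```

Run against the ACL of a clustered folder, an ACE whose SID classifies as `builtin` is the one that will "change" its displayed name on failover: nothing in the ACE changed, only the node that translates S-1-5-32-544 into a name. This also fits the detail that both nodes used to be domain controllers: on a DC the local BUILTIN\Administrators group is the domain's built-in Administrators group with that same SID, so the ACEs looked like the domain's group before the rebuild and like each node's own group after demotion to member servers. Only an `issuer-bound` SID (for example a domain group) names the same principal from both nodes, which is the reason for the rule in the reply above.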
 