I hope someone can answer this once and for all, this is driving me mad for months now.
- Platform: Windows Server, any version. This problem doesn't happen on a workstation.
- Problem:
In a folder, whenever I create files while being Administrator (from a command prompt or from a batch run "As Administrator"), the user I am connected with cannot edit the files created. The set of permissions is missing my user with "Special permissions" (whatever that means), whereas this doesn't happen on a workstation. Why??
I tried many flavors of ICACLS, among which the one that comes back all the time in search results: ICACLS folder /reset /C /L /T
and it doesn't help: my user still cannot edit the files unless it's in the set of permissions.
The only bypass I found is to force grant full access to my user like so: icacls folder /grant %USERNAME%@%USERDNSDOMAIN%:F /T /C /Q
The problem is that the set of permissions for files still doesn't match what it should be:
- missing CREATOR OWNER
- COMPUTERNAME\Users are missing inheritance ("Special Permissions")
Is there something I'm doing wrong?
What is the best practice when executing batches as admin, when you want the files created to have the same permissions as if you were not executing the batch as Administrator? Is it possible to actually reset the permissions to the way they should be without writing a batch with multiple conditions?
I don't think you're doing anything wrong, and the system is working as designed. When running a script with an elevated account within a non-privileged session, you are creating the file as administrator. As far as I understand, members of the administrator group will have full permission, not the logged-in user account. User permissions will have to be added to the file exactly how you are bypassing it. You can also use takeown %USERNAME% in your script to change the owner of the file. I believe you will need to add the conditions to your batch files.
There is no solution, only a workaround: force-apply permissions by granting full access to the user of your choice:
icacls folder /grant %USERNAME%@%USERDNSDOMAIN%:F /T /C /Q
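To see exactly what the question and the two answers are describing before applying the workaround, the following PowerShell script audits the files under a folder: it lists which entries the folder hands down, which of those actually reach each file as inherited entries, who owns each file, which entries were added explicitly (the ones a `/grant` leaves behind), and which entries the Security tab would label "Special permissions" (any rights combination that is not one of the basic sets). It can also switch inheritance back on for files where it was turned off. This is an added example, not code from the thread; the function name, the expected-identity list and the folder path are assumptions, and it assumes Windows PowerShell 5.1 or later on the server.

```powershell
# Added example, not from the thread. Audits inherited vs. explicit ACL entries on files
# under a folder and optionally re-enables inheritance. Folder path, function name and
# the expected-identity list are the example's own assumptions.

# Rights strings that the Security tab shows as a basic permission; any other
# combination (or a raw numeric value from generic rights) is displayed as "Special permissions".
$script:BasicRightSets = @(
    'FullControl',
    'Modify, Synchronize',
    'ReadAndExecute, Synchronize',
    'Read, Synchronize',
    'Write, Synchronize'
)

function Test-FolderInheritance {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        # Identities whose inheritable entries on the folder should reach every file.
        # CREATOR OWNER is deliberately not listed: when that placeholder entry is inherited
        # by a file, Windows replaces it with an entry for the file's actual owner, so a
        # file never carries a literal CREATOR OWNER entry (subfolders do).
        [string[]] $ExpectedIdentities = @('BUILTIN\Users'),
        [switch]   $RestoreInheritance
    )

    # What the folder passes down; the per-file report below is compared against this.
    $parentAcl = Get-Acl -LiteralPath $Folder
    Write-Host "Inheritable entries on $Folder"
    foreach ($ace in ($parentAcl.Access | Where-Object { $_.InheritanceFlags -ne 'None' })) {
        $kind = if ($script:BasicRightSets -contains $ace.FileSystemRights.ToString()) { 'basic' } else { 'special' }
        Write-Host ('  {0,-28} {1,-40} {2,-8} {3}' -f $ace.IdentityReference, $ace.FileSystemRights, $kind, $ace.InheritanceFlags)
    }

    foreach ($file in Get-ChildItem -LiteralPath $Folder -File -Recurse) {
        $acl = Get-Acl -LiteralPath $file.FullName

        if ($RestoreInheritance -and $acl.AreAccessRulesProtected) {
            # $false = not protected, i.e. inheritance from the parent is switched back on.
            $acl.SetAccessRuleProtection($false, $false)
            Set-Acl -LiteralPath $file.FullName -AclObject $acl
            $acl = Get-Acl -LiteralPath $file.FullName   # re-read to report the post-change state
        }

        $inherited = @($acl.Access | Where-Object {  $_.IsInherited } | ForEach-Object { $_.IdentityReference.Value })
        $explicit  = @($acl.Access | Where-Object { !$_.IsInherited } | ForEach-Object { $_.IdentityReference.Value })
        $special   = @($acl.Access |
                       Where-Object { $script:BasicRightSets -notcontains $_.FileSystemRights.ToString() } |
                       ForEach-Object { '{0} ({1})' -f $_.IdentityReference.Value, $_.FileSystemRights })
        $missing   = @($ExpectedIdentities | Where-Object { $inherited -notcontains $_ })

        [pscustomobject]@{
            File               = $file.FullName
            Owner              = $acl.Owner
            InheritanceEnabled = -not $acl.AreAccessRulesProtected
            MissingInherited   = ($missing  -join ', ')
            ExplicitEntries    = ($explicit -join ', ')
            SpecialEntries     = ($special  -join '; ')
        }
    }
}

# Usage (placeholder path): run once to report, then again with -RestoreInheritance to act.
Test-FolderInheritance -Folder 'D:\Shares\Drop' | Format-Table -AutoSize
```

Reading the report: a file whose Owner is BUILTIN\Administrators while the inherited entry for the user's group carries only "special" rights is the situation the question describes. If you do keep the `/grant` workaround, note that `:F` is Full Control, which also lets that user change permissions and take ownership; `:M` (Modify) is enough for editing files and is the narrower grant.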