A client recently called in with an interesting problem. When users would create a new folder on a network share, four folders would appear instead of one. Even more interesting is that this was only happening for those users when connecting to the share from a Windows 10 workstation. The same user accessing the share from Windows 7 would only create a single folder.
Now the client did specify that they had a unique requirement for needing to set granular permissions through the use of the Advanced Permissions tab. However, this had been setup long ago and has worked well for a number of years.
I began by using Sysinternals Process Monitor to view the folder creation from the client side.
Four folders are created, but I chose to focus my analysis on the creation of “New Folder (2)”, the second folder created in the sequence. When searching for a reference to this folder name, we immediately notice the numerous ACCESS DENIED messages for the “Create File” operation.
At this point I had the client create a new test user and add that user to an already existing group with higher level permissions. After mapping a drive as this user we were able to verify that creating a new folder resulted in a single folder as expected. So the issue seems to be permissions
Next I went to see what permissions the user had to this folder. Remember here that the client had set granular permissions so we’re looking at the Advanced Security Settings Permissions tab.
So the user has been granted “Create files” and “Create folders” permissions based on their group membership. So what are all the groups with permissions to this folder. (I’ve simplified the listing to just what’s relevant)
The SYSTEM account and Administrators are granted permissions as expected, and the user has their permissions through membership in the Special File Access Group, but when compared to the permissions of a new folder created on a different system we quickly see that there is no entry for CREATOR OWNER. This means that even though the user is granted the ability to create a new folder, they will not have any additional rights to that folder, just the same rights they have in this folder.
Now we know its a permissions issue and we know that the permissions for the user in question are only assigned from the one group. When we revisit the advanced permissions tab shown above and scan the unassigned permissions, the only one that made any sense as being involved was “Write attributes”. Sure enough, through a short trial-and-error I determined that both “Write attributes” and “Write extended attributes” were needed and when selected resulted in only one folder being created.
When going back to the Process Monitor capture we clearly see this as being one of the requested attributes.
So why does this error appear in Windows 10 but not Windows 7 given the same level of permissions?
Here’s a capture of a new folder being created from Windows 7 by the same user.
Short and successful, despite also having a desired access of Write EA and Write attributes, which the user doesn’t have.
Now for comparison purposes let’s assign the user the correct permissions and look at the folder creation process.
Here is a capture of a folder creation in Windows 7
And one from Windows 10
Taking a closer look at the chain of events we see that it begins with a Create File operation resulting in a NAME_NOT_FOUND status. This is a check to see if a folder of the same name already exists. From there we see Windows 7 then create the file, query it, and close it. Windows 10 seems to introduce an additional step before the folder is created, which enumerates the directory listing.
If anyone knows why Window 7 ignores the Desired Access Write Attribute and succeeds anyway I’d love to know!