Access denied when changing NTFS permissions on a NetApp CIFS share from Windows 2008

I suspect this problem isn’t limited to just managing CIFS shares on NetApp’s. I bet if you’ve got a Windows File Server and you’re trying to edit NTFS permissions on shares via a Windows 2008 Computer Management MMC you’ll get this error message.

In our case we’ve got a NetApp FAS2040 joined to our new AD forest with a few CIFS shares on it. In this new forest we’re using Windows 2008 R2 domain controllers and our forrest is set to a 2008 functional level.

When we want to manage the NTFS permissions of CIFS shares exported from our old NetApp FAS2020 in our old forrest (which is at a 2003 functional level with 2003 domain controllers) we’d typically login to a Windows 2003 server, load up the Computer Management MMC and connect to our NetApp.

Today I created a new CIFS share on our FAS2040, logged into a Windows 2008 R2 server, fired up the Computer Management MMC, connected to the NetApp and tried to change the NTFS permissions on the share. This is what I got:

This shouldn’t be happening. The account I’m using is a Domain Administrator and the Domain Admins group has been added to the NetApps local Administrator group.

If you click ‘Cancel’ all the way out and then go back and view the NTFS permissions it will turn out that the changes did take effect despite the “Access Denied” error message.

For some odd reason I thought to try using a Windows 2003 Server from our old forest to manage the NTFS permissions. It worked perfectly with no access denied error. What gives?

Turns out this does: http://support.microsoft.com/kb/972299

Microsoft doesn’t explicitly state this but to “solve” the problem just create an empty folder, a blank text file or anything in the share first and then edit the permissions… or you can fire up a Windows 2003 Server and just use it’s MMC.

12 thoughts on “Access denied when changing NTFS permissions on a NetApp CIFS share from Windows 2008”

  1. Thanks Eric, you just saved me so much pain of having to collect packet traces etc…

    Reply
  2. Thanks a Million mate… spent 3hrs+ wondering why kept getting Access Denied via NetApp CIFS Shares, yet had the same thing working a while back. So the process was smooth with Server 2003, but not with 2008 until you create the blank files. Thanks again for posting this, will several others!

    Reply
  3. Hallelujah!! This has been beating me up for a day now!! Couldn’t figure out why all the other CIFS shares threw the access denied, but one, and it was because it was empty! Created a text file, and could apply permissions with no errors!

    Reply
  4. Thanks for figuring this out!  I’ve run into this a few times and it was driving me nuts.

     

    One thing.  This problem also occurs when managing ACLs with Windows 7.  I assume it’s because it shares the same or very similar kernel with Windows 2008.

    Reply
  5. Hallelujah.  I”ve  been pulling my hair out over this ever since I installed Win 7.  Thank you.

    Reply
  6. Unbefrikkinlieveable.  Thanks so much for this – I can’t understand why it isn’t (a) noted in the NetApp docs or knowledgebase, (b) fixed by MS.

     

    Note to MS:  Please get out of the OS business.  You’ve had DECADES to create something secure and robust, and it’s clear by now it’s never gonna happen.  Kthxbai.

    Reply
  7. does not work for me; the shares ntfs permissions are read-only. I can manage my older shares file permissions but not any new ones.

    Reply

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.