none
Change in how Windows 2008R2 treats Backup Operators or bug? RRS feed

  • Question

  • I found that subinacl /display when executed over SMB to a share with ABE enabled, returns Access_Denied to files that dont exist, instead of prior behavior (2003,2008) when file_not_found are being returned.

    If ABE is disabled - I get file not found. The UAC is disabled, the user has all the rights in the domain and still I get the "access denied".

    This trips up my other applications that dont expect this response. Note that folder "restricted" is only ACL'ed to one user. 

    Here is what Process Monitor sees (confirmed with network trace):

    With ABE:

    c:\>subinacl.exe /file \\10.90.63.80\toplevelabe\restricted\foo
    \\10.90.63.80\toplevelabe\restricted\foo - CreateFile Error : 5 Access is
    de
    nied.
    
    
    
    Elapsed Time: 00 00:00:00
    Done:        1, Modified        0, Failed        1, Syntax errors        0
    Last Done  : \\10.90.63.80\toplevelabe\restricted\foo
    Last Failed: \\10.90.63.80\toplevelabe\restricted\foo - CreateFile Error :
    5
     Access is denied.
    
    Process monitor:
    Date & Time:    10/10/2012 9:32:56 AM
    Event Class:    File System
    Operation:    CreateFile
    Result:    ACCESS DENIED
    Path:    \\10.90.63.80\toplevelabe\restricted\foo
    TID:    3008
    Duration:    0.0004029
    Desired Access:    Read Attributes, Read Control, Write DAC, Write Owner,
    Synchronize, Access System Security
    Dis
    Options:    Synchronous IO Non-Alert, Open For Backup, Open Reparse Point
    Attributes:    N
    ShareMode:    Read, Write
    AllocationSize:    n/a

    ==================================

    without ABE:

    c:\>subinacl.exe /file \\10.90.63.80\toplevelnoabe\restricted\foo
    \\10.90.63.80\toplevelnoabe\restricted\foo- CreateFile Error : 3 The
    system
     cannot find the path specified.
    
    
    
    Elapsed Time: 00 00:00:00
    Done:        1, Modified        0, Failed        1, Syntax errors        0
    Last Done  : \\10.90.63.80\toplevelnoabe\restricted\foo
    Last Failed: \\10.90.63.80\toplevelnoabe\restricted\foo - CreateFile Error
    :
     3 The system cannot find the path specified.
    Date & Time:    10/10/2012 9:37:23 AM
    Event Class:    File System
    Operation:    CreateFile
    Result:    PATH NOT FOUND
    Path:    \\10.90.63.80\toplevelnoabe\restricted\foo
    TID:    2864
    Duration:    0.0002941
    Desired Access:    Read Attributes, Read Control, Write DAC, Write Owner,
    Synchronize, Access System Security
    Disposition:    Open
    Options:    Synchronous IO Non-Alert, Open For Backup, Open Reparse Point
    Attributes:    N
    ShareMode:    Read, Write
    AllocationSize:    n/a

    anyone have an explanation for this? or is this a bug in R2?

    I think this is the right forum, since i found very similar bug described here: BUG: SeBackupPrivilege not honored by Vista when accessing SMB

    Wednesday, October 10, 2012 5:05 PM

Answers