-1

I have renamed a Windows Server using the Control Panel feature. This worked fine at first. Today I noticed that I was unable to rename a certain file that I always was able to rename before. This file was a SQL Server database file. The SQL Server service was successfully able to use the file. But even after shutting down the server I got the message:

You require permission from Administrator to make changes to this file

So the file clearly was not locked by a running program.

Reviewing the security settings in Windows Explorer I found out the following:

  1. There was a noticable delay when resolving the SID's to user names
  2. The SQL Server user still had the old server name in its name. However that seems to be harmless because the user name is an uninterpreted string (right?)
  3. I saw nothing suspicious (like unresolved SID's or the old server name as the domain part of some user name)
  4. Even giving Full Control to Everyone did not allow me to rename the file
  5. Changing ownership to Administrators (and I am a member of that group) restored access

I ran SysInternals AccessEnum to enumerate the drive that the file in question was on. The output showed a few "???" markers.

I do not fully understand why I lost access to that file. Some permissions must have been lost when renaming the server. What happened?

Also, do I need to fix the server somehow after renaming it? I worry that there are a lot of latent permission issues now that I will only discover over time.

usr
  • 245
  • 3
  • 11
  • 1. Renaming the server should have no bearing on file and folder permissions. 2. The statement `I ran SysInternals AccessEnum to enumerate the drive that the file in question was on. The output showed a few "???" markers.` is meaningless because you don't have a comparative report from before the rename. 3. After renaming a server that is running SQL Server you also need to do this: http://strictlysql.blogspot.com/2010/03/changing-server-name.html – joeqwerty Apr 27 '14 at 19:42

1 Answers1

2

You didn't "lose" any permissions when renaming the server. Security principals are referenced by their SID in ACLs. The SID does not change when you rename a computer. Even if it did, that you'll only impact local users (but it doesn't). If there is a noticeable delay in translating security principals from SID to display name, then you've got a connectivity or AD problem somewhere.

The message You require permission from Administrator to make changes to this file is a UAC message that you are prompted with when modifying files in a protected file system location. Program Files is one such location, which is where your database files are, I am assuming. This is normal.

MDMarra
  • 100,183
  • 32
  • 195
  • 326
  • Thank you. First I want to clarify that I'm an "accidental" server admin. Not professional.; I have no DC/AD. This is a standalone server. I'll investigate this angle, though, and find out what caused the delay.; UAC: Yes, this was indeed turned on! Surprise. Any idea why the message disappeared after taking ownership? The DB files are on a separate drive. I do not fully understand the ACLs on it. I basically added an entry every time something needed access which is: me, SQL Server and IIS. – usr Apr 27 '14 at 20:02
  • http://blogs.msdn.com/b/brian_dewey/archive/2004/01/20/60902.aspx http://technet.microsoft.com/en-us/library/bb727008.aspx http://en.wikipedia.org/wiki/User_Account_Control http://technet.microsoft.com/en-us/library/cc731416(v=ws.10).aspx – MDMarra Apr 27 '14 at 20:05
  • Thanks again. I believe the issue has been explained now: a) a server rename is highly likely not to disrupt permissions because they are based on SIDs. b) UAC caused the message. c) I probably did not have access to the file even before the rename (or UAC made me believe that I do not have access), and I miscorrelated the two events to due proximity in time. – usr Apr 27 '14 at 20:31
  • That sounds about right to me :) – MDMarra Apr 27 '14 at 20:32