Table is Locked for Editing
Message
From
17/04/2021 16:36:38

General information
Forum: Visual FoxPro
Category: Problems
Miscellaneous
Thread ID: 01679842
Message ID: 01679870
Views: 49
The concept of a "file share" on Windows servers is a bit of a misnomer. What it really means is "set up some folders with access control list (ACL) permissions management (security groups, user accounts) and use SMB/NetBIOS protocols for file access". Yes, this is often - even usually - used for sharing files amongst multiple users but the management features of file shares are useful even if one will be "shared" by only a single user.

If you support multiple simultaneous remote users for, say, Company1, then they will actually be sharing access to \MainFolder\Company1\App etc. If you don't set up an explicit share you're relying on implicit SMB/NetBIOS support. As I understand it this *should* work for local admins in RDS mode but:

- Every new version of Windows Server has been locked down by default harder than its predecessors
- RDS offers a lot of policies for locking down remote access. If you have multiple separate companies on a single server I imagine you've used these policies to lock things down hard. For example, you might have \MainFolder\Company1 accessible only by Company1 account(s). Depending how you do that, you may explicitly lock out admin accounts. Deny permissions take precedence over allow permissions.

I don't know what your automated tasks do and how they're configured to do it (via Task Scheduler etc.). As an example, suppose you have to back up all company data folders every evening to an external USB hard drive F: attached to the server computer. One way to set that up:

- Have security groups configured with the required access to Company1 files, Company2 files etc.
- Add account dCTask to those groups
- Define another security group which has required access to F: drive and make dCTask a member of that group as well

Since Vista/Server 2008 MS has been trying to get users into the least privileges mindset of the *n?x world. It can be tempting to run tasks as a local admin just to try to get things to work, but that's hazardous and Windows will fight you.

>Hi
>
>The drives are not shared because the application and data are all on the same drive and all the users access the applications via RDP. The structure is something like:
>
>C:\MainFolder\Company1\App
>C:\MainFolder\Company2\App
>C:\MainFolder\Company3\App....
>
>The servers are also not part of a domain and the users are all local Remote Desktop User accounts with rights just to their company's folder. The users never have any problems. The problems always arise for the Administrative accounts. I have several for running automated tasks related to the applications and they are the ones where the "read-only" problem arises.
>
>Simon
>
>>Is the server a member of a domain, and might there be a conflict between domain and local policy? Is it a DC itself?
>>
>>It seems like you're going through a lot of hassle with Group Policy etc. and changing default policy settings (which are there for a reason). Changing permissions should not require a server restart.
>>
>>I don't know how you've structured your data folders but I recall running into issues long ago with user/data folders on the root of the system drive and with using administrative shares (e.g. \\Server\C$) - these may be related. As a result I always set up file shares for user data - usually something like
>>
>>C:\Shares\FileShare1
>>C:\Shares\FileShare2
>>...
>>
>>then create security groups and give them Full Control permissions to the share(s), then add user accounts to the security groups.
>>
>>I don't have to make GP changes and I don't see permissions issues such as you describe.
>>
>>>I applied the same fixes but used gpupdate /force, and although it reported success, it did not work. So I had to wait until I could re-boot the server, which I have just done, and it works. So the net result is that the server must be re-booted.
>>>
>>>Simon
>>>
>>>
>>>>>Hi
>>>>>
>>>>>I set up a new Windows 2019 Server and I created a user in the Administrators group called "dCTask". When I log into the server as dCTask all my VFP applications complain that the data tables are read only. The tables do not have the read only flag checked. When I check the security tab the "Administrators" group has full control. So I tried opening a table using Libre Office; it reports that the table is "locked for editing by Unknown User". When I check the effective privileges in the Security tab for the dCTask user it says it has full control of everything.
>>>>>
>>>>>The only way I have found to fix this is to explicitly add the dCTask user in the security tab for the folder containing the tables, which is redundant but works. Does anyone have any suggestions about what causes this problem?
>>>>>
>>>>>I should add that I did use the Group Policy Editor to disable running all Administrators in Admin Approval mode and I used gpupdate /force after the change.
>>>>
>>>>You had something similar in Message#01677468. Have you applied the same fixes you did then?
Regards. Al

"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov

Neither a despot, nor a doormat, be

Every app wants to be a database app when it grows up
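
The backup setup outlined in the message above, written out as an added PowerShell example (not code from the thread or its participants). The group names `CompanyN-Backup` and `Backup-Target` are hypothetical; `dCTask`, the `C:\MainFolder\CompanyN` layout and the `F:` drive come from the posts.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Group names are hypothetical;
# dCTask, C:\MainFolder\CompanyN and F: come from the posts above.

$taskAccount = 'dCTask'
$dataRoot    = 'C:\MainFolder'
$companies   = 'Company1', 'Company2', 'Company3'
$backupDrive = 'F:\'
$dataRights  = 'RX'   # a backup only reads; use 'M' if the task must update tables

function Add-TaskAccountToGroup {
    param([string]$Group, [string]$Account)
    # Create the local security group if it does not exist yet.
    if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $Group | Out-Null
    }
    # Add the account only if it is not already a member (names are COMPUTER\user).
    $isMember = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*\$Account" }
    if (-not $isMember) {
        Add-LocalGroupMember -Group $Group -Member $Account
    }
}

foreach ($company in $companies) {
    $group  = "${company}-Backup"
    $folder = Join-Path $dataRoot $company
    Add-TaskAccountToGroup -Group $group -Account $taskAccount

    # Allow ACE on the folder, inherited by subfolders (CI) and files (OI).
    icacls $folder /grant "${group}:(OI)(CI)$dataRights" | Out-Null

    # Deny ACEs take precedence over this grant, so report every Deny
    # entry on the folder for review.
    (Get-Acl -Path $folder).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object {
            Write-Warning "$folder has Deny for $($_.IdentityReference): $($_.FileSystemRights)"
        }
}

# Separate group for write access to the backup destination.
Add-TaskAccountToGroup -Group 'Backup-Target' -Account $taskAccount
icacls $backupDrive /grant 'Backup-Target:(OI)(CI)M' | Out-Null
```

Group membership is read into the access token at logon, so `dCTask` picks up the new groups only in its next logon session.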