A Domain User able to access "Secure" Folders

Posted on 2004-11-14
Last Modified: 2013-12-04


We need your help in resolving a security issue.  We have discovered that a new user on a client's Windows network can access what were thought to be secure directories accessible only by members of an upper management security group.  The new user seems to be an ordinary domain user, but can freely roam through personnel and confidential management folders.  We are asking for help in determining:

   1) what happened to make this situation possible,
   2) what we can do to rectify it, and
   3) how we can avoid this in the future.

Additional Information

The folders in question reside on a Windows Server 2000 Standard Edition which serves as a domain controller and file server for user directories.  It also provides DHCP and DNS services for a network of around 100 users.  It is protected by up-to-date antivirus software, a Cisco PIX firewall filters Internet access, and it has all current Microsoft security updates installed.

The user's desktop runs WinXP SP1 with up-to-date antivirus protection.  The user is a member of the Domain Users security group and no other.

We do not know how this user account obtained privileges to access these secure directories, nor can we find any evidence anywhere to indicate that such privileges should exist.  The user account was created as a member of the Domain Users group and seems to be a member of that and only that security group, yet it permits one to freely roam through human resource files and confidential management folders.  The secured (?) directories were presumed to be accessible only by members of the domain security group and domain administrators.  We are not aware of any other domain user accounts which can access these directories.  We cannot find any evidence that such privileges should exist for this user account or that any security settings have been changed.

We would appreciate your thoughts on what to do here.  We are considering removing the user's entry from the domain and re-creating it and/or explicitly denying this user access to the sensitive folders, but neither of these solutions helps us understand why this might have happened or how to avoid it in the future.

Question by: wdschoon

    Expert Comment

    Are the NTFS rights set correctly?
    Is it possible that the user was renamed in the past from an administrative account?

    Expert Comment

    As stated above, I'd first start by double-checking to make sure the NTFS permissions are set up correctly for the directories in question.

    Expert Comment

    You can also check whether the user has a SID History attribute (with ADSI Editor), but only if the user was moved from another domain.
    Otherwise, I have no other explanation (theoretically, this situation can't exist).
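
    The two checks raised in this thread (an unexpected sIDHistory value on the account, and the NTFS ACEs the user's access token actually matches, including nested groups) can be run from one script on a current domain; this is an added example written for this page, not code from any participant, and it assumes the RSAT ActiveDirectory module plus the placeholder account 'jdoe' and placeholder UNC path shown.

```powershell
# Added example (not from the thread): list sIDHistory on the account and every ACE on the
# folder that the user's token would match (own SID, sIDHistory SIDs, nested groups,
# and the well-known Everyone / Authenticated Users SIDs that any logon token carries).
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'                    # placeholder account name
$Folder         = '\\FILESRV\Management$'   # placeholder "secure" folder

$user = Get-ADUser -Identity $SamAccountName -Properties sIDHistory, whenCreated

# 1) sIDHistory: ACL evaluation honours these SIDs exactly like the primary SID, so a
#    leftover administrative SID grants access that no group membership listing shows.
$principalSids = @($user.SID.Value, 'S-1-1-0', 'S-1-5-11')
foreach ($old in $user.sIDHistory) {
    $principalSids += [string]$old
    Write-Warning "$SamAccountName carries sIDHistory $old"
}

# 2) tokenGroups is the DC-computed, fully nested group set behind the logon token;
#    it is a constructed attribute, so read it through ADSI with an explicit refresh.
$entry = [ADSI]"LDAP://$($user.DistinguishedName)"
$entry.RefreshCache(@('tokenGroups'))
foreach ($raw in $entry.Properties['tokenGroups']) {
    $principalSids += (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
}

# 3) Match the folder's ACEs (explicit and inherited) against that SID set. The owner is
#    reported too, because an owner can rewrite the DACL regardless of the ACEs.
$acl = Get-Acl -Path $Folder
"Owner of ${Folder}: $($acl.Owner)"
foreach ($ace in $acl.Access) {
    try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $aceSid = $ace.IdentityReference.Value }   # orphaned SID: keep the raw value
    if ($principalSids -contains $aceSid) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}
```

    Any ACE that appears in the output but is not part of the intended upper-management grant, or any sIDHistory warning, is the place to start; an empty result with access still working points at the share permissions or the folder owner rather than the NTFS DACL.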

    Author Comment

    Sorry for the delay in getting back on this.  Had a bout with cancer in the intervening months and I really got off task for a while.  The client got involved with other issues because the user in question was a trusted employee and it wasn't until late April that we all got back on task.  We called Microsoft, but the tech demanded $250.00 cash-on-the-barrelhead to even talk ("that's the way we do things," he said) and the client refused the offer.  We did manage to get the tech to admit that they, Microsoft, were quite familiar with the problem.  So, our home-grown solution was to create a new user in the domain, then migrate the user's email and favorites list to the new domain user and disable the original domain user at the W2k domain server.  All works just fine now; the user's new domain user name behaves normally--no domain administrator privileges--and the client's managers are happy.  However, we still do not know how the problem was created in the first place.

    Author Comment

    Addendum:  We did follow up on each of the user suggestions above, before getting off task, but were unable to resolve the problem.

    Accepted Solution

    PAQed with points refunded (500)

    Community Support Moderator
