A Domain User able to access "Secure" Folders


Problem:

We need your help in resolving a security issue.  We have discovered that a new user on a client's Windows network can access what were thought to be secure directories accessible only by members of an upper management security group.  The new user seems to be an ordinary domain user, but can freely roam through personnel and confidential management folders.  We are asking for help in determining:

   1) what happened to make this situation possible,
   2) what we can do to rectify it, and
   3) how we can avoid this in the future.

Additional Information

The folders in question reside on a Windows Server 2000 Standard Edition which serves as a domain controller and file server for user directories.  It also provides DHCP and DNS services for a network of around 100 users.  It is protected by up-to-date antivirus software, a Cisco PIX firewall filters Internet access, and it has all current Microsoft security updates installed.

The user's desktop runs WinXP SP1 with up-to-date antivirus protection.  The user is a member of the Domain Users security group and no other.

We do not know how this user account obtained privileges to access these secure directories, nor can we find any evidence anywhere to indicate that such privileges should exist.  The user account was created as a member of the Domain Users group and seems to be a member of that and only that security group, yet it permits one to freely roam through human resource files and confidential management folders.  The secured (?) directories were presumed to be accessible only by members of the domain security group and domain administrators.  We are not aware of any other domain user accounts which can access these directories.  We cannot find any evidence that such privileges should exist for this user account or that any security settings have been changed.

We would appreciate your thoughts on what to do here.  We are considering removing the user's entry from the domain and re-creating it and/or explicitly denying this user access to the sensitive folders, but neither of these solutions helps us understand why this might have happened or how to avoid it in the future.


wdschoon asked:

map000 commented:
Are the NTFS rights set correctly?
Is it possible that the user was renamed in the past from an administrative account?
luv2smile commented:
As stated above, I'd first start by double-checking to make sure the NTFS permissions are set up correctly for the directories in question.
map000 commented:
You can also check if the user has a SID History attribute (with ADSI Editor); but that only applies if the user was moved from another domain.
Otherwise, I have no other explanation (theoretically, this situation can't exist).
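One defender-side way to run the checks suggested in this thread (NTFS ACEs on the folder, nested group membership and sIDHistory) in a single pass, as an added example that is not from the thread or its participants; it assumes a current Windows host with the RSAT ActiveDirectory module, and `$User` and `$Folder` are placeholders:

```powershell
# Added example, not from the thread: audit every ACE on a "secure" folder and flag
# which entries actually apply to a suspect user, resolving nested groups and sIDHistory.
# Assumptions: RSAT ActiveDirectory module is installed; $User and $Folder are placeholders.
Import-Module ActiveDirectory

$User   = 'suspect.user'          # placeholder sAMAccountName
$Folder = '\\FILESRV\Management'  # placeholder UNC path to a folder that should be restricted

$u = Get-ADUser -Identity $User -Properties sIDHistory

# sIDHistory: SIDs carried over from another domain. An ACE granting one of these old
# SIDs still matches even though the current group membership looks clean.
$historySids = @($u.sIDHistory | ForEach-Object { $_.Value })

# tokenGroups is computed by the DC and lists every security group the user is in,
# including groups nested inside other groups, which the plain "Member Of" view hides.
$de = [ADSI]"LDAP://$($u.DistinguishedName)"
$de.RefreshCache('tokenGroups')
$groupSids = @($de.Properties['tokenGroups'] | ForEach-Object {
    (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value
})

# Well-known SIDs every domain logon carries; an ACL may name these directly.
$wellKnown = 'S-1-1-0', 'S-1-5-11'   # Everyone, Authenticated Users

$effectiveSids = @($u.SID.Value) + $historySids + $groupSids + $wellKnown

$acl = Get-Acl -Path $Folder
$report = foreach ($ace in $acl.Access) {
    try {
        $sid = $ace.IdentityReference.Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $sid = $ace.IdentityReference.Value   # orphaned SID that no longer resolves
    }
    [pscustomobject]@{
        Identity      = $ace.IdentityReference.Value
        Rights        = $ace.FileSystemRights
        Type          = $ace.AccessControlType
        Inherited     = $ace.IsInherited
        AppliesToUser = $effectiveSids -contains $sid
        ViaSidHistory = $historySids -contains $sid
    }
}
# An Allow entry with AppliesToUser = True explains the access; ViaSidHistory = True
# or an unexpected nested group in $groupSids is the finding to act on.
$report | Sort-Object AppliesToUser -Descending | Format-Table -AutoSize
```

Run it against each folder the user should not reach; if no Allow entry applies, the remaining places to look are share permissions on the server and the ACLs of parent folders from which entries are inherited.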

wdschoon (Author) commented:
Sorry for the delay in getting back on this.  Had a bout with cancer in the intervening months and I really got off task for a while.  The client got involved with other issues because the user in question was a trusted employee, and it wasn't until late April that we all got back on task.  We called Microsoft, but the tech demanded $250.00 cash-on-the-barrelhead to even talk ("that's the way we do things," he said) and the client refused the offer.  We did manage to get the tech to admit that they, Microsoft, were quite familiar with the problem.  So, our home-grown solution was to create a new user in the domain, then migrate the user's email and favorites list to the new domain user and disable the original domain user at the W2k domain server.  All works just fine now; the user's new domain user name behaves normally--no domain administrator privileges--and the client's managers are happy.  However, we still do not know how the problem was created in the first place.
wdschoon (Author) commented:
Addendum:  We did follow up on each of the user suggestions above, before getting off task, but were unable to resolve the problem.
modulo commented:
PAQed with points refunded (500)

modulo
Community Support Moderator
