Solved

Security Question

Posted on 2006-03-20
Last Modified: 2012-08-13
UserA is a member of GroupA and GroupA is given all rights except Full Control to FolderA.
UserA creates a sub-folder in FolderA called SubFolderA.

UserA changes departments and is removed from GroupA.

My problem is that UserA still has Full Control (special) to SubFolderA because they are the creator/owner.

Is this right?
Question by:lpenrod
28 Comments
 
LVL 4

Expert Comment

by:omegamueller
ID: 16241816
Yes, this is right.
I hate to say it.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16241973
You can fix this on a schedule by running CACLS.exe and replacing the owner on certain folders with the Domain Admin group.

However, yes, this is expected.


0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16242039
I thought I saw some MS tool or similar that would reclaim ownership of all files/folders on a server to the built-in administrator account of that server?  Ehh...maybe I'm wrong...
0

 
LVL 3

Author Comment

by:lpenrod
ID: 16242546
When I reclaim ownership, do they lose those rights?
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 2000 total points
ID: 16242567
If you assigned permissions based on Groups and they are removed from the Group(s) and ownership is transferred to the Administrator - then, yes they lose the access.

You should always be using local groups to assign permissions to resources, then adding in the appropriate Global Groups to give this access.  This way when a user is removed from a Global Group giving access, they automatically lose access.


0
 
LVL 9

Expert Comment

by:vmaheen
ID: 16246088
In a domain system...

It will show the owner as "user_A", but it will lose full control (only a few permissions will remain). Full control goes to the administrative group.

But the problem is, if you set a quota, it will count the file capacity in folder_A for UserA.

Maheen
0
 
LVL 9

Expert Comment

by:vmaheen
ID: 16255232

In my comment above I assumed that permissions are not inherited by Folder_A from its parent, that permissions are inherited by subfolders and files from Folder_A, and that permissions are assigned only to Administrators and GroupA (all other users and groups removed). Check with effective permissions; it will show clearly. It will work in a domain or a workgroup.

Maheen  
0
 
LVL 3

Author Comment

by:lpenrod
ID: 16258729
I took ownership of every file and folder on the system.  The users still have Special Full Control...

Thoughts?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16262649
Is this checkbox greyed out?
0
 
LVL 3

Author Comment

by:lpenrod
ID: 16262862
What box?

The original owner still shows up in the permissions list.

When I click on the Advanced button and edit their permissions, it says "This permission is inherited from the parent object".  Yet if I look at the parent object, they are not in the list.
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16263057
Is this how you took ownership of all the files:

To take ownership of a folder, follow these steps:
1. Right-click the folder that you want to take ownership of, and then click Properties.
2. Click the Security tab, and then click OK on the Security message (if one appears).
3. Click Advanced, and then click the Owner tab.
4. In the Name list, click your user name, or click Administrator if you are logged in as Administrator, or click the Administrators group. If you want to take ownership of the contents of that folder, select the Replace owner on subcontainers and objects check box.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 16263358
Yes, and if you scroll down on the main security tab to the user the Special Permission checkbox should be grey.

Keep moving up the tree and checking to see where the account is.  I find it weird that the direct parent shows no sign of the user, yet it states the child is inheriting it.

Is there a hidden folder above this one that you are not seeing?

0
 
LVL 3

Author Comment

by:lpenrod
ID: 16270038
I have 3+ million files on this server.  I can't one-by-one manually take ownership.

I used subinacl.exe to take ownership.
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16270244
You don't have to one-by-one.

On the server, go to the drive that houses the share and then right click on that top folder and do the steps I said in my last comment to take full ownership on every file in that share (3 mil files will take some time)...
0
 
LVL 3

Author Comment

by:lpenrod
ID: 16270342
I follow.  Trying now.
0
 
LVL 3

Author Comment

by:lpenrod
ID: 16270375
OK, I tried that on a folder and the original owner still shows up in the permissions list.

When I click on the Advanced button and edit their permissions, it says "This permission is inherited from the parent object".  Yet if I look at the parent object, they are not in the list.
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16270444
You'll need to go to the parent folder...heck if you have to just open the D drive or whatever on the server (not the share) and do it from there.
0
 
LVL 3

Author Comment

by:lpenrod
ID: 16270526
I did it at the root of one of my smaller drives.
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16270729
By right-clicking the drive itself?  You shouldn't even see any inherited permissions or even the checkbox for "inherit from parent" since it is the parent.
0
 
LVL 9

Expert Comment

by:vmaheen
ID: 16286732
I think my comment above is difficult to understand. OK, that could be because I explained it briefly.

OK, for testing use a Windows XP workstation with NTFS, and create GroupA, userA, folderA -> sub folderA.

userA is a member of groupA (not any group or administrative group, but if you want to log in locally with userA then add userA to the Power Users group).

Now I think folderA is created as c:\folderA, and folderA got all the permissions belonging to the "C" drive (folderA's parent is "C"). Next you have to stop folderA inheriting permissions from its parent (the "C" drive):
folderA -> Properties -> Security -> Advanced -> Permissions -> untick "inherit from parent.." -> in the next window click Copy.
Now permission inheritance will be stopped.

Next:
folderA -> Properties -> Security, remove all users and groups except Administrator, Administrators. Next add the groupA permission (groupA with "full control" or "modify" permission).

Next log off and log in with userA locally,
and create subfolderA and copy (don't do cut and paste) some files. Now userA is the owner with full control for those files.

Next log off and log in as administrator.

Go to folderA and its subfolders and check effective permissions (folder/file -> Properties -> Security -> Advanced -> Effective Permissions -> select userA and check its permission list). It will show as full control.

Next remove userA from groupA, then go to folderA and its subfolders and check permissions (do as above for effective permissions). You can see userA is the owner but it doesn't have full control;
effective permissions show "read permissions" and "change permissions" for userA.

Waiting for your reply..

Maheen
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16300431
I honestly don't know if you are going to be able to get around this unless you then take ownership as administrator on the folder/files in FolderA and its inherited folders.

UserA may still be the "owner" of those files, but they won't be able to do anything with them, or even get to them since you've removed their permissions.

I thought if you left them at "Modify" rights then they wouldn't get full control of any file, including ones they create.

(I'll see if I can test your setup myself in a little while)
0
 
LVL 9

Expert Comment

by:vmaheen
ID: 16307968
Good morning   Cleaner,

And don't forget to check using my configuration above.

Maheen
0
 
LVL 3

Author Comment

by:lpenrod
ID: 16827902
I ended up kicking "Creator Owner" from the Access Control List.  That stopped users from gaining full control to anything they create.

Next I took ownership of every file and directory.

Next I chose to "Replace permission entries on all child objects with entries shown here that apply to child objects".

That got things cleaned up.

I didn't understand what "Creator Owner" was doing.  By default it is assigned to any newly created drive.

Recommendations on assigning points?
0
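
A simplified model of why the entry survived, added here as an illustration and not part of the thread: an inheritable CREATOR OWNER entry is stamped with the creator's name on each new child and flagged as inherited, so it shows up on SubFolderA without UserA being listed on the parent. The class and function names are hypothetical, and the model assumes, as the thread reports, that changing the owner alone leaves existing entries in place.

```python
from typing import NamedTuple
CREATOR_OWNER = "CREATOR OWNER"  # placeholder trustee, resolved per object

class Ace(NamedTuple):
    trustee: str
    rights: str
    inherit_only: bool = False  # applies to children, not to this object
    inheritable: bool = True    # is passed on to children
    inherited: bool = False     # shown as "inherited from the parent object"

class Folder:
    def __init__(self, owner, acl=()):
        self.owner, self.acl, self.children = owner, list(acl), []

def inherit(parent, owner):
    out = []
    for ace in (a for a in parent.acl if a.inheritable):
        if ace.trustee == CREATOR_OWNER:
            # Split in two: an effective entry stamped with the owner's name,
            # and an inherit-only copy that keeps flowing to deeper levels.
            out.append(Ace(owner, ace.rights, inheritable=False, inherited=True))
            out.append(ace._replace(inherit_only=True, inherited=True))
        else:
            out.append(ace._replace(inherit_only=False, inherited=True))
    return out

def create_subfolder(parent, creator):
    child = Folder(creator, inherit(parent, creator))
    parent.children.append(child)
    return child

def replace_child_permissions(folder):
    for child in folder.children:
        child.acl = inherit(folder, child.owner)  # discard entries, re-inherit
        replace_child_permissions(child)

def trustees(folder):
    return {a.trustee for a in folder.acl if not a.inherit_only}

def scenario():  # constructed replay of the thread; trustees on SubFolderA
    folder_a = Folder("Administrators", [Ace("GroupA", "Modify"),
                      Ace(CREATOR_OWNER, "Full Control", inherit_only=True)])
    sub = create_subfolder(folder_a, "UserA")
    at_creation = trustees(sub)
    sub.owner = "Administrators"  # take ownership: ACL entries are not rewritten
    after_takeown = trustees(sub)
    folder_a.acl = [a for a in folder_a.acl if a.trustee != CREATOR_OWNER]
    replace_child_permissions(folder_a)
    return at_creation, after_takeown, trustees(sub)
```

`scenario()` returns the trustees on SubFolderA at creation, after the ownership change, and after CREATOR OWNER is removed from the parent and child entries are replaced.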
 
LVL 3

Author Comment

by:lpenrod
ID: 16827903
Oops, just noticed it was forced accept.  Sorry.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16827954
Interesting that the accepted answer came after I had mentioned doing exactly what it appears you did in the end (or a manual variation).

Too bad I didn't notice this earlier.



0
 
LVL 9

Expert Comment

by:vmaheen
ID: 16830416
Hi friends,

I don't worry about points...

Dear vsg375 and CetusMOD, can I refund the points..?  I think the points must go to Netman66.

Regards,

 Maheen

0
 
LVL 3

Author Comment

by:lpenrod
ID: 16832657
Cool with me.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16835778
Do whatever you think is fair.  I wasn't complaining - just making an observation.

0

Question has a verified solution.
