• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 571
  • Last Modified:

Bizarre NTFS permissions issue on Windows Server 2008 64-bit

I've got a Windows 2008 server (x64, sp1) running as a VM on a Hyper-V host. It's the primary DC in a 35 user network. Runs Symantec Backup Exec System Recovery 8 for backup.

One of our main data shares, data2, is not picking up the access rights correctly. This folder is restricted to users in the "data 2 access" security group. There was a problem with this when I took over the account, everyone had full control instead of the data 2 access group. This has been rectified. Yet users outside of the group still have access. The permissions appear correct but usersr don't test properly in Effective Permissions, and they can access things they should not be able to access.

Any help greatly appreciated!
0
michaelcoop123
Asked:
michaelcoop123
  • 4
  • 3
4 Solutions
 
tigermattCommented:

A little more information would be appreciated to further diagnose the issue.

What are the share permissions set to?
What are the NTFS permissions set to?

Feel free to upload screenshots to answer these questions if you feel it is more applicable or convenient.

-Matt
0
 
michaelcoop123Author Commented:
Share permissions: Authenticated users have full control.
NTFS permissions for DATA2 parent folder: Data2 access group (full), Domain Admins (full), Administrators (full), Creator Owner (full), System (full).

No permissions set for other groups or users .

A test user I just created last night is a member of the following security groups: Corp Everyone, Domain Users and Staff Schedule Access. This is the same as the majority of the other users who shouldn't have access. Yet in effective permissions, this user has full control over Data 2 subfolders.

The weird thing is, last night this user didn't have access to any of the subfolders. This morning it has full access. Could the backup program be doing something?
0
 
michaelcoop123Author Commented:
I think this has to do with Symantec Backup Exec System Recovery. According to this article there's something wrong with our version (8.0.1) that results in elevation of privilige.

http://www.symantec.com/avcenter/security/Content/2008.05.28c.html

There's a patch, I need to dig up our serial number to get it. Stay tuned!
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
tigermattCommented:

The only way the users would get access based on NTFS Security alone is if the following in your example were true:

The user (who should not have access) is a member of one or more groups which is in turn a member of the Data2 Access, Domain Admins or Administrators groups. The users obviously are not... but don't forget permissions can be inherited from group to group up the tree.

However, the Symantec issue looks like the one causing it. Let me know how you get on.

-Matt
0
 
michaelcoop123Author Commented:
Symantec was definitely causing it somehow. A test user ("test) I created using 8.0.1 with the correct group permissions didn't have access when I created it, but did have access after I created it.

A second test user ("test2") was created after the upgrade to 8.0.4. The correct permissions were applied and have stuck after two backups .

Unfortunately the permissions for the other 30+ users are still at full access and the fix didn't take those rights away. Neither did adding them to the data 2 access group and removing them. However, adding test to a group that has explicit no access rights to the directory, then removing from that group, doesn't work either. The rights come right back. Unless anyone has a better idea, I will have to add them to this group tonight.
0
 
tigermattCommented:
Sounds like the permissions are being cached somewhere. Just out of interest, what does a new user (but identically configured) result in permissions-wise?
0
 
michaelcoop123Author Commented:
This issues was caused by some stupidly applied permissions (my company did not install this server) for a group within a group within a group that made most of our users domain admins. Apparently, this was because many apps need the user to be a local admin, but somebody told him theyshouldn't be local admins (?????).

This is resolved. Thanks.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now