Shared Folder Access

kingcastle
Hi,
I have a share on Windows Server, and on the Share tab I have Everyone granted access and Full Control, but on the Security tab I have all my restrictions in place, i.e. I only have a few allowed access to it. I thought the Security tab was the key tab for locking down access.

I discovered today that a user that is NOT in any of the groups that can access this share (based on the Security tab) can actually access and browse the share.

How can this be? What have I missed?

Thanks

Does the security tab have Users, Authenticated Users or Domain Users listed with any permission? Also apply "Replace all child object permissions with inheritable permissions from this object" under advanced options and remove "include inheritable permissions".

Author

Commented:
It has "creator owner", "system", "users (servername/users)" and then of course the groups I want, of which this particular user is not in any, but strangely they still have access.

Commented:
And is the user account part of servername/users?  Personally I would remove that group and add administrators-->Full Access.  No reason for it if you're giving access by a group already.
Creator/owner is the person who created the folder (by default they have full access), system is network related, and "servername\users" would be anyone who is in the LOCAL users and/or groups on the server. You would likely want to make sure admins/domain admins are listed (so you don't get locked out) and then remove the servername\users group and only allow creator/owner, system, and the users/groups you created for the resource. However, make sure the memberships are appropriate.

Typically, your understanding is correct, you allow "everyone" full control -only-  under the "sharing" tab and then set access to the resource under the "security" or NTFS perms tab.

Commented:
As far as security being the key tab to locking things down...well it can be.  Share permissions are used when accessing the share remotely and are processed first.  NTFS permissions are always applied and are processed after share permissions are applied.  So really if accessing a share remotely then share permissions are just as effective and meaningful as NTFS permissions.  With that said I do it the same way you are.  It's easier.

Commented:
Also I assume the user getting access isn't the creator/owner?  Have you checked?

Author

Commented:
Yeah, they wouldn't have created it. But that's an interesting point Zouleous has: this user is actually accessing this share over a WAN. So we have two physical sites within a single AD, and the share resides at site 1, but the user that is accessing that share is doing so from site 2. Maybe that has something to do with it, and maybe that's why they seem to have full access to everything even though they are not in any group that is listed in the security tab.

Commented:
Well as I said things accessed remotely still have to go through NTFS processing.  NTFS processing always applies.  I've seen weird stuff with permissions before, but I'd really lean towards the person somehow being a member of a group defined in NTFS permissions.  I'd start by removing the servername/users group.  If all the users that need access are defined in an access group already then that is all that's required.  Creator/owner is not normally used either...only for things like Folder Redirection.  It should be Domain Admins, system, "DL my resource MODIFY".  DL stands for Domain Local group type.  MODIFY is the level of access that the group has.  The type of group you use depends on what's been decided in your environment as a standard.
On the domain, "Domain Users" are by default members of the "server\users" group. Also, if the remote machine's local administrator password matches the server's local administrator password and the user is using the local administrator account to log on, then the server will authenticate the remote administrator account as local.
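
Added example, not part of the original thread: a simplified Python model of the points made in the answers above (share and NTFS permissions both apply to remote access, and "Domain Users" nested in "server\users" matches an NTFS entry the asker did not expect). All account and group names are constructed, rights are reduced to three ordered levels, only allow entries are modelled, and the "read" level given to SERVER\Users is an assumption.

```python
# Simplified model: allow entries only, rights reduced to three ordered levels.
# Every account, group and server name here is constructed for illustration.
LEVELS = ["none", "read", "modify", "full"]

# group -> direct members (users or nested groups)
MEMBERS = {
    "Everyone": {"DOMAIN\\Domain Users"},
    "SERVER\\Users": {"DOMAIN\\Domain Users"},  # default nesting noted in the thread
    "DOMAIN\\Domain Users": {"DOMAIN\\alice", "DOMAIN\\bob"},
    "DOMAIN\\DL my resource MODIFY": {"DOMAIN\\alice"},
}

SHARE_ACL = {"Everyone": "full"}
# Security tab as the asker describes it; "read" for SERVER\Users is assumed.
NTFS_BEFORE = {"CREATOR OWNER": "full", "SYSTEM": "full",
               "SERVER\\Users": "read", "DOMAIN\\DL my resource MODIFY": "modify"}
# Security tab after removing SERVER\Users, as the answers suggest.
NTFS_AFTER = {"DOMAIN\\Domain Admins": "full", "SYSTEM": "full",
              "DOMAIN\\DL my resource MODIFY": "modify"}

def principals_for(user):
    """Return the user plus every group reached directly or through nesting."""
    found, changed = {user}, True
    while changed:
        changed = False
        for group, members in MEMBERS.items():
            if group not in found and members & found:
                found.add(group)
                changed = True
    return found

def granted(acl, user):
    """Highest level any matching allow entry gives the user (0 = no match)."""
    who = principals_for(user)
    return max((LEVELS.index(r) for p, r in acl.items() if p in who), default=0)

def effective_remote_access(share_acl, ntfs_acl, user):
    """Both lists must allow the access, so the more restrictive one wins."""
    return LEVELS[min(granted(share_acl, user), granted(ntfs_acl, user))]

if __name__ == "__main__":
    for label, ntfs in (("before", NTFS_BEFORE), ("after", NTFS_AFTER)):
        for user in ("DOMAIN\\alice", "DOMAIN\\bob"):
            print(label, user, effective_remote_access(SHARE_ACL, ntfs, user))
```
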
