Solved

NTFS read weirdness

Posted on 2011-09-30
21
260 Views
Last Modified: 2012-05-12
Am I correct in thinking if a user has read & execute, read and list folder contents on a folder - they should not be able to create new files in that folder, nor go into a spreadsheet in that folder edit it and save it?

I have been added to a group that has just these permissions - however, I can create new files in this folder and edit existing spreadsheets.

This is not a root directory, it's in \\server\subdir\subdir
0
Comment
Question by:pma111
21 Comments
 
LVL 6

Accepted Solution

by:
Reubenwelsh earned 100 total points
ID: 36890961
If you look at this picture and check what rights the user inherits from other places.

With read and execute you get access to create stuff, but shouldn't be able to change others' files (unless they made the files themselves to start with which gives them user owner rights)
NTFS.PNG
0
 
LVL 3

Author Comment

by:pma111
ID: 36890965
>>unless they made the files themselves to start with which gives them user owner rights)

No they didn't.

0
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 200 total points
ID: 36890968
Yes, that's right. But you have to check if the user is not in other groups also. NTFS permissions are cumulative :)
To check current permissions, go to the Security tab, choose Advanced and on the "Effective Permissions" tab specify that user and check what he/she actually can do.

Regards,
Krzysztof
0

 
LVL 3

Author Comment

by:pma111
ID: 36890970
I get full control when doing the above - but how do I tell where from?

It must be some other group I am in, but there's tons!
0
 
LVL 19

Assisted Solution

by:Raheman M. Abdul
Raheman M. Abdul earned 100 total points
ID: 36890977
I believe your privileges (rights) are overriding the permissions.
Are you the administrator?
0
 
LVL 3

Author Comment

by:pma111
ID: 36890978
So is it as simple as right clicking this folder

\\server\subdir\subdir and right click > security

and I must be in at least one group that has full control?

I am in this read only group - but must also be in another group too?
0
 
LVL 88

Assisted Solution

by:rindi
rindi earned 100 total points
ID: 36890980
Normally that should be the case, but make sure you are not also a member of another group who has more rights on that folder.
0
 
LVL 3

Author Comment

by:pma111
ID: 36890981
Nope I am not an administrator
0
 
LVL 3

Author Comment

by:pma111
ID: 36890991
If I run that effective permissions thing. And it shows full control.

Can I limit checking group membership to just groups also with full control?

Or can it be more complex.

Weird thing is - I don't think I am in any of these other groups.

If I run net user me /domain - I don't see any of the groups with full control in my "global group memberships"
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36890998
Check this user's group membership in ADUC and compare to those assigned to NTFS on that folder. Then you can find in which group he/she is.

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36891066
There's the thing. I have checked which groups I am in in AD Users and Computers, and NONE of them are listed on the ACL for that folder. Which makes me think the ACL for that folder may have a group with full control, and groups within that group.
0
 
LVL 3

Author Comment

by:pma111
ID: 36891076
Should I check the share permissions or just directory (NTFS) on that folder?
0
 
LVL 3

Author Comment

by:pma111
ID: 36891100
Weird.

What does it mean in ADUC when the head symbol next to a user/group is grey as opposed to black hair?

I found what groups I am in.

It lists a Citrix group, when I do member of on the Citrix group it lists another Citrix group that is on the folder's ACL.

However, it lists our Citrix group as a user on the members list for the other Citrix group, when normally it should show a group "i.e. 2 heads in ADUC as opposed to 1"
0
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 200 total points
ID: 36891222
1 head -> user
2 heads -> group

A gray head within a group means that there are more than 500 users in the group. Nothing wrong happens :) The AD query for the object class takes too much time and the icon cannot be assigned. Check this MS article at
http://support.microsoft.com/?kbid=281923

And yes, nested groups are also users so, permissions also are cumulative :]

Krzysztof
0
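
Added example, not posted by anyone in this thread: one way to answer "I get full control, but where from?" is to compare the SIDs in your logon token (which already contain nested group memberships) with the trustees on the folder's NTFS ACL. The function name Get-GrantingAce is hypothetical, and it is assumed to run in a session of the affected user.

```powershell
# Added example; Get-GrantingAce is a hypothetical helper name.
# Assumption: run on Windows in a session of the user whose access is in question.
function Get-GrantingAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Right to look for; Write is included in Modify and FullControl.
        [System.Security.AccessControl.FileSystemRights]$Right = 'Write'
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # SIDs in the access token: the user plus every group resolved at logon,
    # including groups reached only through nesting.
    $tokenSids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited ACEs, with each trustee returned as a SID.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        # Keep only ACEs whose trustee is in the token.
        if ($tokenSids -notcontains $ace.IdentityReference.Value) { continue }
        # Inherit-only ACEs apply to child objects, not to this folder itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        # Keep only ACEs that carry at least one bit of the requested right.
        if (([int]$ace.FileSystemRights -band [int]$Right) -eq 0) { continue }

        # Show a readable name where the SID still resolves, else the raw SID.
        $name = try {
            $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $ace.IdentityReference.Value
        }
        [pscustomobject]@{
            Trustee   = $name
            Type      = $ace.AccessControlType   # Allow or Deny
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Replace $env:TEMP with the folder in question, e.g. \\server\subdir\subdir.
Get-GrantingAce -Path $env:TEMP | Format-Table -AutoSize
```

The token is built at logon, so group changes made since then only appear after logging on again; `whoami /groups` lists the same SIDs. This reads the NTFS ACL only, not the share permissions.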
 
LVL 3

Author Comment

by:pma111
ID: 36892880
That's weird because we had a group on the ACL (that was grey) that had one head but was definitely a group. But it was grey :)
0
 
LVL 3

Author Comment

by:pma111
ID: 36915733
The grey hair thing is confusing me as every user has grey hair - even single users. Plus - for groups it wasn't showing them as 2 heads just 1.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36915744
That's really strange :/ I've never seen it before. A group object always has 2 heads :)
I will try to dig in the Internet for any useful information :) (I'm also curious about this topic)

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36915747
Ok cool let me know if you find something - perhaps these user accounts had just had a tough week at work :)
0
 
LVL 3

Author Comment

by:pma111
ID: 36915749
I'm wondering if it has any links to Citrix?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36915762
I will also check the Citrix topic. I think I saw something similar in my network but I'm not a Citrix administrator. Thanks for the hint ;)

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36923920
Any luck?
0
