NTFS read weirdness

Am I correct in thinking that if a user has Read & Execute, Read, and List Folder Contents on a folder, they should not be able to create new files in that folder, nor go into a spreadsheet in that folder, edit it and save it?

I have been added to a group that has just these permissions. However, I can create new files in this folder and edit existing spreadsheets.

This is not a root directory; it's in \\server\subdri\subdir

Asked by: pma111
 
Reubenwelsh commented:
Look at this picture and check what rights the user inherits from other places.

With read and execute you get access to create stuff, but shouldn't be able to change others' files (unless they made the files themselves to start with, which gives them user owner rights).
NTFS.PNG
 
pma111 (Author) commented:
>>unless they made the files themselves to start with which gives them user owner rights)

No, they didn't.
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
Yes, that's right. But you have to check whether the user is also in other groups. NTFS permissions are cumulative :)
To check current permissions, go to the Security tab, choose Advanced, and on the "Effective Permissions" tab specify that user and check what he/she can actually do.

Regards,
Krzysztof
 
pma111 (Author) commented:
I get full control when doing the above - but how do I tell where from?

It must be some other group I am in, but there's tons!
 
Raheman M. Abdul (Senior Infrastructure Support Analyst & Systems Developer) commented:
I believe your privileges (rights) are overriding the permissions.
Are you the administrator?
 
pma111 (Author) commented:
So is it as simple as right-clicking this folder

\\server\subdir\subdir and right click > Security

and I must be in at least one group that has full control?

I am in this read-only group - but must also be in another group too?
 
rindi commented:
Normally that should be the case, but make sure you are not also a member of another group that has more rights on that folder.
 
pma111 (Author) commented:
Nope, I am not an administrator.
 
pma111 (Author) commented:
If I run that effective permissions thing and it shows full control,

can I limit checking group membership to just groups also with full control?

Or can it be more complex?

Weird thing is - I don't think I am in any of these other groups.

If I run net user me /domain - I don't see any of the groups with full control in my "global group memberships".
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
Check this user's group membership in ADUC and compare it to the groups assigned to NTFS on that folder. Then you can find which group he/she is in.

Krzysztof
 
pma111 (Author) commented:
There's the thing. I have checked which groups I am in in AD Users and Computers, and NONE of them are listed on the ACL for that folder. Which makes me think the ACL for that folder may have a group with full control, and groups within that group.
 
pma111 (Author) commented:
Should I check the share permissions or just directory (NTFS) on that folder?
 
pma111 (Author) commented:
Weird.

What does it mean in ADUC when the head symbol next to a user/group is grey as opposed to black hair?

I found what groups I am in.

It lists a Citrix group; when I do "member of" on the Citrix group it lists another Citrix group that is on the folder's ACL.

However, it lists our Citrix group as a user on the members list for the other Citrix group, when normally it should show a group (i.e. 2 heads in ADUC as opposed to 1).
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
1 head -> user
2 heads -> group

A gray head within a group means that there are more than 500 users in the group. Nothing wrong happens :) The AD query for the object class takes too much time and the icon cannot be assigned. Check this MS article at
http://support.microsoft.com/?kbid=281923

And yes, nested groups are also users, so permissions are also cumulative :]

Krzysztof
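
The check discussed in the posts above (which ACL entry is the source of the write or full-control access) can be scripted. This is an added example, not part of any post in the thread: it compares the SIDs in the current logon token, which already include groups reached through nesting, with the folder's ACEs. The default `$Path` is the folder named in the thread, and the script is assumed to run in the affected user's own session.

```powershell
# Added example: show which ACEs give the current user write-type access to a folder.
# Assumption: run as the affected user; $Path defaults to the folder named in the thread.
param([string]$Path = '\\server\subdir\subdir')

# The logon token holds the user's SID plus every group SID, including groups
# reached only through nesting (which "net user <name> /domain" does not expand).
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# Rights that allow creating, changing or deleting files. Modify and FullControl
# both contain these bits, so they are caught by the same mask.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

# Ask for the rules with SID identities so the comparison does not depend on name lookups.
$acl   = Get-Acl -LiteralPath $Path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$hits = foreach ($rule in $rules) {
    # Skip ACEs for trustees that are not in this user's token.
    if ($tokenSids -notcontains $rule.IdentityReference.Value) { continue }
    # Skip ACEs that carry no write-type right.
    if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }

    # Resolve the SID to a readable name; keep the raw SID if it cannot be resolved.
    $name = $rule.IdentityReference.Value
    try { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }

    [pscustomobject]@{
        Trustee   = $name
        Type      = $rule.AccessControlType   # Allow or Deny
        Rights    = $rule.FileSystemRights
        Inherited = $rule.IsInherited         # True: the ACE comes from a parent folder
        AppliesTo = $rule.InheritanceFlags
    }
}

"Owner: $($acl.Owner)"
$hits | Sort-Object Type, Trustee | Format-Table -AutoSize -Wrap
```

The token reflects group membership as of the last logon, so a recent membership change only shows up after signing in again. For a folder on a remote server, groups that are local to that server are not in the client-side token and have to be checked on the server.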
 
pma111 (Author) commented:
That's weird because we had a group on the ACL (that was grey) that had one head but was definitely a group. But it was grey :)
 
pma111 (Author) commented:
The grey hair thing is confusing me as every user has grey hair - even single users. Plus - for groups it wasn't showing them as 2 heads, just 1.
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
That's really strange :/ I've never seen it before. A group object always has 2 heads :)
I will try to dig on the Internet for any useful information :) (I'm also curious about this topic)

Krzysztof
 
pma111 (Author) commented:
OK, cool, let me know if you find something - perhaps these user accounts had just had a tough week at work :)
 
pma111 (Author) commented:
I'm wondering if it has any links to Citrix?
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
I will also check the Citrix topic. I think I saw something similar in my network but I'm not a Citrix administrator. Thanks for the hint ;)

Krzysztof
 
pma111 (Author) commented:
Any luck?