Solved

NTFS read weirdness

Posted on 2011-09-30
Last Modified: 2012-05-12
Am I correct in thinking if a user has read & execute, read and list folder contents on a folder - they should not be able to create new files in that folder, nor go into a spreadsheet in that folder, edit it and save it?

I have been added to a group that has just these permissions - however, I can create new files in this folder and edit existing spreadsheets.

This is not a root directory, it's in \\server\subdri\subdir
0
Question by:pma111
21 Comments
 
LVL 6

Accepted Solution

by:
Reubenwelsh earned 100 total points
ID: 36890961
If you look at this picture and check what rights the user inherits from other places.

With read and execute you get access to create stuff, but shouldn't be able to change others' files (unless they made the files themselves to start with, which gives them user owner rights)
NTFS.PNG
0
 
LVL 3

Author Comment

by:pma111
ID: 36890965
>>unless they made the files themselves to start with which gives them user owner rights)

No they didn't.

0
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 200 total points
ID: 36890968
Yes, that's right. But you have to check if the user is not in other groups also. NTFS permissions are cumulative :)
To check current permissions, go to the Security tab, choose Advanced and on the "Effective Permissions" tab specify that user and check what he/she actually can do.

Regards,
Krzysztof
0

 
LVL 3

Author Comment

by:pma111
ID: 36890970
I get full control when doing the above - but how do I tell where from?

It must be some other group I am in, but there's tons!
0
 
LVL 19

Assisted Solution

by:Raheman M. Abdul
Raheman M. Abdul earned 100 total points
ID: 36890977
I believe your privileges (rights) are overriding the permissions.
Are you the administrator?
0
 
LVL 3

Author Comment

by:pma111
ID: 36890978
So is it as simple as right clicking this folder

\\server\subdir\subdir and right click > security

and I must be in at least one group that has full control?

I am in this read only group - but must also be in another group too?
0
 
LVL 88

Assisted Solution

by:rindi
rindi earned 100 total points
ID: 36890980
Normally that should be the case, but make sure you are not also a member of another group that has more rights on that folder.
0
 
LVL 3

Author Comment

by:pma111
ID: 36890981
Nope I am not an administrator
0
 
LVL 3

Author Comment

by:pma111
ID: 36890991
If I run that effective permissions thing. And it shows full control.

Can I limit checking group membership to just groups also with full control?

Or can it be more complex.

Weird thing is - I don't think I am in any of these other groups.

If I run net user me /domain - I don't see any of the groups with full control in my "global group memberships"
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36890998
Check this user's group membership in ADUC and compare to those assigned to NTFS on that folder. Then you can find in which group he/she is.

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36891066
There's the thing. I have checked which groups I am in in AD Users and Computers, and NONE of them are listed on the ACL for that folder. Which makes me think the ACL for that folder may have a group with full control, and groups within that group.
0
 
LVL 3

Author Comment

by:pma111
ID: 36891076
Should I check the share permissions or just directory (NTFS) on that folder?
0
 
LVL 3

Author Comment

by:pma111
ID: 36891100
Weird.

What does it mean in ADUC when the head symbol next to a user/group is grey as opposed to black hair?

I found what groups I am in.

It lists a Citrix group; when I do member of on the Citrix group it lists another Citrix group that is on the folder's ACL.

However, it lists our Citrix group as a user on the members list for the other Citrix group, when normally it should show a group "i.e. 2 heads in ADUC as opposed to 1"
0
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 200 total points
ID: 36891222
1 head -> user
2 heads -> group

Gray head within a group means that there are more than 500 users in the group. Nothing wrong happens :) The AD query for the object class takes too much time and the icon cannot be assigned. Check this MS article at
http://support.microsoft.com/?kbid=281923

and yes, nested groups are also users, so permissions are also cumulative :]

Krzysztof
0
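Added example (not part of the original thread): a PowerShell script for the "full control, but where from?" question raised above. It compares the SIDs in the current user's logon token, which already includes nested group memberships, against the folder's ACL and lists the entries that apply. The path is the placeholder from the thread; running it as the affected user on a domain-joined machine is an assumption.

```powershell
# Added example, not from the thread: show which ACEs on a folder apply to the
# *current* user's access token. The token holds the user's SID plus the SID of
# every group the user is in, including groups reached through nesting, which
# "net user <name> /domain" does not expand.
param(
    [string]$Path = '\\server\subdir\subdir'   # placeholder path from the thread
)

# Collect the user SID and all group SIDs from the logon token.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) +
             @($identity.Groups | ForEach-Object { $_.Value })

$acl = Get-Acl -LiteralPath $Path

$applicable = foreach ($ace in $acl.Access) {
    # ACL entries are normally shown as names; translate each one to a SID so
    # it can be compared with the token.
    try {
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        continue   # entry whose account can no longer be resolved
    }
    if ($tokenSids -contains $sid) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType   # Allow or Deny
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited         # True = set on a parent folder
        }
    }
}

# Every row is an ACL entry that counts toward the effective permissions;
# a FullControl row names the group to trace back through "Member Of" in ADUC.
$applicable | Sort-Object Type, Identity | Format-Table -AutoSize -Wrap
```

Groups that are local to the file server are not in a client-side token, so an entry granted through one of those will not appear here. Group changes only show up in the token after the user logs on again.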
 
LVL 3

Author Comment

by:pma111
ID: 36892880
That's weird because we had a group on the ACL (that was grey) that had one head but was definitely a group. But it was grey :)
0
 
LVL 3

Author Comment

by:pma111
ID: 36915733
The grey hair thing is confusing me as every user has grey hair - even single users. Plus - for groups it wasn't showing them as 2 heads, just 1.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36915744
That's really strange :/ I've never seen it before. A group object always has 2 heads :)
I will try to dig in the Internet for any useful information :) (I'm also curious about this topic)

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36915747
Ok cool let me know if you find something - perhaps these user accounts had just had a tough week at work :)
0
 
LVL 3

Author Comment

by:pma111
ID: 36915749
I'm wondering if it has any links to Citrix?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36915762
I will also check the Citrix topic. I think I saw something similar in my network but I'm not a Citrix administrator. Thanks for the hint ;)

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36923920
Any luck?
0
