Solved

NTFS read weirdness

Posted on 2011-09-30
Last Modified: 2012-05-12
Am I correct in thinking if a user has read & execute, read and list folder contents on a folder - they should not be able to create new files in that folder, nor go into a spreadsheet in that folder edit it and save it?

I have been added to a group that has just these permissions - however, I can create new files in this folder and edit existing spreadsheets.

This is not a root directory, it's in \\server\subdri\subdir
0
Question by:pma111
21 Comments
 
LVL 6

Accepted Solution

by:
Reubenwelsh earned 100 total points
ID: 36890961
If you look at this picture and check what rights the user inherits from other places.

With read and execute you get access to create stuff, but shouldn't be able to change others' files (unless they made the files themselves to start with which gives them user owner rights)
NTFS.PNG
0
 
LVL 3

Author Comment

by:pma111
ID: 36890965
>>unless they made the files themselves to start with which gives them user owner rights)

No they didn't.

0
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 200 total points
ID: 36890968
Yes, that's right. But you have to check if the user is not in other groups also. NTFS permissions are cumulative :)
To check current permissions, go to the Security tab, choose Advanced and on the "Effective Permissions" tab specify that user and check what he/she actually can do.

Regards,
Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36890970
I get full control when doing the above - but how do I tell where from?

It must be some other group I am in, but there are tons!
0
 
LVL 18

Assisted Solution

by:Raheman M. Abdul
Raheman M. Abdul earned 100 total points
ID: 36890977
I believe your privileges (rights) are overriding the permissions.
Are you the administrator?
0
 
LVL 3

Author Comment

by:pma111
ID: 36890978
So is it as simple as right clicking this folder

\\server\subdir\subdir and right click > security

and I must be in at least one group that has full control?

I am in this read only group - but must also be in another group too?
0
 
LVL 87

Assisted Solution

by:rindi
rindi earned 100 total points
ID: 36890980
Normally that should be the case, but make sure you are not also a member of another group that has more rights on that folder.
0
 
LVL 3

Author Comment

by:pma111
ID: 36890981
Nope, I am not an administrator.
0
 
LVL 3

Author Comment

by:pma111
ID: 36890991
If I run that effective permissions thing, and it shows full control,

can I limit checking group membership to just groups also with full control?

Or can it be more complex?

Weird thing is - I don't think I am in any of these other groups.

If I run `net user me /domain` - I don't see any of the groups with full control in my "global group memberships".
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36890998
Check this user's group membership in ADUC and compare to those assigned to NTFS on that folder. Then you can find in which group he/she is.

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36891066
There's the thing. I have checked which groups I am in in AD Users and Computers, and NONE of them are listed on the ACL for that folder. Which makes me think the ACL for that folder may have a group with full control, and groups within that group.
0
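
The comparison suggested above (the user's group memberships against the folder's ACL), as an added PowerShell example that is not part of the original thread. It matches the ACL against the SIDs in the current logon token, which already include nested group memberships that `net user /domain` does not list; the path is the placeholder from the question and `Resolve-SidName` is a helper name chosen for this example.

```powershell
# Added example: which ACEs on a folder apply to me, and through which trustee?
param([string]$Path = '\\server\subdir\subdir')  # placeholder path from the question

# The logon token holds the user's SID plus every group SID, direct or nested.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($identity.User.Value)
$mySids += $identity.Groups | ForEach-Object { $_.Value }

# Read the folder's DACL (explicit and inherited entries) with trustees as SIDs,
# so they can be compared exactly against the token.
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)

function Resolve-SidName([System.Security.Principal.IdentityReference]$Sid) {
    # Translate a SID to DOMAIN\name; fall back to the raw SID if it cannot be resolved.
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }
}

# Keep only the entries whose trustee is in the token and show what each one grants.
$rules |
    Where-Object { $mySids -contains $_.IdentityReference.Value } |
    Select-Object @{ n = 'Trustee'; e = { Resolve-SidName $_.IdentityReference } },
                  AccessControlType, FileSystemRights, IsInherited |
    Sort-Object AccessControlType, Trustee |
    Format-Table -AutoSize
```

Run it as the affected user: each row is an ACL entry whose trustee is in that user's token, so a FullControl row names the group to trace back through its "member of" chain. Groups that are local to the file server are evaluated in the server's own token and will not appear in this client-side output.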
 
LVL 3

Author Comment

by:pma111
ID: 36891076
Should I check the share permissions or just directory (NTFS) on that folder?
0
 
LVL 3

Author Comment

by:pma111
ID: 36891100
Weird.

What does it mean in ADUC when the head symbol next to a user/group is grey as opposed to black hair?

I found what groups I am in.

It lists a Citrix group, when I do member of on the Citrix group it lists another Citrix group that is on the folder's ACL.

However, it lists our Citrix group as a user on the members list for the other Citrix group, when normally it should show a group "i.e. 2 heads in ADUC as opposed to 1"
0
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 200 total points
ID: 36891222
1 head -> user
2 heads -> group

Gray head within a group means that there are more than 500 users in the group. Nothing wrong happens :) The AD query for the object class takes too much time and the icon cannot be assigned. Check this MS article at
http://support.microsoft.com/?kbid=281923

and yes, nested groups are also users, so permissions are also cumulative :]

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36892880
That's weird because we had a group on the ACL (that was grey) that had one head but was definitely a group. But it was grey :)
0
 
LVL 3

Author Comment

by:pma111
ID: 36915733
The grey hair thing is confusing me as every user has grey hair - even single users. Plus - for groups it wasn't showing them as 2 heads, just 1.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36915744
That's really strange :/ I've never seen it before. Group object has always 2 heads :)
I will try to dig in the Internet for any useful information :) (I'm also curious in this topic)

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36915747
Ok cool let me know if you find something - perhaps these user accounts had just had a tough week at work :)
0
 
LVL 3

Author Comment

by:pma111
ID: 36915749
I'm wondering if it has any links to Citrix?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36915762
I will check also Citrix topic. I think I saw something similar in my network but I'm not Citrix administrator. Thanks for hint ;)

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36923920
Any luck?
0
