subversivetech
asked on
ACL Problem: "domain\administrator" permissions allows "computer\administrator" access
I don't know what is going on but I have shares that can be accessed by non-domain-joined computers via the local administrator account.
Removing domain\administrator removes the problem
Adding domain\domain admins creates the problem
Adding domain\administrator creates the problem
From a random computer:
computername\administrator has access
computername\otheradministrator has no access
FYI the only other entry in the ACL is SYSTEM (full control)
Domain Functional level is Server 2003
Any clues would be appreciated.
ASKER
No, only domain\groups are present in the ACL. Share permissions are set to "everyone" allow, but this is common practice and what I have always done. I rely on the ACL for security, not share permissions. Ownership is "domain admins".
Domain Admins are the owner of the folders and can access them. Change the owner or add an NTFS deny on the ACL to prevent access.
ASKER
My issue is at the moment, anybody can walk into the office with a random computer (even the cleaner) and plug into the LAN. If they log in using "administrator" then bingo, they can access the shares. This is not as it should be "obviously". See screenshot of my ACL.
acl.JPG
ASKER
Worked it out with some experimentation.
Also, take ownership of the shares, remove the permissions which are not required, and see whether it's working.