subversivetech

asked on

ACL Problem: "domain\administrator" permissions allows "computer\administrator" access

I don't know what is going on but I have shares that can be accessed by non-domain-joined computers via the local administrator account.

Removing domain\administrator removes the problem
Adding domain\domain admins creates the problem
Adding domain\administrator creates the problem

From a random computer:
computername\administrator has access
computername\otheradministrator has no access

FYI the only other entry in the ACL is SYSTEM (full control)

Domain Functional level is Server 2003
Any clues would be appreciated.
Radhakrishnan

Could you check whether computer\administrators has Allow access on this folder? If so, the local admin will be able to access the shares.
Also, take ownership of the shares, remove the permissions which are not required, and see whether it works.
subversivetech

ASKER

No, only domain\groups are present in the ACL. Share permissions are set to "everyone" allow, but this is common practice and what I have always done. I rely on the ACL for security, not share permissions. Ownership is "domain admins".
Domain Admins are the owner of the folders and can access them. Change the owner or add an NTFS deny on the ACL to prevent access.
My issue is at the moment, anybody can walk into the office with a random computer (even the cleaner) and plug into the LAN. If they log in using "administrator" then bingo, they can access the shares. This is not as it should be "obviously". See screenshot of my ACL.
acl.JPG
ASKER CERTIFIED SOLUTION
subversivetech

Worked it out with some experimentation.