Unexplained full write access to entire server. What is causing this?

robw24
robw24 used Ask the Experts™
on
I have a user, who is myself, with full write access to any shared folder in the domain. Something you would expect to see with a domain admin, however this user is not setup as a domain admin. Environment is Windows 2003 native AD, with Windows 2003 servers. I have checked all the permissions and don't understand how this could be.

Example: User logged into workstation as user1, and can save files to any part of any mapped network drive, even when the write permissions on the folder do not list any group of which this user is a member.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2013

Commented:
That is odd, did you check both the share and NTFS permissions.  Double check to make sure the folder is not inheriting permissions or that he is not in any group that may have permissions.

Thanks
Mike
Brian PiercePhotographer
Awarded 2007
Top Expert 2008

Commented:
What permissions are granted to 'Everyone' or 'Domain Users' ('Users')

Are there any 'Special Permissions' - check the advanced options

Author

Commented:
Here is an example: There is a shared parent folder with the share permissions of -

Domain Admins - Full
Local Admins - Full
Domain Users - Read
System - Full

And the security permissions of -

Domain Admins - Full
Local Admins - Full
Domain Uses - Read
System - Full

Then a few subfolders from that one, there is a folder with the following security permissions -

Domain Admins - Full
Local Admins - Full
Domain Uses - Read
System - Full
Group1 - (special permissions) Traverse folder/List Folder (only)
Group2 - Write access
Group3 - Write access
Group4 - Read Access
Group5 - (special permissions) Traverse folder/List Folder (only)
User2 - Write access

The folder is not shared, so there are no Share permissions to change. Me, User1, is not a member of any of the groups 1-5, nor a domain admin or local admin.
Acronis in Gartner 2019 MQ for datacenter backup

It is an honor to be featured in Gartner 2019 Magic Quadrant for Datacenter Backup and Recovery Solutions. Gartner’s MQ sets a high standard and earning a place on their grid is a great affirmation that Acronis is delivering on our mission to protect all data, apps, and systems.

Kini pradeepDevelopment Manager

Commented:
to start with you could use the Sysinternals tool accessenum to find the effective permissions on a couple of folders on different machines.the account has to be a member of one of these groups that has a RW access on the folder. Acceschk another utility, I have found useful in such cases
If you mention that this account does not have any privileges and can still access all the shares are there any login scripts/ group policy that adds this user to privileged groups on the workstations / servers?

Author

Commented:
Well I just narrowed down the issue. I created a new folder on the network server, blocked inheritance (copied permissions), and removed groups one by one until I could not access the folder anymore through my workstation mapped drive. The access is coming from the Domain Admins group. However, my user account is not a member of this group, and there are only users in this group, not more groups.

There is nothing in our login script that assigns users to group. It only maps drives.

Author

Commented:
So how can I be in the Domain Admins group, as I have demonstrated, if it does not appear that I am?
Commented:
I figured this out. On my workstation, in the control panel/User Accounts area, there is something called the credentials vault. It had stored domain admin credentials for my mapped drives. Once I removed these and rebooted, the access was gone.

Author

Commented:
This solved the issue.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial