robw24 asked:
Unexplained full write access to entire server. What is causing this?
I have a user, who is myself, with full write access to any shared folder in the domain. This is something you would expect to see with a domain admin; however, this user is not set up as a domain admin. The environment is Windows 2003 native AD with Windows 2003 servers. I have checked all the permissions and don't understand how this could be.
Example: User logged into workstation as user1, and can save files to any part of any mapped network drive, even when the write permissions on the folder do not list any group of which this user is a member.
What permissions are granted to 'Everyone' or 'Domain Users' ('Users')?
Are there any 'Special Permissions'? Check the advanced options.
ASKER
Here is an example: There is a shared parent folder with the share permissions of -
Domain Admins - Full
Local Admins - Full
Domain Users - Read
System - Full
And the security permissions of -
Domain Admins - Full
Local Admins - Full
Domain Users - Read
System - Full
Then a few subfolders from that one, there is a folder with the following security permissions -
Domain Admins - Full
Local Admins - Full
Domain Users - Read
System - Full
Group1 - (special permissions) Traverse folder/List Folder (only)
Group2 - Write access
Group3 - Write access
Group4 - Read Access
Group5 - (special permissions) Traverse folder/List Folder (only)
User2 - Write access
The folder is not shared, so there are no share permissions to change. I, User1, am not a member of any of the groups 1-5, nor a domain admin or local admin.
To start with, you could use the Sysinternals tool AccessEnum to find the effective permissions on a couple of folders on different machines. The account has to be a member of one of the groups that has RW access on the folder. AccessChk, another Sysinternals utility, I have found useful in such cases.
If you say that this account does not have any privileges and can still access all the shares, are there any login scripts or group policies that add this user to privileged groups on the workstations / servers?
ASKER
Well I just narrowed down the issue. I created a new folder on the network server, blocked inheritance (copied permissions), and removed groups one by one until I could not access the folder anymore through my workstation mapped drive. The access is coming from the Domain Admins group. However, my user account is not a member of this group, and there are only users in this group, not more groups.
There is nothing in our login script that assigns users to group. It only maps drives.
ASKER
So how can I be in the Domain Admins group, as I have demonstrated, if it does not appear that I am?
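The effective-permission check suggested earlier (AccessEnum/AccessChk) and the group-by-group bisection the asker ran both come down to the same question: which SIDs are actually in the user's logon token, and which ACEs on the folder match them? The script below is an added example, not code from the original thread. It is written for a current PowerShell rather than the asker's Windows 2003 environment, and the folder path is a placeholder you supply. Run it on the workstation while logged on as the user being investigated (User1 in the thread), pointed at the folder that is unexpectedly writable.

```powershell
# Added example (not from the original thread). Lists the SIDs in the current
# logon token, flags a Domain Admins SID if present, and prints the ACEs on the
# target folder whose trustee is one of those SIDs. Assumes PowerShell 5.1+ and
# that $Path is a folder the current user can at least read the DACL of.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # placeholder, e.g. a mapped drive or UNC path
)

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# The token is what the file server's access check evaluates. It contains the
# user SID plus every group SID, including nested groups, the primary group and
# well-known SIDs such as Everyone and Authenticated Users.
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

function Resolve-Sid {
    param([string]$Sid)
    try {
        $sidObj = [System.Security.Principal.SecurityIdentifier]$Sid
        return $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Sid   # unresolvable SID (deleted account, foreign domain)
    }
}

Write-Host "Token for $($identity.Name):"
foreach ($sid in $tokenSids) {
    Write-Host ("  {0,-48} {1}" -f $sid, (Resolve-Sid -Sid $sid))
}

# Domain Admins is always RID 512 of the domain SID.
$domainAdminSids = @($tokenSids | Where-Object { $_ -match '^S-1-5-21-[\d-]+-512$' })
if ($domainAdminSids.Count -gt 0) {
    Write-Warning "Token contains Domain Admins: $($domainAdminSids -join ', ')"
} else {
    Write-Host "`nNo Domain Admins SID in the token."
}

# Rights that let the holder change content or permissions.
[int]$writeRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
    [System.Security.AccessControl.FileSystemRights]::AppendData -bor
    [System.Security.AccessControl.FileSystemRights]::Delete -bor
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
    [System.Security.AccessControl.FileSystemRights]::TakeOwnership

$acl = Get-Acl -LiteralPath $Path
Write-Host "`nACEs on $Path whose trustee is in the token:"
foreach ($ace in $acl.Access) {
    try {
        $aceSid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        continue   # trustee cannot be resolved, so it cannot match the token
    }
    if ($tokenSids -contains $aceSid) {
        $grantsWrite = (([int]$ace.FileSystemRights) -band $writeRights) -ne 0
        $line = "  {0,-5} {1,-40} write={2,-5} inherited={3,-5} {4}" -f `
            $ace.AccessControlType, $ace.IdentityReference.Value,
            $grantsWrite, $ace.IsInherited, $ace.FileSystemRights
        Write-Host $line
    }
}
```

Read the two lists together: any Allow ACE printed with write=True explains write access regardless of what the folder's Security tab seems to say, and a Deny ACE in the list overrides it. The token list is the part the GUI does not show you. A group's member list in Active Directory Users and Computers omits accounts that hold it as their primary group (the primaryGroupID attribute), and nested memberships and SID history only appear once the token is built, so the token is the authoritative place to check membership rather than the group object. If the Domain Admins SID shows up in the token for a user who is not listed in the group, look at the user's primary group and at group nesting before assuming the DACL itself is wrong.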
ASKER CERTIFIED SOLUTION
ASKER
This solved the issue.
Thanks
Mike