Solved

Windows 2008 R2 Sharing Problem

Posted on 2013-06-12
26
326 Views
Last Modified: 2013-06-16
Hi
I am having a problem with a shared folder in R2. I create a share and configure it the way I always do. So I right-click the folder, click on the Sharing tab and give the Everyone group Full Control. I do this because I know that I can lock that folder down using the Security tab via NTFS permissions.
So now I click Security and add in my group of users who I want to have read-only access on this share.
When testing this setup logged in as a member of the read-only group, it still allows me to create folders and files in the share, so basically it is ignoring the NTFS perms.

Any ideas?
0
Comment
Question by:kingcastle
26 Comments
 
LVL 18

Expert Comment

by:LesterClayton
ID: 39240729
Share permissions and NTFS permissions are combined when the file system evaluates the request; the MOST RESTRICTIVE are effective.  Share with Everyone, Full Control is indeed best practice.

My guess is that the intended person is a member of a group which has permissions - either directly or nested.  By default, Local Administrators have permission to the entire filesystem, so check that through nested group membership, this user has not gained permissions from that group.

If a user is a member of multiple groups, he will get the combined permissions from all of the groups - not just one of them.
0
 

Author Comment

by:kingcastle
ID: 39240789
Thanks for your response. The plot thickens: I removed the group from the Security tab completely and logged in again as the test user, but I could still do everything. So I then went to Sharing and changed the Everyone group from Full Control to Read only, and then it worked, but that tells me that the Security tab is not working at all.

Any ideas?
0
 
LVL 18

Expert Comment

by:LesterClayton
ID: 39240805
Go to the server on which the share resides, and open up a command prompt.  Type "net share" and then find the share that you are testing.

Then type CD "c:\path goes here" so that you are in the same folder which is being shared.  NOTE: If this is on a different drive other than C: then you have to change the drive letter first by typing "x:" where x is the drive letter.

Once you're in the target folder, type "icacls ." and then show us the output.  This will show us all the permissions on this folder, including inherited ones.  Once we can see the permissions, we can try to help you identify which group is giving him the permissions you don't want them to have.
0
 

Author Comment

by:kingcastle
ID: 39240822
Thanks for this. Do I need to type anything other than icacls? Because when I type that it gives me a list of switches I could use, but no real output I don't think.

Thanks again.
0
 
LVL 18

Expert Comment

by:LesterClayton
ID: 39240975
icacls with a period next to it (after a space), which represents "current directory".  You may have missed the period, but it is within my quotes :)
0
 

Author Comment

by:kingcastle
ID: 39241015
Aha, didn't spot that, sorry about that.
0
 

Author Comment

by:kingcastle
ID: 39241034
OK, so after running that we have:

DOMAIN\Domain Admins:(OI)(CI)(F)
BUILTIN\Administrator:(F)
BUILTIN\Administrator:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
CREATE OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(AD)
BUILTIN\Users:(I)(CI)(WD)

That's what we got.
0
 
LVL 18

Expert Comment

by:LesterClayton
ID: 39241049
BUILTIN\Users:(I)(CI)(AD)

BUILTIN\Users is getting the (AD) Permission, which is

AD - append data/add subdirectory

It's because of this that he is able to create folders :)

CREATE OWNER:(I)(OI)(CI)(IO)(F)

Because he can create folders, this right gives him full access to the new folder, because he is the owner of it.

Both of these permissions are being inherited from folders above (which is indicated by (I))

Hope this helps!

P.S. BUILTIN\Users is a group on every server, and DOMAIN USERS is automatically a member of it, if it's a member server.  All users are by default members of DOMAIN USERS.
0
 

Author Comment

by:kingcastle
ID: 39241084
So even though this guy is not a member of BUILTIN\Users, he should still be able to have full access?
0
 
LVL 18

Expert Comment

by:LesterClayton
ID: 39241097
This guy is a member of BUILTIN\Users by the mere fact that he's a member of Domain Users.  Check his Active Directory account, you will see that he's a member of Domain Users (it's probably his primary group).

Then, check the BUILTIN\Users group on the server in question - you'll see that Domain Users is a member of this group.

Through nested groups, he gets this permission :)

Incidentally - this is BY DESIGN - Don't go deleting these groups or changing their group memberships.  The solution here is to remove the permissions you DON'T want them to have.  The following commands will probably remove the unwanted ones:

icacls \ /remove BUILTIN\Users:(I)(CI)(AD)
icacls \ /remove BUILTIN\Users:(I)(CI)(WD)


Be aware though, that this will have consequences for ALL USERS!  So, do this with caution.
0
 

Author Comment

by:kingcastle
ID: 39241111
Do you know what, I actually removed Domain Users from the local Users group on this server to see if that would help, but it didn't, you see. So even though I removed Domain Users from there, the user could still do what they wanted.

So typically how would this be set up, do you think?

I have my server with a C drive and a D drive. On my D drive I have a folder that I want to share called Public. So I right-click Public and on the Sharing tab grant Everyone Full Control, then on the Security tab only grant my user group Read access?

Should I put Domain Users back into the local Users group on the member server in question?

Thanks
0
 
LVL 18

Expert Comment

by:LesterClayton
ID: 39241147
The root of your D: drive should have the following permissions:

NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)

Remove the others.  Once you've sorted out your root folder's permissions, then you can give permissions to D:\Public, adding the group you want to have read only access to it.

As I have previously said, you should not change group memberships for BUILTIN groups - because this group is used to provide other functionality for the users (for example, allowing users to print to the print spooler).

If after this your user still has more permissions than they are supposed to have, then the only way he could be getting permissions is if he is (through nested group membership) a member of BUILTIN\Administrators.  Check the local Administrators group of the server and ensure you don't have rogue entries in there.
0
 

Author Comment

by:kingcastle
ID: 39241317
So at the moment, if I right-click the D drive from My Computer, then click Properties and from there go on to the Security tab, I currently can see:

Everyone                                                    which has a grayed out tick in special permissions
CREATE OWNER                                           as above
SYSTEM                                                        Full Control
Local Administrators of the Server             Full Control
Local Users                                                  Read

This seems to be the same on another R2 I have.
0
 
LVL 18

Expert Comment

by:LesterClayton
ID: 39241334
Can you show ICACLS output of the D:\ drive instead? It's easier to read because it will also include all special permissions.

Can you also show ICACLS output of D:\Public folder

Can you also confirm that D:\Public is the share you are referring to

Thanks!
0
 

Author Comment

by:kingcastle
ID: 39241340
Do you think if I stop inheriting on the D:\Public folder and then set my perms on D:\Public it will solve this?
It must be happening because the Public folder is taking its perms from the D drive itself.
0
 
LVL 18

Expert Comment

by:LesterClayton
ID: 39241357
You could do this, and it may resolve the problem, but breaking inheritance is generally not considered good practice.  Best practice is: give people the least amount of permissions they need, and build on top of that, rather than taking permissions away.  If you do break inheritance, remember to use the button to "Add" the current permissions so that you as the Administrator, and the system, do not lose permissions.  Once the ACLs have been added to the Public folder, you can remove the unnecessary ones.
0
 

Author Comment

by:kingcastle
ID: 39241399
D:\>icacls .
. BUILTIN\Administrators:(OI)(CI)(F)
  NT AUTHORITY\SYSTEM:(OI)(CI)(F)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  BUILTIN\Users:(OI)(CI)(RX)
  BUILTIN\Users:(CI)(AD)
  BUILTIN\Users:(CI)(IO)(WD)
  Everyone:(RX)

D:\Public\icacls .
 CREATOR OWNER:(OI)(CI)(IO)(F)
 NT AUTHORITY\SYSTEM:(OI)(CI)(F)
 BUILTIN\Administrators:(OI)(CI)(F)
 DOMAIN\Domain Admins:(OI)(CI)(F)
 DOMAIN\Domain Read Only Group:(OI)(CI)(RX)
0
 

Author Comment

by:kingcastle
ID: 39241405
Yip, D:\Public will be the folder I'm sharing.
0
 
LVL 18

Expert Comment

by:LesterClayton
ID: 39241407
Alrighty, that looks good - is the test user getting more rights than he should, or is the problem resolved?
0
 

Author Comment

by:kingcastle
ID: 39241460
If I stop inheriting from the D drive it works, but now I'm nervous that maybe I should not be doing that as it's not best practice.
0
 

Author Comment

by:kingcastle
ID: 39241465
OK, so I just tested with inheritance from D on and it doesn't work; it allows you to create what you like.

If I stop inheritance and set my own privileges it works as I expect it to.

Weird.
0
 
LVL 18

Accepted Solution

by:
LesterClayton earned 500 total points
ID: 39241474
If you leave it the way it is, it will work, but if you create a new folder under D: (like D:\Department), then Department will inherit the problems from root - this is why it's best practice to give the least amount of permission at Root, and then add permissions as they are needed :)

Ideally, you want to end up with this:

D:\>icacls .
. BUILTIN\Administrators:(OI)(CI)(F)
  NT AUTHORITY\SYSTEM:(OI)(CI)(F)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  Everyone:(RX)

D:\Public\>icacls .
 BUILTIN\Administrators:(I)(OI)(CI)(F)
 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
 CREATOR OWNER:(I)(OI)(CI)(IO)(F)
 DOMAIN\Domain Read Only Group:(OI)(CI)(RX)
0
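To show concretely what the icacls listings above mean, here is an added example (not code from this thread, nor from Microsoft's icacls) that parses icacls output, reports which broad groups hold write-class rights, models how (CI)/(OI)/(IO) entries propagate from the root to a new subfolder, and intersects the NTFS rights with the share level. The mapping of simple rights (F, M, RX, ...) to specific rights is a simplified assumption, deny entries and (NP) are not modelled, and the test user's group memberships, the `owner` argument and the `BROAD_GROUPS` set are constructed for the example.

```python
"""Audit icacls output: which broad groups hold write-class rights, how (CI)/(OI)/(IO)
entries propagate to a new subfolder, and what survives the share-level filter."""
import re
from dataclasses import dataclass

# Simple rights expanded to specific rights (assumption: simplified from the icacls
# docs, enough for folder auditing; deny entries and (NP) are not modelled).
SIMPLE_RIGHTS = {
    "F": {"RD", "WD", "AD", "REA", "WEA", "X", "DC", "RA", "WA", "DE", "RC", "WDAC", "WO", "S"},
    "M": {"RD", "WD", "AD", "REA", "WEA", "X", "RA", "WA", "DE", "RC", "S"},
    "RX": {"RD", "REA", "X", "RA", "RC", "S"},
    "R": {"RD", "REA", "RA", "RC", "S"},
    "W": {"WD", "AD", "WEA", "WA", "RC", "S"},
    "D": {"DE"}, "N": set(),
}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
WRITE_RIGHTS = {"WD", "AD", "DE", "DC", "WDAC", "WO"}   # change contents or the ACL
SHARE_LEVELS = {"Full Control": SIMPLE_RIGHTS["F"], "Change": SIMPLE_RIGHTS["M"] | {"DC"},
                "Read": SIMPLE_RIGHTS["RX"]}
BROAD_GROUPS = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users"}

@dataclass(frozen=True)
class Ace:
    principal: str
    rights: frozenset
    inherited: bool = False          # (I)
    object_inherit: bool = False     # (OI) files below receive it
    container_inherit: bool = False  # (CI) subfolders below receive it
    inherit_only: bool = False       # (IO) not applied to this folder itself

def parse_icacls(output, path="."):
    """Turn `icacls <path>` output into Ace objects; the first ACE line is prefixed
    with the path, later ones are indented, anything else is skipped."""
    aces = []
    for line in output.splitlines():
        if ":(" not in line:
            continue
        head, _, tail = line.strip().rpartition(":(")
        if head.startswith(path + " "):
            head = head[len(path) + 1:]
        flags, rights = set(), set()
        for group in re.findall(r"\(([^)]*)\)", "(" + tail):
            for token in (t.strip() for t in group.split(",")):
                if token in INHERIT_FLAGS:
                    flags.add(token)
                else:
                    rights |= SIMPLE_RIGHTS.get(token, {token})
        aces.append(Ace(head.strip(), frozenset(rights), "I" in flags,
                        "OI" in flags, "CI" in flags, "IO" in flags))
    return aces

def rights_on_folder(aces, memberships):
    """Rights on the folder itself for a token holding these principals (the account
    plus every group it belongs to, nested ones included); (IO) entries do not count."""
    return set().union(*(a.rights for a in aces
                         if a.principal in memberships and not a.inherit_only))

def inherit_to_subfolder(aces, owner=None):
    """ACL a new subfolder receives: (CI) entries apply to it with (IO) cleared, (OI)-only
    entries are carried inherit-only for files beneath it, and the CREATOR OWNER
    placeholder stays inherit-only while the creator gets its rights as an inherited entry."""
    child = []
    for a in aces:
        if a.principal == "CREATOR OWNER" and a.container_inherit:
            child.append(Ace(a.principal, a.rights, True, a.object_inherit, True, True))
            if owner:
                child.append(Ace(owner, a.rights, True, a.object_inherit, True, False))
        elif a.container_inherit:
            child.append(Ace(a.principal, a.rights, True, a.object_inherit, True, False))
        elif a.object_inherit:
            child.append(Ace(a.principal, a.rights, True, True, False, True))
    return child

def effective_rights(ntfs_rights, share_level):
    """Through a share the user gets the intersection of NTFS and share permissions."""
    return set(ntfs_rights) & SHARE_LEVELS[share_level]

def audit_broad_write(aces, broad_groups=BROAD_GROUPS):
    """Entries handing write-class rights to broad groups, and where they bite."""
    findings = []
    for a in aces:
        hits = a.rights & WRITE_RIGHTS
        if a.principal in broad_groups and hits:
            scope = ("subfolders only" if a.inherit_only else
                     "this folder and subfolders" if a.container_inherit else "this folder")
            findings.append((a.principal, sorted(hits), scope, a.inherited))
    return findings

# Constructed samples: the D:\ root ACL posted in the thread and the cleaned-up root.
ROOT_ACL = r"""D:\>icacls .
. BUILTIN\Administrators:(OI)(CI)(F)
  NT AUTHORITY\SYSTEM:(OI)(CI)(F)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  BUILTIN\Users:(OI)(CI)(RX)
  BUILTIN\Users:(CI)(AD)
  BUILTIN\Users:(CI)(IO)(WD)
  Everyone:(RX)"""
CLEAN_ROOT_ACL = r"""D:\>icacls .
. BUILTIN\Administrators:(OI)(CI)(F)
  NT AUTHORITY\SYSTEM:(OI)(CI)(F)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  Everyone:(RX)"""
# Constructed test user: a plain domain account, so in Domain Users, BUILTIN\Users, Everyone.
TEST_USER = {"DOMAIN\\testuser", "DOMAIN\\Domain Users", "BUILTIN\\Users", "Everyone"}

if __name__ == "__main__":
    public = inherit_to_subfolder(parse_icacls(ROOT_ACL), owner="DOMAIN\\admin")
    ntfs = rights_on_folder(public, TEST_USER)
    for level in SHARE_LEVELS:   # a Read share masks the problem; Full Control exposes it
        print(level, "->", sorted(effective_rights(ntfs, level) & WRITE_RIGHTS))
    print(audit_broad_write(parse_icacls(ROOT_ACL)), audit_broad_write(parse_icacls(CLEAN_ROOT_ACL)))
```

Run against the root listing, the audit flags BUILTIN\Users with (AD) on the root and its subfolders and (WD) on subfolders only; propagating that ACL to D:\Public clears the (IO) on the (WD) entry, which is exactly the (I)(CI)(AD) and (I)(CI)(WD) pair the author saw. Intersecting with a Read share removes both, which is why changing the share to Read "fixed" it, while the cleaned-up root produces no findings at all.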
 

Author Comment

by:kingcastle
ID: 39241576
OK, so for now I've got to remember that for any other folder I create on the root of D, if I want to share it then I need to stop inheriting perms.
Would that be right?

I wonder why it does it like that by default; you would think it would be the least restrictive way.
0
 
LVL 18

Expert Comment

by:LesterClayton
ID: 39241586
ok so for now i gotta remember that any other folder i create on the root of D if i want to share it then i need to stop inheriting perms.
Would that be right?

That would be right, if you don't remove the default permissions at the root.
0
 

Author Comment

by:kingcastle
ID: 39241592
Arrrhhh, OK, so now I can't create files or folders, which is correct, but I can delete ones that are already there, which I don't want.
The perms applying are Read & Execute, List Folder and Read.
I only want the user to view the list of folders at this point and not create any new ones or delete any at this level.
I wonder if it is the Read & Execute perm allowing that.
0
 
LVL 18

Expert Comment

by:LesterClayton
ID: 39241611
Read and execute won't allow you to delete stuff which already exists.  Check the permissions on the items which are already there - it's possible that they too are different.

It seems to me you may need to revisit all your permissions.

You may also want to consider taking a training course so that you can learn about permissions and inheritance, there's only so much information one can give you in a forum thread.  You have the tools at your disposal (Icacls, to view permissions), so you just have to review your file structure accordingly.
0