Solved

Windows 2008 R2 Sharing Problem

Posted on 2013-06-12, last modified 2013-06-16
Hi
I am having a problem with a shared folder in R2. I create a share and configure it the way I always do. So I right click the folder, click on the Sharing tab and set the Everyone group to Full Control. I do this because I know that I can lock that folder down using the Security tab via NTFS permissions.
So now I click Security and add in my group of users who I want to have read only access to this share.
When testing this setup logged in as a member of the read only group it still allows me to create folders and files in the share, so basically ignoring the NTFS perms.

Any ideas?
Question by: kingcastle

26 Comments

Expert Comment by: LesterClayton (LVL 17)
Share permissions and NTFS permissions are combined when the file system enumerates the request; the MOST RESTRICTIVE are effective. Share with Everyone, Full Control is indeed best practice.

My guess is that the intended person is a member of a group which has permissions, either directly or nested. By default, local Administrators have permission to the entire filesystem, so check that, through nested group membership, this user has not gained permissions from that group.

If a user is a member of multiple groups, he will get the combined permissions from all of the groups, not just one of them.

Author Comment by: kingcastle
Thanks for your response. The plot thickens: so I removed the group from the Security tab completely and logged in again as the test user, but still I could do everything. So I then went to the Sharing tab and changed the Everyone group from Full Control to Read Only and then it worked, but that tells me that the Security tab is not working at all.

Any ideas?

Expert Comment by: LesterClayton (LVL 17)
Go to the server on which the share resides, and open up a command prompt. Type "net share" and then find the share that you are testing.

Then type CD "c:\path goes here" so that you are in the same folder which is being shared. NOTE: If this is on a different drive other than C: then you have to change the drive letter first by typing "x:" where x is the drive letter.

Once you're in the target folder, type "icacls ." and then show us the output. This will show us all the permissions on this folder, including inherited ones. Once we can see the permissions, we can try to help you identify which group is giving him the permissions you don't want him to have.

Author Comment by: kingcastle
Thanks for this. Do I need to type anything other than icacls? Because when I type that it gives me a list of switches I could use, but no real output I don't think.

Thanks again.

Expert Comment by: LesterClayton (LVL 17)
icacls with a period next to it (after a space), which represents "current directory". You may have missed the period, but it is within my quotes :)

Author Comment by: kingcastle
Aha, didn't spot that, sorry about that.

Author Comment by: kingcastle
OK so after running that we have.

DOMAIN\Domain Admins:(OI)(CI)(F)
BUILTIN\Administrator:(F)
BUILTIN\Administrator:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
CREATE OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(AD)
BUILTIN\Users:(I)(CI)(WD)

That's what we got.

Expert Comment by: LesterClayton (LVL 17)
BUILTIN\Users:(I)(CI)(AD)

BUILTIN\Users is getting the (AD) Permission, which is

AD - append data/add subdirectory

It's because of this that he is able to create folders :)

CREATE OWNER:(I)(OI)(CI)(IO)(F)

Because he can create folders, this right gives him full access to the new folder, because he is the owner of it.

Both of these permissions are being inherited from folders above (which is indicated by (I)).

Hope this helps!

P.S. BUILTIN\Users is a group on every server, and DOMAIN USERS is automatically a member of it, if it's a member server.  All users are by default members of DOMAIN USERS.
0
 

Author Comment

by:kingcastle
Comment Utility
So even though this guy is not a member of builtin users, he should still be able to have full access?

Expert Comment by: LesterClayton (LVL 17)
This guy is a member of BUILTIN\Users by the mere fact that he's a member of Domain Users.  Check his Active Directory account, you will see that he's a member of Domain Users (it's probably his primary group).

Then, check the BUILTIN\Users group on the server in question - you'll see that Domain Users is a member of this group.

Through nested groups, he gets this permission :)

Incidentally, this is BY DESIGN. Don't go deleting these groups or changing their group memberships. The solution here is to remove the permissions you DON'T want them to have. The following commands will probably remove the unwanted ones:

icacls \ /remove BUILTIN\Users:(I)(CI)(AD)
icacls \ /remove BUILTIN\Users:(I)(CI)(WD)

Be aware though, that this will have consequences for ALL USERS!  So, do this with caution.

Author Comment by: kingcastle
Do you know what, I actually removed Domain Users from the local Users group on this server to see if that would help, but it didn't, you see. So even though I removed Domain Users from there, the user could still do what they wanted.

So typically how would this be set up, do you think?

I have my server with a C drive and a D drive. On my D drive I have a folder that I want to share called Public. So I right click Public and on the Sharing tab grant Everyone Full Control, then on the Security tab only grant my user group Read access?

Should I put Domain Users back into the local Users group on the member server in question?

Thanks

Expert Comment by: LesterClayton (LVL 17)
The root of your D: drive should have the following permissions:

NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)

Remove the others.  Once you've sorted out your root folder's permissions, then you can give permissions to D:\Public, adding the group you want to have read only access to it.

As I have previously said, you should not change group memberships for BUILTIN groups - because this group is used to provide other functionality for the users (for example, allowing users to print to the print spooler).

If after this your user still has more permissions than they are supposed to have, then the only way he could be getting permissions is if he is (through nested group membership) a member of BUILTIN\Administrators.  Check the local Administrators group of the server and ensure you don't have rogue entries in there.

Author Comment by: kingcastle
So at the moment if I right click the D drive from My Computer, click Properties and then go to the Security tab, I currently can see:

Everyone: a grayed out tick in Special permissions
CREATE OWNER: as above
SYSTEM: Full Control
Local Administrators of the server: Full Control
Local Users: Read

This seems to be the same on another R2 I have.

Expert Comment by: LesterClayton (LVL 17)
Can you show the ICACLS output of the D:\ drive instead? It's easier to read because it will also include all special permissions.

Can you also show the ICACLS output of the D:\Public folder.

Can you also confirm that D:\Public is the share you are referring to.

Thanks!

Author Comment by: kingcastle
Do you think if I stop inheriting on the D:\Public folder and then set my perms on D:\Public it will solve this?
It must be happening because the Public folder is taking its perms from the D drive itself.

Expert Comment by: LesterClayton (LVL 17)
You could do this, and it may resolve the problem, but breaking inheritance is generally not considered good practice. Best practice is, give people the least amount of permissions they need, and build on top of that, rather than taking permissions away. If you do break inheritance, remember to use the button to "Add" the current permissions so that you as the Administrator, and the system, do not lose permissions. Once the ACLs have been added to the Public folder, you can remove the unnecessary ones.

Author Comment by: kingcastle
D:\>icacls .
. BUILTIN\Administrators:(OI)(CI)(F)
  NT AUTHORITY\SYSTEM:(OI)(CI)(F)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  BUILTIN\Users:(OI)(CI)(RX)
  BUILTIN\Users:(CI)(AD)
  BUILTIN\Users:(CI)(IO)(WD)
  Everyone:(RX)

D:\Public\icacls .
 CREATOR OWNER:(OI)(CI)(IO)(F)
 NT AUTHORITY\SYSTEM:(OI)(CI)(F)
 BUILTIN\Administrators:(OI)(CI)(F)
 DOMAIN\Domain Admins:(OI)(CI)(F)
 DOMAIN\Domain Read Only Group:(OI)(CI)(RX)

Author Comment by: kingcastle
Yip, d:\public will be the folder I'm sharing.

Expert Comment by: LesterClayton (LVL 17)
Alrighty, that looks good. Is the test user getting more rights than he should, or is the problem resolved?

Author Comment by: kingcastle
If I stop inheriting from the D drive it works, but now I'm nervous that maybe I should not be doing that as it's not best practice.

Author Comment by: kingcastle
OK so I just tested with inherit from D on and it doesn't work; it allows you to create what you like.

If I stop inheriting and set my own privileges it works as I expect it to.

Weird.

Accepted Solution by: LesterClayton (LVL 17), earned 500 total points
If you leave it the way it is, it will work, but if you create a new folder under D: (like D:\Department), then Department will inherit the problems from root - this is why it's best practice to give the least amount of permission at Root, and then add permissions as they are needed :)

Ideally, you want to end up with this:

D:\>icacls .
. BUILTIN\Administrators:(OI)(CI)(F)
  NT AUTHORITY\SYSTEM:(OI)(CI)(F)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  Everyone:(RX)

D:\Public\>icacls .
 BUILTIN\Administrators:(I)(OI)(CI)(F)
 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
 CREATOR OWNER:(I)(OI)(CI)(IO)(F)
 DOMAIN\Domain Read Only Group:(OI)(CI)(RX)
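To make the nesting explanation and the accepted solution's root ACL concrete, here is an added Python example (not code from the thread or from Windows) that parses icacls listings like those posted above and works out which rights a supposedly read-only user actually gets. The ACL texts are constructed from the thread's output, and the user name and group nesting are assumptions; it models allow ACEs only, ignoring deny entries and the share-level permission.

```python
import re
# Constructed samples modelled on the thread's icacls listings: D:\ as found, and as recommended.
ROOT_BEFORE = """\
. BUILTIN\\Administrators:(OI)(CI)(F)
  NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  BUILTIN\\Users:(OI)(CI)(RX)
  BUILTIN\\Users:(CI)(AD)
  BUILTIN\\Users:(CI)(IO)(WD)
  Everyone:(RX)
"""
ROOT_AFTER = """\
. BUILTIN\\Administrators:(OI)(CI)(F)
  NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
  Everyone:(RX)
"""
# Hypothetical nesting, as described in the thread: user -> Domain Users -> BUILTIN\Users.
MEMBER_OF = {
    "DOMAIN\\testuser": {"DOMAIN\\Domain Users", "DOMAIN\\Domain Read Only Group"},
    "DOMAIN\\Domain Users": {"BUILTIN\\Users"},
}
INHERIT_FLAGS = {"OI", "CI", "IO", "I", "NP"}  # scope flags, not access rights
WRITE_RIGHTS = {"F", "M", "W", "AD", "WD"}     # any of these lets the user create items
ACE_RE = re.compile(r"^(?P<who>[^:()]+):(?P<flags>(?:\([A-Z,]+\))+)$")

def parse_icacls(text):
    """Return [(principal, set_of_flags)] from icacls lines, ignoring the leading '.' path."""
    matches = (ACE_RE.match(l.strip().lstrip(". ").strip()) for l in text.splitlines())
    return [(m["who"], set(re.findall(r"[A-Z]+", m["flags"]))) for m in matches if m]

def principals_for(user):
    """Expand nested group membership transitively; Everyone always applies."""
    seen, todo = {user, "Everyone"}, [user]
    while todo:
        todo += (new := MEMBER_OF.get(todo.pop(), set()) - seen)
        seen |= new
    return seen

def effective_rights(icacls_text, user):
    """Union of allow rights on the folder itself; IO (inherit-only) ACEs skipped, deny ACEs not modelled."""
    ids = principals_for(user)
    rights = set()
    for who, flags in parse_icacls(icacls_text):
        if who in ids and "IO" not in flags:
            rights |= flags - INHERIT_FLAGS
    return rights

def can_create_items(icacls_text, user):
    """True if the supposedly read-only user can still create files or folders here."""
    return bool(effective_rights(icacls_text, user) & WRITE_RIGHTS)
```

With the root as found, the test user inherits RX plus AD through BUILTIN\Users and can create folders; with the recommended root only RX remains.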
 

Author Comment by: kingcastle
OK so for now I've gotta remember that any other folder I create on the root of D, if I want to share it, then I need to stop inheriting perms.
Would that be right?

I wonder why it does it like that by default; you would think it would be the least restrictive way.

Expert Comment by: LesterClayton (LVL 17)
"OK so for now I've gotta remember that any other folder I create on the root of D, if I want to share it, then I need to stop inheriting perms.
Would that be right?"

That would be right, if you don't remove the default permissions at the root.

Author Comment by: kingcastle
Arrrhhh OK, so now I can't create files or folders, which is correct, but I can delete ones that are already there, which I don't want.
The perms applying are Read & Execute, List Folder and Read.
I only want the user to view the list of folders at this point and not create any new ones or delete any at this level.
I wonder is it the Read and Execute perm allowing that.

Expert Comment by: LesterClayton (LVL 17)
Read and execute won't allow you to delete stuff which already exists.  Check the permissions on the items which are already there - it's possible that they too are different.

It seems to me you may need to revisit all your permissions.

You may also want to consider taking a training course so that you can learn about permissions and inheritance, there's only so much information one can give you in a forum thread.  You have the tools at your disposal (Icacls, to view permissions), so you just have to review your file structure accordingly.