Domain users are able to write to folder in spite of read only permissions
On our Windows 2008 server, I changed the properties of Folder A, and set users' security to read. Logged on as a user, to test, and he is still able to create files, inside Folder A.
Smith and Andersen
what are your share perms and what are the ntfs perms??
ASKER
Share permissions give users read and write. Folder A is however a sub-folder inside the actual shared folder. I have removed inheritable permissions from Folder A.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Please consider this. A higher level folder is mapped, and users have write permissions at that level. I do however need to restrict users from writing to Folder A. See below:
Folder 1\Folder 2\Folder A
Folder 1 is mapped and users have write access. Folder A is not directly shared (Folder 1 is shared, so users can drill down and view the contents of Folder A). I used security permissions for Folder A to assign "Read" permissions to users.
Folder 1\Folder 2\Folder A
Folder 1 is mapped and users have write access. Folder A is not directly shared (Folder 1 is shared, so users can drill down and view the contents of Folder A). I used security permissions for Folder A to assign "Read" permissions to users.
ASKER
I have told the user I am testing with, to restart his PC and try creating a test folder inside folder A. Will report back on the result, after he's back from lunch.
ASKER
C:\Users\me>net user /domain testuser
The request will be processed at a domain controller for domain domainname.things.
User name testuser
Full Name test user
Comment
User's comment
Country code (null)
Account active Yes
Account expires Never
Password last set 2/1/2012 10:14:31 AM
Password expires Never
Password changeable 2/2/2012 10:14:31 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 9/12/2013 11:12:12 AM
Logon hours allowed All
Local Group Memberships *Remote Desktop Users *Server Operators
Global Group memberships *Office Group *DenyAccounting
*Local Admin Users *Domain Users
The command completed successfully.
The request will be processed at a domain controller for domain domainname.things.
User name testuser
Full Name test user
Comment
User's comment
Country code (null)
Account active Yes
Account expires Never
Password last set 2/1/2012 10:14:31 AM
Password expires Never
Password changeable 2/2/2012 10:14:31 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 9/12/2013 11:12:12 AM
Logon hours allowed All
Local Group Memberships *Remote Desktop Users *Server Operators
Global Group memberships *Office Group *DenyAccounting
*Local Admin Users *Domain Users
The command completed successfully.
ASKER
Local Group Memberships *Remote Desktop Users *Server Operators
Global Group memberships *Office Group *DenyAccounting
*Local Admin Users *Domain Users
All the groups listed above have no effective permissions. The group named "Users" have List and Read effective permissions.
Global Group memberships *Office Group *DenyAccounting
*Local Admin Users *Domain Users
All the groups listed above have no effective permissions. The group named "Users" have List and Read effective permissions.
ASKER
Still don't know where users are getting write permissions from. Hopefully restarting his laptop will make the read permissions effective.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Problem still exists. I'm sure there's something I'm missing.