Can't seem to restrict network access to a domain Win8-Pro PC folder from domain users on Win7 Pro PCs

Hi everyone -

Here's my problem:


I have a Windows 8 Professional x64 PC on my 2003 Active Directory domain.

I have a folder on that Windows-8 Professional x64 PC that I need to restrict access/block for certain network domain users that are on other PCs on the LAN.  That folder is on the "G" drive of the Win8 PC in question.

The users are using Windows 7 Pro PCs on the same 2003 A/D domain.  The only A/D group they are members of is the default "Domain Users", but they are Local Administrators on their own Win7 PCs

I originally had the folder set as a share; I removed security inheritance from above it and Explicitly added the individual users I want to block, I selected "Full Control", then "Deny" on both the "Share" tab and the "Permissions" tab for the share.

These users, that should have been blocked, were still able to browse the network and access the share.

I stopped sharing the folder, making the only way to get to it to be by navigating to \\<Win8-Computer-name>\G$\<folder-name>.  I then similarly Explicitly added those users to the folder permissions by  selecting "Full Control", then "Deny" on the "Permissions" tab for the folder.  I also Explicitly added those users to the "G$" permissions by  selecting "Full Control", then "Deny" on the "Permissions" tab for G$.

The target users were STILL able to access the folder simply by navigating to \\<Win8-Computer-name>\G$\<folder-name>, even though they should still have been blocked.

This is my first encounter working with file access permissions relative to Win8 and Win7 PCs on a 2003 A/D domain (nothing but WinXP PCs have been on the domain up to this point)

I doubt that it matters, but the "G" drive on the Win8 PC is not an internal hard drive.  It is an iSCSI NAS box made operational and available specifically to the Win8 PC by the usual iSCSI Initiator on the Win8 PC.

Is this something new /peculiar with Win8 and Win7 PCs as to how they interact with network and file/folder security????  I've been working with networks and IT for a very long time and have never seen a situation where EXPLICITLY applied Deny-Access settings have had absolutely NO effect in blocking users.

What the heck am I missing?

Thanks in advance for any and all help.
aiicoAsked:
Who is Participating?
 
McKnifeConnect With a Mentor Commented:
Ok, so it's the g$ share. That should under no circumstances be accessible at all by non-admins. So the only possible reason is, that on your win7 box, you are using saved credentials.
Please look at the saved credentials you have, delete them, log your user off and on again and retry.
0
 
McKnifeCommented:
First of all: your users are admins on their own pcs, not admins on the remote computer, so g$ will not be accessible. It is accessible, you say? Then they are admins on the remote computer also.
About the weird denied-but-nevertheless...-thing: please read the conclusion in my own thread: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22108365.html
0
 
aiicoAuthor Commented:
Since we all sometimes miss something right in front of our face, I went back and double-checked the admins on the Windows-8 PC,  The users I intend to block are emphatically NOT admins of that machine.  The only local admins on that machine are specifically my own A/D account, and the "Domain Admins" security group in A/D. and (of course) the local machine administrator account.  There are no other users in the local admin group, and even explicitly listed even as users at all.

Understandably, the administrative share for the G-drive, "G$" should only be accessible by admins, non-admins are still accessing it.  I did just notice, however, that the group "everyone" is apparently assigned (by default by Windows 8 I'm guessing, as I would never assign such a setting) "read & execute" permission to G$ !!!
0
The IT Degree for Career Advancement

Earn your B.S. in Network Operations and Security and become a network and IT security expert. This WGU degree program curriculum was designed with tech-savvy, self-motivated students in mind – allowing you to use your technical expertise, to address real-world business problems.

 
McKnifeCommented:
Ok, but have you ever seen anyone being able to access an administrative $-share without being admin at the remote machine? No, because these share permissions of the builtin administrative shares even cannot be changed. So my guess is you made all of them domain admins. Please check the domain admins group and see whether any group is nested there in that might house the user(s) in question or the users themselves.

At least I can say this has nothing to do with the type of OS you use.
0
 
aiicoAuthor Commented:
I agree with you about non-admins accessing the root $ admin share, so that's why this is confusing.

To be a little more carefully specific, I should have said that I noticed that when looking at the properties of the "G" drive, as shown in Windows file explorer, on the Security tab, drilling into the Advanced Security Settings, the "everyone" group seems to be granted by default "read & execute" permissions at that level.  I definitely did not assign that myself.  (I did misspeak when I said it was on the G$ admin share.)

In my Domain Admins group, the only two user accounts in there are my own and the default built-in "administrator" account, and there are no other groups nested inside it.

I removed the "everyone" group from the advanced security settings for the G: drive and users are still able to access and traverse G$.  Doesn't make any sense.
0
 
McKnifeCommented:
Your last sentence: ...g$... again the $-share? Or is there a g-share as well and we are talking about a share named "g"? Please set that straight, first.
Then please tell me if you understand what my other thread was about and how it turned out.
0
 
aiicoAuthor Commented:
To clarify:  

First, in the "Properties-->Security-->Advanced" settings of the G-Drive, when viewed in windows explorer, there WAS the "everyone" group in there by default with Read & Execute access rights (screenshot image named "G1.jpg" uploaded)

Second, A non-admin user on another PC can navigate to and thru G$ from their PC (screenshot image, named G-1.jpg attached)

I hope this clarifies what I am very badly explaining.
G1.jpg
G-1.jpg
0
 
aiicoAuthor Commented:
I'm re-reading your other thread now again...
0
 
aiicoAuthor Commented:
I did log the user on and off once, but I will check the saved creds.  Good thought.
0
 
aiicoAuthor Commented:
McKnife -

You rock.  Thanks for the second pair of mental eyes on this.  It was Saved Creds on the user's Win7 PC.  One of my network admins had used their own creds there a while ago to connect to the network share to make it easier on themselves at the time instead of setting up proper access for the user.

Always turns out to be something basic :-)

Thanks again.
0
 
McKnifeCommented:
You're welcome.

> Always turns out to be something basic :-)
Yes, mostly. Also think about changing the support strategy: your network admin has obviously used a domain admin account to service a workstation (or at least an account that is in the admin group of other workstations as well). This is dangerous, especially if the users are local admins. They could use hacker tools like mimikatz and don't even need to crack anything... they get your domain admin pw in plaintext instantly - even after the network admin has logged off and cleared eventually saved creds. [Unless you already run win 8.1 which has changed that game a bit].
0
 
aiicoAuthor Commented:
Thanks for that tip.  I'd think using the user's PC local admin account would be an improved strategy over using domain admin logons.
0
 
McKnifeCommented:
0
All Courses

From novice to tech pro — start learning today.