• Status: Solved

Win 2008 R2 File Server Share/NTFS Permissions

I've now encountered two different cases where a user's permissions were changed on a folder and they shouldn't have been.

A user's sec group, where they currently are the only member of said sec group, has been getting changed to that particular user, and permissions set to this folder only.  Security states it is inheriting these from the root of the share.

The only people with accounts able to modify sec permissions are myself and our operations director/VP of Operations, who supervises our IT department (in case I get hit by a bus type thing, and one has the pw and the other has the UN).

When checking the root of the share, the permissions don't exist.

Any ideas how and why this is happening, and how to stop it?
Asked:
PriorityResearch
 
Spyder2010 Commented:
Does the root of the share give CREATOR OWNER permissions?  If so, when a user creates a file/folder, their user object is granted explicit permissions on that file/folder.
 
PriorityResearch (Author) Commented:
It did have creator/owner.  Would this also cause all folders between the root share and the file to change their permission?
 
Spyder2010 Commented:
It may... if a user creates a folder/file at a lower level in the file structure, CREATOR OWNER will assign them explicit permissions to the folder/file that they just created... it may also assign (need to test this) the explicit special permissions to folders between the root and the folder/file that they created to allow them to traverse the folder structure to get to the file/folder that they just created... if it does this, it would only apply the minimum set of rights that would let the user see the folder path to the folder that they created.  Again, I'm not positive about this part, would need to test that....
 
PriorityResearch (Author) Commented:
I've removed creator/owner from root of the share and I'm going to reset all permissions this weekend.  I'm still curious if that's what caused this issue to arise.  I did find some newly created files in a subdirectory of the one I troubleshot this morning for a user.
 
Spyder2010 Commented:
Best of luck!  I've run into strange issues in the past where Creator Owner was the culprit... normally for my file shares, I'll break inheritance at the root of the shared folder, and remove everything except for SYSTEM and Administrators (usually this is Creator Owner and Users), then add in the appropriate AD Security groups and let the rights inherit correctly from the root of the share.
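
A read-only audit for the symptom discussed in this thread, added here as an example and not posted by either participant: it reports whether the share root carries a CREATOR OWNER entry, then lists every item whose ACL names a principal that is missing from its parent folder's ACL. The path `D:\Shares\Example` and the helper names `Get-Rules` and `Resolve-Sid` are assumptions; the syntax is kept to PowerShell 2.0 for Windows Server 2008 R2.

```powershell
# Added example, not from the thread. $ShareRoot is a placeholder path.
param([string]$ShareRoot = 'D:\Shares\Example')

$sidType      = [System.Security.Principal.SecurityIdentifier]
$creatorOwner = 'S-1-3-0'      # well-known SID for CREATOR OWNER
$cache        = @{}            # parent path -> SIDs present in its ACL

function Get-Rules($Item) {
    # Explicit and inherited ACEs, with identities returned as SIDs
    $Item.GetAccessControl().GetAccessRules($true, $true, $sidType)
}

function Resolve-Sid($Sid) {
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }       # orphaned SID: show it raw
}

$root = Get-Item -LiteralPath $ShareRoot

# 1. Does the share root carry a CREATOR OWNER entry?
Get-Rules $root |
    Where-Object { $_.IdentityReference.Value -eq $creatorOwner } |
    Select-Object @{n='Path';e={$root.FullName}}, FileSystemRights,
                  InheritanceFlags, PropagationFlags

# 2. Entries below the root that name a principal the parent's ACL lacks
Get-ChildItem -LiteralPath $ShareRoot -Recurse -Force | ForEach-Object {
    $item   = $_
    $parent = if ($item.PSIsContainer) { $item.Parent } else { $item.Directory }
    $key    = $parent.FullName
    if (-not $cache.ContainsKey($key)) {
        $cache[$key] = @(Get-Rules $parent |
            ForEach-Object { $_.IdentityReference.Value })
    }
    $known = $cache[$key]

    Get-Rules $item |
        Where-Object { $known -notcontains $_.IdentityReference.Value } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path        = $item.FullName
                Identity    = Resolve-Sid $_.IdentityReference
                Rights      = $_.FileSystemRights
                IsInherited = $_.IsInherited   # shown, not filtered on
            }
        }
} | Select-Object Path, Identity, Rights, IsInherited
```

Run it from an account that can read ACLs across the whole tree; a row whose `Identity` is a single user account is the pattern the asker describes.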
