Solved

AD Users Have Access to Folder Shares Other Than Whats Listed In AD Users and Computers

Posted on 2014-12-29
9
72 Views
Last Modified: 2015-04-22
I have a few users that somehow have access to some folder shares other than what they have access to stated in AD under the "Member Of" tab.  My folders have security groups which are what I tie the users to.  I have also checked the folder shares to make sure that the users were not listed under groups nor security groups they were added in.

Any suggestions as to how I can fix this issue?

Thanks!
0
Comment
Question by:ollybuba
  • 4
  • 3
  • 2
9 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40522232
Ultimately it is down to NTFS permissions. It matters not if a user can see a share, has full permissions on a share or whatever.  What matters is what NTFS permissions are set.
Users will not be able to see something if they do not have permissions.  Are these shares/folders visible to ALL users or just  those in groups PLUS one or two others?

Can you paste some screen shots of share permission and ntfs permissions and group membership of a user that should not have access?

We could guess all night but without seeing something it will be a long process.
0
 

Author Comment

by:ollybuba
ID: 40522301
The Maintenance-NTFS picture is the setting for all shared folders including the folders this user isn't able to view and shouldn't.
Maintenance-NTFS.JPG
Maintenance-Permissions.JPG
Member-Of.JPG
0
 
LVL 24

Expert Comment

by:NVIT
ID: 40522344
If you changed the permissions recently, be sure to have those users logoff then logon.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 

Author Comment

by:ollybuba
ID: 40522383
I have not changed any settings recently.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40522389
You are certain that these users are not for any reason members of the servers local Administrators group? Either directly of through membership of another group?
Also of course that they are not domain admins.
0
 
LVL 24

Accepted Solution

by:
NVIT earned 500 total points
ID: 40522403
AccessEnum can help to quickly view user accesses to a tree of directories or keys.
http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx

Start by plugging in affected paths in the folder field at top.
You can also export the results to a .txt file for off-line examination.
0
 

Author Comment

by:ollybuba
ID: 40524091
I've checked a user and they are not part of any group that Enum says has permissions to that share.
0
 
LVL 24

Expert Comment

by:NVIT
ID: 40524136
Is it an entire folder of files or just certain files? e.g. say you have c:\main. Under that you have subfolder1 with some files. Also subfolder2 with some files.

Maybe all files in subfolder2 is exposed but not files in subfolder1.

Or, just certain files affected all over the place?
0
 

Author Comment

by:ollybuba
ID: 40524144
It would be for an example c:\maintenance.  As in the parent directory.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question