Solved

AD Users Have Access to Folder Shares Other Than Whats Listed In AD Users and Computers

Posted on 2014-12-29
9
70 Views
Last Modified: 2015-04-22
I have a few users that somehow have access to some folder shares other than what they have access to stated in AD under the "Member Of" tab.  My folders have security groups which are what I tie the users to.  I have also checked the folder shares to make sure that the users were not listed under groups nor security groups they were added in.

Any suggestions as to how I can fix this issue?

Thanks!
0
Comment
Question by:ollybuba
  • 4
  • 3
  • 2
9 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40522232
Ultimately it is down to NTFS permissions. It matters not if a user can see a share, has full permissions on a share or whatever.  What matters is what NTFS permissions are set.
Users will not be able to see something if they do not have permissions.  Are these shares/folders visible to ALL users or just  those in groups PLUS one or two others?

Can you paste some screen shots of share permission and ntfs permissions and group membership of a user that should not have access?

We could guess all night but without seeing something it will be a long process.
0
 

Author Comment

by:ollybuba
ID: 40522301
The Maintenance-NTFS picture is the setting for all shared folders including the folders this user isn't able to view and shouldn't.
Maintenance-NTFS.JPG
Maintenance-Permissions.JPG
Member-Of.JPG
0
 
LVL 24

Expert Comment

by:NVIT
ID: 40522344
If you changed the permissions recently, be sure to have those users logoff then logon.
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 

Author Comment

by:ollybuba
ID: 40522383
I have not changed any settings recently.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40522389
You are certain that these users are not for any reason members of the servers local Administrators group? Either directly of through membership of another group?
Also of course that they are not domain admins.
0
 
LVL 24

Accepted Solution

by:
NVIT earned 500 total points
ID: 40522403
AccessEnum can help to quickly view user accesses to a tree of directories or keys.
http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx

Start by plugging in affected paths in the folder field at top.
You can also export the results to a .txt file for off-line examination.
0
 

Author Comment

by:ollybuba
ID: 40524091
I've checked a user and they are not part of any group that Enum says has permissions to that share.
0
 
LVL 24

Expert Comment

by:NVIT
ID: 40524136
Is it an entire folder of files or just certain files? e.g. say you have c:\main. Under that you have subfolder1 with some files. Also subfolder2 with some files.

Maybe all files in subfolder2 is exposed but not files in subfolder1.

Or, just certain files affected all over the place?
0
 

Author Comment

by:ollybuba
ID: 40524144
It would be for an example c:\maintenance.  As in the parent directory.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Resolve DNS query failed errors for Exchange
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question