Solved

AD Users Have Access to Folder Shares Other Than Whats Listed In AD Users and Computers

Posted on 2014-12-29
9
75 Views
Last Modified: 2015-04-22
I have a few users that somehow have access to some folder shares other than what they have access to stated in AD under the "Member Of" tab.  My folders have security groups which are what I tie the users to.  I have also checked the folder shares to make sure that the users were not listed under groups nor security groups they were added in.

Any suggestions as to how I can fix this issue?

Thanks!
0
Comment
Question by:ollybuba
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40522232
Ultimately it is down to NTFS permissions. It matters not if a user can see a share, has full permissions on a share or whatever.  What matters is what NTFS permissions are set.
Users will not be able to see something if they do not have permissions.  Are these shares/folders visible to ALL users or just  those in groups PLUS one or two others?

Can you paste some screen shots of share permission and ntfs permissions and group membership of a user that should not have access?

We could guess all night but without seeing something it will be a long process.
0
 

Author Comment

by:ollybuba
ID: 40522301
The Maintenance-NTFS picture is the setting for all shared folders including the folders this user isn't able to view and shouldn't.
Maintenance-NTFS.JPG
Maintenance-Permissions.JPG
Member-Of.JPG
0
 
LVL 24

Expert Comment

by:NVIT
ID: 40522344
If you changed the permissions recently, be sure to have those users logoff then logon.
0
Office 365 Training for Admins

Learn how to provision tenants, synchronize on-premise Active Directory, and implement Single Sign-On with these master level course.  Only from Platform Scholar

 

Author Comment

by:ollybuba
ID: 40522383
I have not changed any settings recently.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40522389
You are certain that these users are not for any reason members of the servers local Administrators group? Either directly of through membership of another group?
Also of course that they are not domain admins.
0
 
LVL 24

Accepted Solution

by:
NVIT earned 500 total points
ID: 40522403
AccessEnum can help to quickly view user accesses to a tree of directories or keys.
http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx

Start by plugging in affected paths in the folder field at top.
You can also export the results to a .txt file for off-line examination.
0
 

Author Comment

by:ollybuba
ID: 40524091
I've checked a user and they are not part of any group that Enum says has permissions to that share.
0
 
LVL 24

Expert Comment

by:NVIT
ID: 40524136
Is it an entire folder of files or just certain files? e.g. say you have c:\main. Under that you have subfolder1 with some files. Also subfolder2 with some files.

Maybe all files in subfolder2 is exposed but not files in subfolder1.

Or, just certain files affected all over the place?
0
 

Author Comment

by:ollybuba
ID: 40524144
It would be for an example c:\maintenance.  As in the parent directory.
0

Featured Post

Office 365 Training for Admins

Learn how to provision tenants, synchronize on-premise Active Directory, and implement Single Sign-On with these master level course.  Only from Platform Scholar

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question