gglollc asked:

Folder Permissions Issue

We have a 2008 R2 file server. It has a share in which only Domain Admins have full control. Domain Users have Read & execute, List folder contents, and Read. The only other group in the list that has full control is the local administrators. However, we discovered that our domain users can write to this folder. When we test effective permissions, the domain users group is correct. But if we test effective permissions for any individual user, they have full control. We are quite baffled at this point.
Windows Server 2008

Last comment: gglollc, 8/22/2022 (Mon)
gglollc

ASKER
I forgot to mention that the Share permissions are Change and Read for Everyone.
zalazar

Could you double check if "CREATOR OWNER" is also in the NTFS security?

In the past the default Windows permissions of a formatted drive included "CREATOR OWNER" in combination with "Users Special",
where "Users Special" gets "Create files / write data, Create folders / append data".
In combination with CREATOR OWNER it gives permissions to write files and create folders.
If the share permissions are Change, then this gives any user with read permissions on the directory the possibility to create files and folders. On every file or folder created by the user, the user gets full control.
gglollc

ASKER
Thanks but that group is not in there. The groups in the list are SYSTEM, Domain Admins, Domain Users, local Admins, local users, backup operators.
zalazar

Thanks for the info.
Could you maybe open a command prompt (cmd.exe) on the server and execute the following command:
cacls <directory> /s


where <directory> is the name of the directory you are sharing, e.g. D:\Data\Department1
cacls "D:\Data\Department1" /s


and then post the info here.
/s displays the SDDL string.
gglollc

ASKER
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.GGLO>cacls "G:\data\drafting" /s
G:\data\drafting "D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;0x1200a9;;;DU)(A;
OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)(A;OICI;0x1301bf;;;BO)"


C:\Users\administrator.GGLO>
zalazar

Thanks for posting. The security indeed looks fine.
Did you already double check the Domain Admins, Administrators and Backup Operators groups for unknown groups or users?
gglollc

ASKER
Yes, we have other shares with the same groups, and when I check effective permissions for an individual user they do not have full control.
ASKER CERTIFIED SOLUTION
Michael Machie

zalazar

Thanks for the info.
In addition to checking the effective permissions, I would also prefer to check the groups themselves.
From the question I understand the share is set up on a file server, and I assume it's a member server.
Could you then open Administrative Tools\Computer Management?
Open the "Local Users and Groups\Groups" and open the "Backup Operators" and "Administrators" group and look for unknown user accounts and groups. For every group that is listed the corresponding group should be checked individually, locally or on the Active Directory domain.
Please also check the "Domain Admins" group and do a similar check.

You could also try to check an individual file where according to your check the user has full control on.
Can you check if the NTFS file permissions look the same as the directory permissions?
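The check described above (open each privileged group and follow every nested group until you reach individual accounts) is what explains the symptom in this thread: an individual user can end up with rights the Domain Users group itself does not have. The following is an added example, not code from the thread or from any Windows tool; it walks a constructed, hypothetical directory of local and domain groups (names such as CORP\IT Helpdesk are made up) and reports the nesting chain through which each account reaches a privileged group.

```python
"""Expand nested group membership to find who really ends up in a privileged group.

Added illustration, not from the original thread. DIRECTORY is constructed sample
data: each group maps to its direct members (accounts or other groups); anything
that is not itself a key is treated as an account.
"""

# Hypothetical server-local and domain groups (constructed; names are not real).
DIRECTORY = {
    "SERVER\\Administrators": ["SERVER\\Administrator", "CORP\\Domain Admins"],
    "SERVER\\Backup Operators": ["CORP\\Backup Staff"],
    "CORP\\Domain Admins": ["CORP\\admin.jane", "CORP\\IT Helpdesk"],
    # The surprise: a helpdesk group nested in Domain Admins contains all domain users.
    "CORP\\IT Helpdesk": ["CORP\\helpdesk.bob", "CORP\\Domain Users"],
    "CORP\\Backup Staff": ["CORP\\backup.sam"],
    "CORP\\Domain Users": ["CORP\\alice", "CORP\\helpdesk.bob",
                           "CORP\\admin.jane", "CORP\\backup.sam"],
}


def membership_paths(group, directory):
    """Map each transitive account member of `group` to the nesting chain that admits it.

    Depth-first walk; `seen` stops infinite loops on circular nesting (A in B, B in A).
    The first chain found for an account is kept.
    """
    paths = {}

    def walk(current, chain, seen):
        for member in directory.get(current, []):
            if member in directory:  # nested group
                if member not in seen:
                    walk(member, chain + [member], seen | {member})
            else:  # an account
                paths.setdefault(member, chain)

    walk(group, [group], {group})
    return paths


def groups_of(principal, directory):
    """All groups an account belongs to, directly or through nesting."""
    return {g for g in directory if principal in membership_paths(g, directory)}


def unexpected_admins(directory, privileged_group, expected):
    """Accounts reaching `privileged_group` that are not on the expected list, with their chain."""
    return {acct: chain
            for acct, chain in membership_paths(privileged_group, directory).items()
            if acct not in expected}


if __name__ == "__main__":
    expected = {"SERVER\\Administrator", "CORP\\admin.jane"}
    for acct, chain in unexpected_admins(DIRECTORY, "SERVER\\Administrators", expected).items():
        print(f"{acct} is an administrator via: {' -> '.join(chain)}")
    print("alice's groups:", sorted(groups_of("CORP\\alice", DIRECTORY)))
```

On a real server the group lists would come from Computer Management or the domain, as the post describes; the point of the walk is that a single nested group (here the hypothetical CORP\IT Helpdesk) can quietly turn every domain user into a local administrator, which is exactly the kind of finding that makes per-user effective permissions differ from the group's.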
gglollc

ASKER
Machienet,

Once I figured out how to turn off simple sharing by turning off the sharing wizard in Folder Options, then setting advanced sharing, this worked. It also appeared that in advanced sharing Everyone had full control by default. I removed Everyone and added domain users and domain admins with the appropriate permissions. Thanks!
Michael Machie

Glad it is all worked out.
zalazar

Good to see it's solved.
I'm just interested in how you investigated the share permissions earlier.
"Share permissions are Change and Read for Everyone".
Would you be able to let me know?
gglollc

ASKER
Zalazar, thank you for your interest and help. I am not sure exactly what you are asking, but I had previously double checked all of the groups before I posted this question.

The Share permissions were selected under the Properties - Share button.
zalazar

Thanks for your feedback.
What I meant was your second post about the Share permissions, but this simple file sharing is so foggy and not very well documented that it's difficult to fully understand. Anyway, I'm glad it's solved.
Michael Machie

Zalazar, the permissions set via the Share button as seen in my screenshot relate to the Simple Sharing method. Using the Simple method is not very secure with no granular control. It's kind of like a very basic security, such as having a key (key=permissions) to an apartment building main door and all of the apartments are either unlocked or use the same key. This is enabled and disabled via two methods - using the button as seen in the screenshot above, OR, via the Folder options in Control Panel - Folder options - (check/uncheck) Use Simple File Sharing. In Vista it is called Sharing Wizard or something to that effect.

Advanced sharing uses NTFS permissions - much more granular and much better. Like the afore-mentioned apartment building; with Advanced sharing you have the front door key (key=permissions). There is also a separate key for each apartment. Each apartment could also have a garage or closet with another key. Advanced sharing allows your User account to hold many keys. Only the doors you have a key for can be accessed, not like with Simple Sharing - with no options to allow more than one key.

Sorry for being long-winded, but hope that helps.
zalazar

Machienet, thanks for the detailed explanation.
I actually know how advanced sharing works; I'm familiar with it and use it in enterprise environments.
I never used the simple sharing method as, as you explained, you do not have good control.
In the second post gglollc does mention "Share permissions are Change and Read for Everyone".
From this line you can probably make out that it was looked up via the Advanced sharing method, as the terms Change and Read are only used there and these terms are not used with simple sharing.
But in the end it seemed that the advanced share permissions were Everyone Full Control.
I have done some testing, and from what I have seen, when using simple sharing the Share permissions are set accordingly and the NTFS permissions are explicitly (non-inherited) set.
Also it seemed that Everyone did have Full Control on share and NTFS permissions, but Everyone was actually not included in the posted DACL.
Do you maybe know an explanation for this behavior?
Michael Machie

I'm assuming, based on that specific post, the Users within the NTFS permissions had Change and Read, since that is where those permissions reside. However, I am not sure gglollc had looked at the (Simple) Share permissions yet, where Everyone most likely had Read/Write at that time, which is why they could fully access the Share.

As for why those Simple permissions did not appear in the (D)ACL, it could be simply that DACL reports on NTFS permissions, since it specifically applies to AD accounts and the relative SID.

Hopefully that helps.
gglollc

ASKER
Yes, I had looked at the simple permissions. Typically I do what TechNet advises: give full control in Sharing (what you are calling simple) and then tighten the restrictions with NTFS in the Security tab. The most restrictive wins. If you look up how to share folders on TechNet, this is still the advice, but maybe this is old school now. I have been in IT for 20 years, so yep, old school!
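Two things in this thread are worth seeing in code: the SDDL string gglollc posted from cacls /s (which zalazar read as "fine"), and the "most restrictive wins" rule for combining share and NTFS permissions. The following is an added example, not code from the thread or from Windows; it decodes the DACL portion of the posted string into the same terms the Security tab shows (the hex masks 0x1200a9 and 0x1301bf are Read & execute and Modify), evaluates the NTFS access an ordinary domain user gets from it, and intersects that with each share level. The trustee and rights tables are the documented SDDL abbreviations, limited to what the example needs; the ACE evaluation is a simplification that assumes a canonically ordered DACL (denies before allows), as noted in the code.

```python
"""Decode an NTFS DACL from SDDL (as printed by `cacls <dir> /s`) and combine it
with the share-level permission to get the effective access.

Added illustration, not from the original thread. Only the SDDL abbreviations
needed here are tabulated; unknown SID strings are passed through unchanged.
"""
import re

# Individual file/directory access-right bits (winnt.h values).
FILE_RIGHTS = {
    0x000001: "read data / list folder", 0x000002: "write data / create files",
    0x000004: "append data / create folders", 0x000008: "read extended attributes",
    0x000010: "write extended attributes", 0x000020: "execute / traverse",
    0x000040: "delete subfolders and files", 0x000080: "read attributes",
    0x000100: "write attributes", 0x010000: "delete", 0x020000: "read permissions",
    0x040000: "change permissions", 0x080000: "take ownership", 0x100000: "synchronize",
}

# Named masks as shown in the Security tab; share levels map to the same masks.
FULL_CONTROL = 0x1F01FF
MODIFY = 0x1301BF
READ_EXECUTE = 0x1200A9
SHARE_LEVELS = {"Full Control": FULL_CONTROL, "Change": MODIFY, "Read": READ_EXECUTE}

# SDDL two-letter rights codes and well-known trustee aliases used in this example.
RIGHTS_CODES = {"FA": FULL_CONTROL, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
                "GA": FULL_CONTROL, "GR": 0x120089, "GW": 0x120116, "GX": 0x1200A0}
TRUSTEES = {"SY": "SYSTEM", "BA": "Administrators", "BU": "Users",
            "BO": "Backup Operators", "DA": "Domain Admins", "DU": "Domain Users",
            "WD": "Everyone", "CO": "CREATOR OWNER"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(field):
    """Turn the SDDL rights field (hex number or concatenated two-letter codes) into a mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS_CODES[field[i:i + 2]]
    return mask


def parse_dacl(sddl):
    """Return the ACEs of the D: section as (type, flags, mask, trustee) tuples."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not dacl:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in ACE_RE.findall(dacl.group(1)):
        ace_type, flags, rights, _obj, _inherit_obj, sid = body.split(";")
        aces.append((ace_type, flags, parse_rights(rights), TRUSTEES.get(sid, sid)))
    return aces


def describe_mask(mask):
    """Friendly name for a mask, like the Security tab, else the individual bits."""
    names = {FULL_CONTROL: "Full control", MODIFY: "Modify", READ_EXECUTE: "Read & execute"}
    if mask in names:
        return names[mask]
    return ", ".join(name for bit, name in FILE_RIGHTS.items() if mask & bit)


def ntfs_access(aces, principals):
    """Maximum NTFS mask for an account holding the given principals (its own name and groups).

    Simplified evaluation: allow ACEs for matching principals are OR-ed together and any
    matching deny ACE removes its bits. This matches Windows for a canonically ordered
    DACL (explicit denies before explicit allows), which is what the ACL editor writes.
    """
    allowed = denied = 0
    for ace_type, _flags, mask, trustee in aces:
        if trustee in principals:
            if ace_type == "A":
                allowed |= mask
            elif ace_type == "D":
                denied |= mask
    return allowed & ~denied


def effective_access(aces, principals, share_level):
    """Share and NTFS permissions combine as an intersection: the most restrictive wins."""
    return ntfs_access(aces, principals) & SHARE_LEVELS[share_level]


# The DACL gglollc posted from `cacls "G:\data\drafting" /s` (quoted from the thread).
POSTED_SDDL = ("D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;0x1200a9;;;DU)"
               "(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)(A;OICI;0x1301bf;;;BO)")

if __name__ == "__main__":
    aces = parse_dacl(POSTED_SDDL)
    for ace_type, flags, mask, trustee in aces:
        print(f"{ace_type} {flags:5} {trustee:18} {describe_mask(mask)}")
    # An ordinary domain user is a member of Domain Users and, on the server, of Users.
    user = {"Domain Users", "Users"}
    for level in SHARE_LEVELS:
        print(f"share={level:12} -> {describe_mask(effective_access(aces, user, level))}")
    # What the thread found simple sharing had done: Everyone Full Control on NTFS too.
    with_everyone = parse_dacl(POSTED_SDDL + "(A;OICI;FA;;;WD)")
    print("with Everyone FA, share=Change ->",
          describe_mask(effective_access(with_everyone, user | {"Everyone"}, "Change")))
```

Run against the posted DACL, a plain domain user comes out at Read & execute whatever the share level is set to, which is why the DACL alone could not explain the writes; only once an Everyone Full Control entry is added on the NTFS side (the state the later posts describe) does a Change share yield Modify.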