gglollc
asked on
Folder Permissions Issue
We have a 2008 R2 file server. It has a share in which only Domain Admins have full control. Domain Users have Read and execute, Lister Folder content and Read. The only other group in the list that has full control is the local administrators. However we discovered that our domain users can write to this folder. When we test effective permissions, the domain users group is correct. But if we test effective permissions for any individual user, they have full control. We are quite baffled at this point.
Could you double check if "CREATOR OWNER" is also in the NTFS security.
In the past the default Windows permissions of a formatted drive included "CREATOR OWNER" in combination with "Users Special"
Where "Users Special" gets "Create files / write data, Create folders / append data".
In combination with CREATOR OWNER it gives permissions to write files and create folders.
If the share permissions are change then this gives any user with read permissions on the directory the possiblity to create files and folders. On every file or folder created by the user the user gets full control.
In the past the default Windows permissions of a formatted drive included "CREATOR OWNER" in combination with "Users Special"
Where "Users Special" gets "Create files / write data, Create folders / append data".
In combination with CREATOR OWNER it gives permissions to write files and create folders.
If the share permissions are change then this gives any user with read permissions on the directory the possiblity to create files and folders. On every file or folder created by the user the user gets full control.
ASKER
Thanks but that group is not in there. The groups in the list are SYSTEM, Domain Admins, Domain Users, local Admins, local users, backup operators.
Thanks for the info.
Could you maybe open a command prompt (cmd.exe) on the server and execute the following command:
/s will display the SDDL string
Could you maybe open a command prompt (cmd.exe) on the server and execute the following command:
cacls <directory> /scacls "D:\Data\Department1" /s/s will display the SDDL string
ASKER
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\administrator.GGL
G:\data\drafting "D:PAI(A;OICI;FA;;;SY)(A;O
OICI;FA;;;BA)(A;OICI;0x120
C:\Users\administrator.GGL
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\administrator.GGL
G:\data\drafting "D:PAI(A;OICI;FA;;;SY)(A;O
OICI;FA;;;BA)(A;OICI;0x120
C:\Users\administrator.GGL
Thanks for posting. The security looks indeed fine.
Did you already double check the Domain Admins, Administrators and Backup Operators group for unknown groups or users ?
Did you already double check the Domain Admins, Administrators and Backup Operators group for unknown groups or users ?
ASKER
Yes, we have other shares with the same groups and when I check effective permissions for an individual users the do not have full control.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Thanks for the info.
In addition of checking the effective permissions I also would prefer to check the groups itself.
From the question I understand the share is setup on a fileserver and I assume it's a member server.
Could you then open Administrative Tools\Computer Management
Open the "Local Users and Groups\Groups" and open the "Backup Operators" and "Administrators" group and look for unknown user accounts and groups. For every group that is listed the corresponding group should be checked individually, locally or on the Active Directory domain.
Please also check the "Domain Admins" group and do a similar check.
You could also try to check an individual file where according to your check the user has full control on.
Can you check if the NTFS file permissions do look the same as the directory permissions ?
In addition of checking the effective permissions I also would prefer to check the groups itself.
From the question I understand the share is setup on a fileserver and I assume it's a member server.
Could you then open Administrative Tools\Computer Management
Open the "Local Users and Groups\Groups" and open the "Backup Operators" and "Administrators" group and look for unknown user accounts and groups. For every group that is listed the corresponding group should be checked individually, locally or on the Active Directory domain.
Please also check the "Domain Admins" group and do a similar check.
You could also try to check an individual file where according to your check the user has full control on.
Can you check if the NTFS file permissions do look the same as the directory permissions ?
ASKER
Machienet,
Once I figured out how to turn off simple sharing by turning off the sharing wizard in Folders options, then setting advanced sharing, this worked. It also appeared that in advanced sharing Everyone had full control by default. I removed Everyone and added domain users and domain admins with the appropriate permissions. Thanks!
Once I figured out how to turn off simple sharing by turning off the sharing wizard in Folders options, then setting advanced sharing, this worked. It also appeared that in advanced sharing Everyone had full control by default. I removed Everyone and added domain users and domain admins with the appropriate permissions. Thanks!
Glad it is all worked out.
Good to see it's solved.
I'm just interested on how you investigated the share permissions earlier.
"Share permissions are Change and Read for Everyone".
Would you be able to let me know ?
I'm just interested on how you investigated the share permissions earlier.
"Share permissions are Change and Read for Everyone".
Would you be able to let me know ?
ASKER
Zalazar, thank you for your interest and help. I am not sure exactly what you are asking, but I had previously double checked all of the groups before I posted this question.
The Share permissions were selected under the Properties - Share button.
The Share permissions were selected under the Properties - Share button.
Thanks for your feedback.
What I meant was about your second post about the Share permissions but this simple file sharing is so foggy and not very well documented that it's difficult to fully understand. Anyway, I'm glad it's solved.
What I meant was about your second post about the Share permissions but this simple file sharing is so foggy and not very well documented that it's difficult to fully understand. Anyway, I'm glad it's solved.
Zalazar, the permissions set via the Share button as seen in my screenshot relate to the Simple Sharing method. Using the Simple method is not very secure with no granular control. It's kind of like a very basic security, such as having a key (key=permissions) to an apartment building main door and all of the apartments are either unlocked or use the same key. This is enabled and disabled via two methods - using the button as seen in the screenshot above, OR, via the Folder options in Control Panel - Folder options - (check/uncheck) Use Simple File Sharing. In Vista it is called Sharing Wizard or something to that effect.
Advanced sharing uses NTFS permissions - much more granular and much better. Like the afore-mentioned apartment building; with Advanced sharing you have the front door key (key=permissions). There is also a separate key for each apartment. Each apartment could also have a garage or closet with another key. Advanced sharing allows your User account to hold many keys. Only the doors you have a key for can be accessed, not like with Simple Sharing - with no options to allow more than one key.
sorry for being long-ended but hope that helps.
Advanced sharing uses NTFS permissions - much more granular and much better. Like the afore-mentioned apartment building; with Advanced sharing you have the front door key (key=permissions). There is also a separate key for each apartment. Each apartment could also have a garage or closet with another key. Advanced sharing allows your User account to hold many keys. Only the doors you have a key for can be accessed, not like with Simple Sharing - with no options to allow more than one key.
sorry for being long-ended but hope that helps.
Machienet, thanks for the detailed explanation.
I actually know of how advanced sharing is working and I'm familiar with it and using it in enterprise environments.
I never used the simple sharing method as, as you explained, you do not have good control.
In the second post gglollc does mention "Share permissions are Change and Read for Everyone".
From this line you can probably make up that it was looked up via the Advanced sharing method as the terms change and read are only used there and these terms are not used with simple sharing.
But in the end it seemed that the advanced share permissions where Everyone Full Control.
I have done some testing and from I what I have seen is that when using simple sharing Share permissions are set accordingly and NTFS permissions are explicitly (non inherited) set.
Also it seemed that Everyone did have Full Control on share and NTFS permissions but Everyone was actually not included in the posted DACL.
Do you maybe know an explanation for this behavior ?
I actually know of how advanced sharing is working and I'm familiar with it and using it in enterprise environments.
I never used the simple sharing method as, as you explained, you do not have good control.
In the second post gglollc does mention "Share permissions are Change and Read for Everyone".
From this line you can probably make up that it was looked up via the Advanced sharing method as the terms change and read are only used there and these terms are not used with simple sharing.
But in the end it seemed that the advanced share permissions where Everyone Full Control.
I have done some testing and from I what I have seen is that when using simple sharing Share permissions are set accordingly and NTFS permissions are explicitly (non inherited) set.
Also it seemed that Everyone did have Full Control on share and NTFS permissions but Everyone was actually not included in the posted DACL.
Do you maybe know an explanation for this behavior ?
I'm assuming, based on that specific post, the Users within the NTFS permissions had Change and Read, since that is where those permissions reside. However, I am not sure gglollc had looked at the (Simple) Share permissions yet, where everyone most likely had Read/Write, at that time which is why they could fully access the Share.
As for why those Simple permissions did not appear in the (D)ACL, it could be simply that DACL reports on NTFS permissions, since it specifically applies to AD accounts and the relative SID.
Hopefully that helps.
As for why those Simple permissions did not appear in the (D)ACL, it could be simply that DACL reports on NTFS permissions, since it specifically applies to AD accounts and the relative SID.
Hopefully that helps.
ASKER
Yes I had looked at the simple permissions. Typically I do what Technet advises, give full control in Sharing, (what you are calling simple) and then tighten the restrictions with NTFS in the Security tab. The most restrictive wins. If you look up how to share folders on Technet, this is still the advice, but maybe this is old school now. I have been in IT for 20 years, so yep, old school!
ASKER